John, I don’t believe that 4.0.0 – 4.1 are affected since they use Debian 
Squeeze-based systemvm templates.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883

From: John Kinsella <j...@stratosec.co>
Reply-To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org>
Date: Tuesday, April 8, 2014 at 10:55 PM
To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org>
Subject: Re: OpenSSL vunerability (bleedheart)

Just put up a blog post with mitigation instructions [1]. If anybody has any 
issues with this, please let us know and we’ll help/update as appropriate.

We’re working on new SystemVM images, but that’s going to take us a few days.

John
1: https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed

On Apr 8, 2014, at 6:21 PM, John Kinsella <j...@stratosec.co> wrote:

Folks - we’re aware of the OpenSSL issue, and are working with vendors to 
release mitigation instructions for ACS.
Hoping to have something out later this evening.
John

On Apr 8, 2014, at 8:12 AM, Paul Angus <paul.an...@shapeblue.com> wrote:

A vulnerability has been found in OpenSSL
http://www.bit-tech.net/news/bits/2014/04/08/openssl-heartbleed/1
Affected are OpenSSL versions 1.0.1 and 1.0.2-beta, which include such releases 
as Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, 
FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.
It is fixed in OpenSSL 1.0.1g.
From https://bugzilla.redhat.com/show_bug.cgi?id=1084875#c9
"Statement:
This issue did not affect the versions of openssl as shipped with Red Hat 
Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier. This issue 
does affect Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization 
Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e."
XenServer 6.2 SP1 uses the native CentOS OpenSSL RPM without modification 
version (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008) so is unaffected.
Regards,
Paul Angus
Senior Consultant / Cloud Architect