Even if we get latest systemvm template from 
http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ . , it has 
openssl 1.0.1e-2+deb7u4 ?

Is there any code change required to create system template with openssl  
1.0.1e-2+deb7u6  ?

Regards,
Rayees 

-----Original Message-----
From: Harikrishna Patnala [mailto:harikrishna.patn...@citrix.com] 
Sent: Wednesday, April 09, 2014 5:15 AM
To: <dev@cloudstack.apache.org>
Subject: Re: OpenSSL vunerability (bleedheart)

Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to 
get 1.0.1e-2+deb7u6.

It will be great if some one can update openssl to 1.0.1e-2+deb7u6 and test 
OpenSSL HeartBleed Vulnerability. Right now I could not do it from our network. 

-Harikrishna

On 09-Apr-2014, at 5:00 pm, Nux! <n...@li.nux.ro> wrote:

> On 09.04.2014 12:04, Abhinandan Prateek wrote:
>> Latest jenkins build template have openSSL version 1.0.1e, the 
>> version that is compromised.
> 
> Guys, do not panic.
> It is my understanding that in Debian, just like in RHEL, major versions will 
> not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they 
> will backport stuff.
> 
> After I did an "apt-get update && apt-get install openssl" I got package 
> version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok 
> according to the changelog:
> 
> "aptitude changelog openssl" says:
> 
> openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
> 
>  * Non-maintainer upload by the Security Team.
>  * Enable checking for services that may need to be restarted
>  * Update list of services to possibly restart
> 
> -- Salvatore Bonaccorso <car...@debian.org>  Tue, 08 Apr 2014 10:44:53 
> +0200
> 
> openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
> 
>  * Non-maintainer upload by the Security Team.
>  * Add CVE-2014-0160.patch patch.
>    CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
>    A missing bounds check in the handling of the TLS heartbeat extension
>    can be used to reveal up to 64k of memory to a connected client or
>    server.
> 
> -- Salvatore Bonaccorso <car...@debian.org>  Mon, 07 Apr 2014 22:26:55 
> +0200
> 
> In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then 
> they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?
> 
> Lucian
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro

Reply via email to