To my knowledge, no code change is necessary just a rebuild. - j Please excuse typos - sent from mobile device.
----- Reply message ----- From: "Rayees Namathponnan" <rayees.namathpon...@citrix.com> To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org> Subject: OpenSSL vunerability (bleedheart) Date: Wed, Apr 9, 2014 10:13 AM Even if we get latest systemvm template from http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ . , it has openssl 1.0.1e-2+deb7u4 ? Is there any code change required to create system template with openssl 1.0.1e-2+deb7u6 ? Regards, Rayees -----Original Message----- From: Harikrishna Patnala [mailto:harikrishna.patn...@citrix.com] Sent: Wednesday, April 09, 2014 5:15 AM To: <dev@cloudstack.apache.org> Subject: Re: OpenSSL vunerability (bleedheart) Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to get 1.0.1e-2+deb7u6. It will be great if some one can update openssl to 1.0.1e-2+deb7u6 and test OpenSSL HeartBleed Vulnerability. Right now I could not do it from our network. -Harikrishna On 09-Apr-2014, at 5:00 pm, Nux! <n...@li.nux.ro> wrote: > On 09.04.2014 12:04, Abhinandan Prateek wrote: >> Latest jenkins build template have openSSL version 1.0.1e, the >> version that is compromised. > > Guys, do not panic. > It is my understanding that in Debian, just like in RHEL, major versions will > not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they > will backport stuff. > > After I did an "apt-get update && apt-get install openssl" I got package > version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok > according to the changelog: > > "aptitude changelog openssl" says: > > openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high > > * Non-maintainer upload by the Security Team. > * Enable checking for services that may need to be restarted > * Update list of services to possibly restart > > -- Salvatore Bonaccorso <car...@debian.org> Tue, 08 Apr 2014 10:44:53 > +0200 > > openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high > > * Non-maintainer upload by the Security Team. > * Add CVE-2014-0160.patch patch. > CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure. > A missing bounds check in the handling of the TLS heartbeat extension > can be used to reveal up to 64k of memory to a connected client or > server. > > -- Salvatore Bonaccorso <car...@debian.org> Mon, 07 Apr 2014 22:26:55 > +0200 > > In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then > they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ? > > Lucian > > -- > Sent from the Delta quadrant using Borg technology! > > Nux! > www.nux.ro
