Folks - unfortunately there’s an error in my blog post last night. On Debian, 
you need to update both openssl and libssl, updating openssl by itself is not 
good enough. I knew this, had it in a draft but somehow that didn’t make it 
into the post. I’ll blame lack of sleep.

Blog post has been updated, and I’ve also added instructions for VMware shops, 
thanks to Geoff Higginbottom.

I can guarantee that current ACS is vulnerable, and I can attest that with our 
config (KVM) the notes in the blog post [1] will mitigate the vulnerability.

1: https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed

On Apr 9, 2014, at 5:30 AM, Nux! <n...@li.nux.ro> wrote:

On 09.04.2014 12:04, Abhinandan Prateek wrote:
The latest jenkins build template has OpenSSL version 1.0.1e, the version
that is compromised.

Guys, do not panic.
It is my understanding that in Debian, just like in RHEL, major versions will 
not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they 
will backport stuff.

After I did an "apt-get update && apt-get install openssl" I got package 
version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok according 
to the changelog:

"aptitude changelog openssl" says:

openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high

 * Non-maintainer upload by the Security Team.
 * Enable checking for services that may need to be restarted
 * Update list of services to possibly restart

-- Salvatore Bonaccorso <car...@debian.org>  Tue, 08 Apr 2014 10:44:53 +0200

openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high

 * Non-maintainer upload by the Security Team.
 * Add CVE-2014-0160.patch patch.
   CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
   A missing bounds check in the handling of the TLS heartbeat extension
   can be used to reveal up to 64k of memory to a connected client or
   server.

-- Salvatore Bonaccorso <car...@debian.org>  Mon, 07 Apr 2014 22:26:55 +0200

In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then they 
are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Stratosec (http://stratosec.co/) - Compliance as a Service
o: 415.315.9385
@johnlkinsella (http://twitter.com/johnlkinsella)
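As an added example, not code from this thread or from CloudStack, here is the version check Lucian describes, extended to cover John's point that both openssl and the libssl runtime package have to be at the fixed build. It parses a constructed `dpkg -l` listing and compares package versions with dpkg's own ordering rules (epoch, then alternating non-digit and numeric runs, with `~` sorting before everything) instead of a string comparison, so `deb7u10` correctly ranks above `deb7u5`. The runtime package name `libssl1.0.0` for wheezy is an assumption; the fixed version `1.0.1e-2+deb7u5` is the one from the changelog quoted above.

```python
import re
from typing import Dict, Tuple

# First wheezy-security build carrying CVE-2014-0160.patch (from the quoted changelog).
FIXED_VERSION = "1.0.1e-2+deb7u5"
# Both must be updated: the CLI package and the shared library (package name is an assumption).
PACKAGES = ("openssl", "libssl1.0.0")

# Constructed `dpkg -l` output: openssl was updated but libssl was not.
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name                 Version              Architecture Description
+++-====================-====================-============-===========
ii  libssl1.0.0:amd64    1.0.1e-2+deb7u4      amd64        SSL shared libraries
ii  openssl              1.0.1e-2+deb7u5      amd64        Secure Sockets Layer toolkit
"""


def _order(c: str) -> int:
    """dpkg's character weight: '~' < end of string < letters < everything else."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        d = _order(a[i] if i < len(a) else "") - _order(b[i] if i < len(b) else "")
        if d:
            return 1 if d > 0 else -1
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component the way dpkg does: alternate
    non-digit runs (weighted lexical) and digit runs (numeric)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        ja, jb = ia, ib
        while ja < len(a) and not a[ja].isdigit():
            ja += 1
        while jb < len(b) and not b[jb].isdigit():
            jb += 1
        r = _cmp_nondigit(a[ia:ja], b[ib:jb])
        if r:
            return r
        ia, ib = ja, jb
        ja, jb = ia, ib
        while ja < len(a) and a[ja].isdigit():
            ja += 1
        while jb < len(b) and b[jb].isdigit():
            jb += 1
        na, nb = int(a[ia:ja] or "0"), int(b[ib:jb] or "0")
        if na != nb:
            return 1 if na > nb else -1
        ia, ib = ja, jb
    return 0


def split_version(v: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; the last '-' starts the Debian revision."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:  # no revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions` ordering."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_dpkg_l(output: str) -> Dict[str, str]:
    """Map installed package name -> version from `dpkg -l` text (only 'ii' rows)."""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "ii":
            continue  # header, ruler, or package not in installed state
        installed[parts[1].split(":", 1)[0]] = parts[2]  # drop ':amd64' multiarch suffix
    return installed


def assess(installed: Dict[str, str]) -> Dict[str, str]:
    """Per-package verdict against FIXED_VERSION."""
    verdict = {}
    for pkg in PACKAGES:
        ver = installed.get(pkg)
        if ver is None:
            verdict[pkg] = "not installed"
        else:
            verdict[pkg] = "fixed" if compare_versions(ver, FIXED_VERSION) >= 0 else "vulnerable"
    return verdict


def host_is_fixed(installed: Dict[str, str]) -> bool:
    """True only when every package in PACKAGES is at or above the fixed build."""
    return all(v == "fixed" for v in assess(installed).values())


if __name__ == "__main__":
    inv = parse_dpkg_l(SAMPLE_DPKG_L)
    print(assess(inv), "host fixed:", host_is_fixed(inv))
```

On a real system VM the input would be the output of `dpkg -l openssl libssl1.0.0`. A "fixed" verdict on the packages is necessary but not sufficient: a process that loaded the old library before the upgrade keeps using it until restarted, which is what the deb7u6 changelog entries about restarting services refer to.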
