It might be good to add the particulars of what in the system VMs have problems, so people know what urgency there is. For example, if the only system vm that has an SSL service running on it is console proxy, then an immediate mitigation is to focus on updating that (or shut it down). It doesn't do much good to have people go to the trouble of updating all of their routers if the routers aren't running any affected services. Certainly the instructions are helpful to be safe, but if we can give people the info about the exposure then they can decide.
On Wed, Apr 9, 2014 at 11:34 AM, John Kinsella <j...@stratosec.co> wrote: > Folks - unfortunately there’s an error in my blog post last night. On Debian, > you need to update both openssl and libssl, updating openssl by itself is not > good enough. I knew this, had it in a draft but somehow that didn’t make it > into the post. I’ll blame lack of sleep. > > Blog post has been updated, and I’ve also added instructions for VMWare > shops, thanks to Geoff Higginbottom. > > I can guarantee that current ACS is vulnerable, and I can attest that with > our config (KVM) the notes in the blog post [1] will mitigate the > vulnerability. > > 1: > https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed > > On Apr 9, 2014, at 5:30 AM, Nux! <n...@li.nux.ro<mailto:n...@li.nux.ro>> > wrote: > > On 09.04.2014 12:04, Abhinandan Prateek wrote: > Latest jenkins build template have openSSL version 1.0.1e, the version > that is compromised. > > Guys, do not panic. > It is my understanding that in Debian, just like in RHEL, major versions will > not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they > will backport stuff. > > After I did an "apt-get update && apt-get install openssl" I got package > version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok > according to the changelog: > > "aptitude changelog openssl" says: > > openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high > > * Non-maintainer upload by the Security Team. > * Enable checking for services that may need to be restarted > * Update list of services to possibly restart > > -- Salvatore Bonaccorso <car...@debian.org<mailto:car...@debian.org>> Tue, > 08 Apr 2014 10:44:53 +0200 > > openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high > > * Non-maintainer upload by the Security Team. > * Add CVE-2014-0160.patch patch. > CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure. > A missing bounds check in the handling of the TLS heartbeat extension > can be used to reveal up to 64k of memory to a connected client or > server. > > -- Salvatore Bonaccorso <car...@debian.org<mailto:car...@debian.org>> Mon, > 07 Apr 2014 22:26:55 +0200 > > In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then > they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ? > > Lucian > > -- > Sent from the Delta quadrant using Borg technology! > > Nux! > www.nux.ro<http://www.nux.ro> > > Stratosec<http://stratosec.co/> - Compliance as a Service > o: 415.315.9385 > @johnlkinsella<http://twitter.com/johnlkinsella> >