Thanks, that's a great clarification.

On Wed, Apr 9, 2014 at 12:15 PM, Animesh Chaturvedi
<animesh.chaturv...@citrix.com> wrote:
> Courtesy Chiradeep
>
>
> - CPVM uses JSSE so that should not be affected
> - VR is not affected since it does not offer any HTTPS/TLS service. The RA 
> VPN and S2S VPN use the OpenSSL lib only for crypto and not for any transport
> - The only vulnerable service is the volume upload service and template copy. 
> The latter is between 2 trusted IPs
> - Also this should only affect SSVM template from 4.2 onwards as only wheezy 
> is affected
>
> Thanks
> Animesh
>> -----Original Message-----
>> From: John Kinsella [mailto:j...@stratosec.co]
>> Sent: Wednesday, April 09, 2014 11:07 AM
>> To: dev@cloudstack.apache.org
>> Subject: Re: OpenSSL vunerability (bleedheart)
>>
>> I want to address a few things here directly (I think these are covered in 
>> the
>> blog post, if not ping me)
>>
>> * Current SSVM from 4.3 is not good enough.
>> * Yes, each SystemVM runs software that needs OpenSSL. For the curious,
>> see "lsof|grep -i ssl"
>> * I'm not sure if the current SystemVM template on Jenkins is secure, we're
>> testing that currently and will update once confirmed.
>> * Assume if you see us releasing a blog post about a security issue, there's a
>> security issue (QED HTH HAND)
>> * Realhostip uses SSL, but not on the SystemVMs. If you're using realhostIP,
>> it doesn't matter what version of OSSL you use, you're still insecure. Horse:
>> beaten.
>> * Chiradeep's correct, 4.1 and older are not vulnerable. Post updated again.
>>
>> I think that covers the questions...running around doing a few things but this
>> is very high on our priority list.
>>
>> (snarky comments are meant to be funny not insulting/condescending)
>>
>> On Apr 9, 2014, at 10:19 AM, John Kinsella <j...@stratosec.co> wrote:
>>
>> To my knowledge, no code change is necessary just a rebuild.  - j
>>
>> Please excuse typos - sent from mobile device.
>>
>> ----- Reply message -----
>> From: "Rayees Namathponnan" <rayees.namathpon...@citrix.com>
>> To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org>
>> Subject: OpenSSL vunerability (bleedheart)
>> Date: Wed, Apr 9, 2014 10:13 AM
>>
>> Even if we get the latest systemvm template from
>> http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ , it
>> has openssl 1.0.1e-2+deb7u4 ?
>>
>> Is there any code change required to create system template with openssl
>> 1.0.1e-2+deb7u6  ?
>>
>> Regards,
>> Rayees
>>
>> -----Original Message-----
>> From: Harikrishna Patnala [mailto:harikrishna.patn...@citrix.com]
>> Sent: Wednesday, April 09, 2014 5:15 AM
>> To: <dev@cloudstack.apache.org>
>> Subject: Re: OpenSSL vunerability (bleedheart)
>>
>> Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update
>> openssl to get 1.0.1e-2+deb7u6.
>>
>> It will be great if someone can update openssl to 1.0.1e-2+deb7u6 and test
>> OpenSSL HeartBleed Vulnerability. Right now I could not do it from our
>> network.
>>
>> -Harikrishna
>>
>> On 09-Apr-2014, at 5:00 pm, Nux! <n...@li.nux.ro> wrote:
>>
>> On 09.04.2014 12:04, Abhinandan Prateek wrote:
>> Latest jenkins build template has openSSL version 1.0.1e, the version that is
>> compromised.
>>
>> Guys, do not panic.
>> It is my understanding that in Debian, just like in RHEL, major versions will
>> not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they
>> will backport stuff.
>>
>> After I did an "apt-get update && apt-get install openssl" I got package
>> version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok
>> according to the changelog:
>>
>> "aptitude changelog openssl" says:
>>
>> openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
>>
>> * Non-maintainer upload by the Security Team.
>> * Enable checking for services that may need to be restarted
>> * Update list of services to possibly restart
>>
>> -- Salvatore Bonaccorso <car...@debian.org>  Tue, 08 Apr 2014 10:44:53 +0200
>>
>> openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
>>
>> * Non-maintainer upload by the Security Team.
>> * Add CVE-2014-0160.patch patch.
>>   CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
>>   A missing bounds check in the handling of the TLS heartbeat extension
>>   can be used to reveal up to 64k of memory to a connected client or
>>   server.
>>
>> -- Salvatore Bonaccorso <car...@debian.org>  Mon, 07 Apr 2014 22:26:55 +0200
>>
>> In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then
>> they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?
>>
>> Lucian
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>>
>> Nux!
>> www.nux.ro
>>
>>
>> Stratosec <http://stratosec.co/> - Compliance as a Service
>> o: 415.315.9385
>> @johnlkinsella <http://twitter.com/johnlkinsella>
>
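Lucian's point above is that the fix is a Debian backport, so the upstream string stays 1.0.1e and only the "+deb7uN" revision tells you whether CVE-2014-0160 is patched. The check below is an added example, not code from the thread or from CloudStack; it assumes the 1.0.1e-2+deb7uN version form quoted in the changelog and treats anything else as unknown rather than fixed.

```shell
#!/bin/sh
# Added example, not code from the CloudStack thread. Decides whether a Debian
# wheezy "openssl" package version already carries the CVE-2014-0160 fix.
# The upstream string stays 1.0.1e and only the Debian revision (+deb7uN)
# moves, so the comparison must use N, not the upstream version.
# Assumption: versions look like 1.0.1e-2+deb7uN, the only form in the thread.

FIXED_REV=5   # 1.0.1e-2+deb7u5 is the changelog entry that adds CVE-2014-0160.patch

# openssl_heartbleed_fixed VERSION
# exit 0 = fix present, 1 = vulnerable, 2 = version not in the expected form
openssl_heartbleed_fixed() {
    ver="$1"
    case "$ver" in
        1.0.1e-2+deb7u*)
            rev="${ver#1.0.1e-2+deb7u}"
            case "$rev" in
                ''|*[!0-9]*) return 2 ;;   # suffix is not a plain integer
            esac
            [ "$rev" -ge "$FIXED_REV" ]
            ;;
        *)
            return 2   # unknown packaging scheme: do not guess "fixed"
            ;;
    esac
}

# Check the package actually installed on this host. dpkg-query -W prints the
# exact version of the one package, which avoids the stray matches that
# "dpkg -l|grep openssl" can give (libssl1.0.0, openssl-doc, ...).
report_installed_openssl() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg-query not available"; return 2; }
    installed="$(dpkg-query -W -f='${Version}' openssl 2>/dev/null)" || {
        echo "openssl package not installed"; return 2; }
    # && / || keeps a non-zero result from tripping "set -e" in callers
    openssl_heartbleed_fixed "$installed" && rc=0 || rc=$?
    case "$rc" in
        0) echo "openssl $installed: CVE-2014-0160 fix present" ;;
        1) echo "openssl $installed: VULNERABLE, run apt-get update && apt-get install openssl" ;;
        *) echo "openssl $installed: not a 1.0.1e-2+deb7uN build, check the changelog by hand" ;;
    esac
    # The deb7u6 entry adds restart checks for a reason: upgrading the library
    # does not fix a process that still has the old libssl mapped until it restarts.
    return "$rc"
}
```

Run `report_installed_openssl` on a system VM to get the verdict for the installed package; the version-only function can be fed the string from a template's package list without touching the VM.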