Aryeh Friedman wrote:
> What components (if any) are vulnerable to heartbleed?

OpenStack in itself is not vulnerable to heartbleed, however OpenStack
makes use of the host SSL library (libssl) and that one should be
properly patched.

If you have a production deployment of OpenStack, you should consider
the SSL private keys for your SSL endpoints potentially compromised and
revoke / renew them (primary key material).

Once you've done that, you should warn your users that passwords and
tokens used over that previously-flawed secure connection could have
been compromised and encourage them to change their own passwords and
expire existing tokens (secondary key material).

Regards,

-- 
Thierry Carrez (ttx)

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to