I found that my openstack system was vulnerable by using the test found here: http://filippo.io/Heartbleed
I'm running on Ubuntu12.04, and this is an older openstack system (folsom). I fixed the vulnerability by updating package python-openssl and restarting apache (apt-get update, apt-get install python-openssl, service apache2 restart). Test then returned "OK" Openstack runs on python, so naturally that's how it became vulnerable. Not strictly an "openstack component", but it can/will make you system vulnerable to heartbleed. There could be other places that need updates too, but at least there's that one. On Wed, Apr 9, 2014 at 3:46 AM, Thierry Carrez <thie...@openstack.org>wrote: > Aryeh Friedman wrote: > > What parts of openstack (if any) are vulnerable to heartbleed? > > OpenStack in itself is not vulnerable to heartbleed, however OpenStack > makes use of the host SSL library (libssl) and that one should be > properly patched. > > If you have a production deployment of OpenStack, you should consider > the SSL private keys for your SSL endpoints potentially compromised and > revoke / renew them (primary key material). > > Once you've done that, you should warn your users that passwords and > tokens used over that previously-flawed secure connection could have > been compromised and encourage them to change their own passwords and > expire existing tokens (secondary key material). > > Regards, > > -- > Thierry Carrez (ttx) > > _______________________________________________ > Mailing list: > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : openstack@lists.openstack.org > Unsubscribe : > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack