To: dev@cloudstack.apache.org
Subject: Re: OpenSSL vulnerability (bleedheart)
I want to address a few things here directly (I think these are covered in the
blog post, if not ping me)
* Current SSVM from 4.3
template
>copy. The latter is between 2 trusted IPs
>- Also this should only affect SSVM template from 4.2 onwards as only
>wheezy is affected
>
>Thanks
>Animesh
>-Original Message-
>From: John Kinsella [mailto:j...@stratosec.co]
>Sent: Wednesday, April 09, 2014 11:07
On 09.04.2014 18:34, John Kinsella wrote:
Folks - unfortunately there’s an error in my blog post last night. On
Debian, you need to update both openssl and libssl, updating openssl
by itself is not good enough. I knew this, had it in a draft but
somehow that didn’t make it into the post. I’ll bla
To: "dev@cloudstack.apache.org"
Subject: Re: OpenSSL vulnerability (bleedheart)
CPVM runs a monit daemon which is at least linked to libssl. I haven’t taken
more than a peek at that yet - I thin
Subject: Re: OpenSSL vulnerability (bleedheart)
I want to address a few things here directly (I think these are covered in the
blog post, if not ping me)
* Current SSVM from 4.3 is not good enough.
* Yes, each SystemVM runs software that needs OpenSSL. For the curious,
see "lsof|grep
new ones.
In such cases, don't the devel packages also need to be updated, say
openssl-devel?
Santhosh
From: John Kinsella [j...@stratosec.co]
Sent: Wednesday, April 09, 2014 2:06 PM
To: dev@cloudstack.apache.org
Subject: Re: OpenSSL vulnerability (bleedheart)
Thanks
> Animesh
>> -Original Message-
>> From: John Kinsella [mailto:j...@stratosec.co]
>> Sent: Wednesday, April 09, 2014 11:07 AM
>> To: dev@cloudstack.apache.org
>> Subject: Re: OpenSSL vulnerability (bleedheart)
>>
>> I want to address a few t
> Subject: Re: OpenSSL vulnerability (bleedheart)
>
> I want to address a few things here directly (I think these are covered in the
> blog post, if not ping me)
>
> * Current SSVM from 4.3 is not good enough.
> * Yes, each SystemVM runs software that needs OpenSSL.
To: "dev@cloudstack.apache.org"
Subject: OpenSSL vulnerability (bleedheart)
Date: Wed, Apr 9, 2014 10:13 AM
Even if we get latest systemvm template from
http://jenkins.bui
It might be good to add the particulars of what in the system VMs have
problems, so people know what urgency there is. For example, if the
only system vm that has an SSL service running on it is console proxy,
then an immediate mitigation is to focus on updating that (or shut it
down). It doesn't
Folks - unfortunately there’s an error in my blog post last night. On Debian,
you need to update both openssl and libssl, updating openssl by itself is not
good enough. I knew this, had it in a draft but somehow that didn’t make it
into the post. I’ll blame lack of sleep.
Blog post has been upd
Shouldn't the parts using realhostip.com be using SSL? At least pre 4.3?
Erik
On 9 Apr 2014 18:47, "Marcus" wrote:
> Maybe the console? I haven't used that in forever, does it do SSL?
>
> On Wed, Apr 9, 2014 at 10:31 AM, Nux! wrote:
> > On 09.04.2014 17:21, Marcus wrote:
> >>
> >> Should
Maybe the console? I haven't used that in forever, does it do SSL?
On Wed, Apr 9, 2014 at 10:31 AM, Nux! wrote:
> On 09.04.2014 17:21, Marcus wrote:
>>
>> Should just pull in the latest and work, if we're talking about
>> building a fresh system vm.
>>
>> Do we even have any services running in t
On 09.04.2014 17:21, Marcus wrote:
Should just pull in the latest and work, if we're talking about
building a fresh system vm.
Do we even have any services running in the system vm that require an
update? We don't do SSL termination with haproxy for load balancers
(yet), and I don't think that
e system template with openssl
> 1.0.1e-2+deb7u6 ?
>
> Regards,
> Rayees
>
> -Original Message-
> From: Harikrishna Patnala [mailto:harikrishna.patn...@citrix.com]
> Sent: Wednesday, April 09, 2014 5:15 AM
> To:
> Subject: Re: OpenSSL vulnerability (bleedheart)
To my knowledge, no code change is necessary just a rebuild. - j
Please excuse typos - sent from mobile device.
- Reply message -
From: "Rayees Namathponnan"
To: "dev@cloudstack.apache.org"
Subject: OpenSSL vulnerability (bleedheart)
Date: Wed, Apr 9, 2014 10:1
: Harikrishna Patnala [mailto:harikrishna.patn...@citrix.com]
Sent: Wednesday, April 09, 2014 5:15 AM
To:
Subject: Re: OpenSSL vulnerability (bleedheart)
Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to
get 1.0.1e-2+deb7u6.
It will be great if some one can update openssl to 1.0.1e-2+deb7u6 and test
OpenSSL HeartBleed Vulnerability. Right now I could not do it from our network.
-Harikrishna
On 09-Apr-2014, at 5:00 pm
On 09.04.2014 12:04, Abhinandan Prateek wrote:
Latest jenkins build template have openSSL version 1.0.1e, the version
that is compromised.
Guys, do not panic.
It is my understanding that in Debian, just like in RHEL, major
versions will not change, i.e. Debian GNU/Linux 7.0 will EOL with
open
Hi,
I have tried upgrading openssl on our system VMs (deployed using the latest
template); the version is still OpenSSL 1.0.1e.
Seems like apt does not have the binary of the latest OpenSSL; maybe we need to
compile the library from the latest OpenSSL source (OpenSSL 1.0.1g) and use that
build in our syste
On 09/04/14 2:30 pm, "Nux!" wrote:
>On 09.04.2014 06:55, John Kinsella wrote:
>> Just put up a blog post with mitigation instructions [1]. If anybody
>> has any issues with this, please let us know and we
On 09.04.2014 06:55, John Kinsella wrote:
Just put up a blog post with mitigation instructions [1]. If anybody
has any issues with this, please let us know and we’ll help/update as
appropriate.
We’re working on new SystemVM images, but that’s going to take us a
few days.
For those who run 4.3
Date: Tuesday, April 8, 2014 at 10:55 PM
To: "dev@cloudstack.apache.org"
Subject: Re: OpenSSL vulnerability (bleedheart)
Just put up a blog post with mitigation instructions [1]. If anybody has any
issues with this, please let us know and we’ll help/update as appropriate.
We’re working on new SystemVM images, but that’s going to take us a few days.
John
1: https://blogs.apache.org/cloudstack/entry/how_to_mitigate_
Folks - we’re aware of the OpenSSL issue, and are working with vendors to
release mitigation instructions for ACS.
Hoping to have something out later this evening.
John
On Apr 8, 2014, at 8:12 AM, Paul Angus wrote:
A vulnerability has been found in OpenSSL
h
Looks like issues.apache.org is ok.
On Tue, Apr 8, 2014 at 12:34 PM, Marcus wrote:
> That's a better test.
>
> On Tue, Apr 8, 2014 at 11:54 AM, Nux! wrote:
>> On 08.04.2014 18:40, Marcus wrote:
>>>
>>> I haven't read up on the actual mechanism, but it basically tricks
>>> the server process int
That's a better test.
On Tue, Apr 8, 2014 at 11:54 AM, Nux! wrote:
> On 08.04.2014 18:40, Marcus wrote:
>>
>> I haven't read up on the actual mechanism, but it basically tricks
>> the server process into adding 64k of random memory from its process
>> space into the TLS heartbeat payload. That me
I haven't read up on the actual mechanism, but it basically tricks
the server process into adding 64k of random memory from its process
space into the TLS heartbeat payload. That means any documents shared
over an SSL app, credentials, session keys, and anything else the
process touches.
Update y
On 08.04.2014 18:24, Marcus wrote:
For anyone who doesn't know, this is nightmare. People on tech sites
are scraping logins from each other and posting comments as other
users just to show they can, it's pretty powerful to be able to grab
random memory from a process using OpenSSL.
How exactly
I'd recommend not logging into issues.apache.org until it is fixed. I
believe Atlassian needs to do something with their shipped package
before that can happen.
openssl s_client -connect issues.apache.org:443 -tlsextdebug | grep heart
TLS server extension "heartbeat" (id=15), len=1
And further,
On 08.04.2014 16:12, Paul Angus wrote:
A vulnerability has been found in OpenSSL
http://www.bit-tech.net/news/bits/2014/04/08/openssl-heartbleed/1
If you want to test a site for it try http://filippo.io/Heartbleed/ (if
it's not loaded already)
There are already updates available where requi
A vulnerability has been found in OpenSSL
http://www.bit-tech.net/news/bits/2014/04/08/openssl-heartbleed/1
Affected are OpenSSL versions 1.0.1 and 1.0.2-beta, which include such releases
as
Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD
8.4, NetBSD 5.0.2 and Ope