Engine Yard Developer Center

June 6, 2014: OpenSSL Security Advisory

OpenSSL have published the following security advisory:

https://www.openssl.org/news/secadv_20140605.txt


CVE-2014-0224, the SSL/TLS man-in-the-middle (ChangeCipherSpec injection) vulnerability, is the highest-priority item in the advisory. Servers are only known to be vulnerable on OpenSSL 1.0.1 and 1.0.2-beta1; clients are vulnerable on all versions before the fixed releases (0.9.8za, 1.0.0m and 1.0.1h). The attack requires both ends of a connection to be running vulnerable code, and an attacker positioned between them.


Our Gentoo 2009 (v2) and Gentoo 2012 (v4) stacks use stable versions 0.9.8y and 1.0.0j respectively. These versions are not affected by this issue for incoming connections when acting as servers, but are vulnerable when acting as clients making outgoing connections to other vulnerable servers (for example, application code calling a third-party HTTPS API over a path an attacker can intercept). Updated packages are being developed for stack upgrades and we shall make an announcement when the stack upgrades are released.

On our v4 stack, version 1.0.1 has previously been made available, although it is not installed by default. If you have previously upgraded to 1.0.1 then your OpenSSL is affected on both the server and the client side. Please stand by to upgrade again once 1.0.1h has been made available.


Our Ubuntu (New UI) stack makes use of version 1.0.1, and so is affected:

http://www.ubuntu.com/usn/usn-2232-1/

Updated packages have now been released and OpenSSL can be upgraded by running the following on each of your instances (note: libssl1.0.0 is the correct package name for OpenSSL 1.0.1; the "1.0.0" in the name is the library soname, not the OpenSSL release). Upgrading the library does not patch processes that already have the old libssl loaded, so restart your web server, application workers and any other long-running services afterwards (or reboot the instance):

sudo apt-get update
sudo apt-get install openssl
sudo apt-get install libssl1.0.0
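The script below is an added example and is not Engine Yard, Ubuntu or OpenSSL tooling. It encodes the affected-version rules from the advisory summarised at the top of this article (servers: 1.0.1 before 1.0.1h and 1.0.2-beta1; clients: anything before 0.9.8za, 1.0.0m or 1.0.1h), so the output of `openssl version` collected from a set of instances can be classified, and it performs the check that follows the apt-get upgrade above: any process that still maps the replaced libssl/libcrypto is still executing the old code until it is restarted. The function names (`ccs_status`, `stale_ssl_pids`, `report`) are this example's own. One caveat: distribution builds such as Ubuntu's carry the fix as a backport and keep reporting the base version string (e.g. "OpenSSL 1.0.1 14 Mar 2012"), so on the Ubuntu stack trust the package version from `dpkg -s libssl1.0.0` rather than the string check; the string check is accurate for the upstream-versioned builds on the Gentoo stacks.

```shell
#!/bin/sh
# Added example, not Engine Yard tooling: classify an OpenSSL version string
# against the 5 June 2014 advisory (CVE-2014-0224) and find processes that
# still have the pre-upgrade libssl/libcrypto mapped. Function names are this
# example's own.

# Print one word describing the role-dependent exposure of a version string:
#   fixed       - carries the fix (0.9.8za+, 1.0.0m+, 1.0.1h+)
#   client-only - 0.9.8 / 1.0.0 before the fix: not affected as a server,
#                 affected on outgoing client connections
#   vulnerable  - 1.0.1 before 1.0.1h, or 1.0.2-beta1: affected as server and client
#   unknown     - anything else; consult the advisory
# Accepts either "1.0.1e" or the full `openssl version` line, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013". Distro backports (Ubuntu) keep the base
# version string, so use the package version there instead of this check.
ccs_status() {
    ver=${1#OpenSSL }        # drop the leading "OpenSSL " if present
    ver=${ver%% *}           # drop the build date that follows the version
    case "$ver" in
        0.9.8z[a-z]*) echo fixed ;;        # 0.9.8za, zb, ...; there was no plain 0.9.8z
        0.9.8*)       echo client-only ;;
        1.0.0[m-z]*)  echo fixed ;;
        1.0.0*)       echo client-only ;;
        1.0.1[h-z]*)  echo fixed ;;
        1.0.1*)       echo vulnerable ;;
        1.0.2-beta1*) echo vulnerable ;;
        *)            echo unknown ;;
    esac
}

# Print the PIDs of processes still mapping a deleted libssl/libcrypto. After
# `apt-get install libssl1.0.0` replaces the file on disk, /proc/<pid>/maps shows
# the old copy as "... libssl.so.1.0.0 (deleted)" until the process restarts.
# Always exits 0; an empty result means nothing needs restarting.
stale_ssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        if grep -Eq 'lib(ssl|crypto)[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            echo "${pid%%/*}"
        fi
    done
    return 0
}

# Convenience: run both checks on the current instance.
report() {
    ver=$(openssl version 2>/dev/null || echo unknown)
    echo "installed: $ver -> $(ccs_status "$ver")"
    stale=$(stale_ssl_pids | tr '\n' ' ')
    if [ -n "$stale" ]; then
        echo "restart these PIDs (old libssl still mapped): $stale"
    else
        echo "no process is holding a replaced libssl/libcrypto"
    fi
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Save it under any name (say `ccs_check.sh`, a hypothetical file name) and run `sh ccs_check.sh --report` on each instance after the upgrade; `ccs_status` can also be fed version strings gathered from a fleet. On Debian-based systems, `checkrestart` from the debian-goodies package performs the same deleted-library scan across all packages.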


Amazon Elastic Load Balancers run version 1.0.1 and are therefore affected. Amazon is currently in the process of upgrading the OpenSSL version on all ELBs:

http://aws.amazon.com/security/security-bulletins/openssl-security-advisory/


If you have any additional questions, concerns, or need any assistance from Engine Yard Support, please open a support ticket and we will be happy to assist.

Update 15th July

OpenSSL versions 0.9.8z_p1 (Gentoo's package version for upstream 0.9.8za) and 1.0.0m have now been made available for our Gentoo 2009 (v2) and Gentoo 2012 (v4) stacks respectively, and our main Chef recipes have been updated to utilise these. To upgrade the OpenSSL version on your environments, use the environment's 'Upgrade' button to apply any pending updates.

As always, we recommend testing upgrades on a staging environment first, and please see https://support.cloud.engineyard.com/entries/21009922-Upgrade-an-Environment for more information regarding environment upgrades.

Comments

  • John Banks

    Any updates as to when this will be added to the Gentoo stack?  Or could you provide the manual steps to resolve this issue?

    It looks like Gentoo has made the update available.

    http://packages.gentoo.org/package/dev-libs/openssl

  • Kevin French

    John,

    I saw your question here and noticed we did not reply to you specifically. We did post an update into this article on July 15th. If that doesn't answer your questions, or if you have additional questions, please let me know.

    Kevin
