March 18, 2015: 11:30am PDT (6:30pm UTC) -
Engine Yard is aware of the recently announced vulnerabilities in the OpenSSL library. The corrected versions are 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf. The announcement's high-risk vulnerability pertains only to 1.0.2, which is not used in Engine Yard's application stacks, and therefore poses no risk. However, versions 1.0.1k, 1.0.0p, and 0.9.8zd are used in Engine Yard stacks and carry medium-severity risk. The following CVEs are involved, but detailed information has not been publicly disclosed at this time:
+ CVE-2015-0209
+ CVE-2015-0285
+ CVE-2015-0288
+ CVE-2015-0291
Once OpenSSL has released further information and the recommended patches, we will begin the process of reviewing, testing, and integrating.
We will update this Known Issue once more information is available.
March 23, 2015: 4:48pm PT
Engine Yard has updated all infrastructure-related environments with the OpenSSL patches. Furthermore, customers can now update their environment(s) with the recently released hotfix. Please see our release notes for instructions and further details.
Important details about the hotfix
+ Services that use OpenSSL will need to be manually restarted after the Cloud dashboard upgrade is completed. Alternatively, fully restarting all instances makes the remaining notes in this list unnecessary.
+ Nginx, ntpd, postgres and most other services can be restarted using their respective init scripts (i.e. `/etc/init.d/<NAME> restart`).
+ Restarting Nginx will restart Passenger (and the Rack or Rails processes it runs). PHP-FPM, Unicorn, and Puma processes may also need to be restarted if they use SSL for outgoing connections.
+ Restarting monit can be done via `monit quit; sleep 5; monit summary`.
+ Background job processes can be restarted manually, or the relevant application(s) can simply be redeployed.
+ Database environments should have slaves restarted before the master.
Customers with any questions or concerns for this update should reach out to our Application Support engineers via a support ticket.
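A check that follows from the restart notes above, added here as an example and not part of the Engine Yard notes: once the updated library is on disk, any process still running with the old libssl/libcrypto shows those mappings as "(deleted)" in /proc/<pid>/maps. The script below parses such listings (the two sample listings are constructed) and, on a live Linux host, reports which processes still need a restart.

```shell
#!/bin/sh
# Added example, not part of the Engine Yard notes. A process started before
# the OpenSSL hotfix keeps executing the old libssl/libcrypto code until it is
# restarted; after the package manager replaces the files on disk, Linux marks
# those stale mappings "(deleted)" in /proc/<pid>/maps.

# needs_restart: read /proc/<pid>/maps-style lines on stdin, print the path of
# every stale libssl/libcrypto mapping, and exit 1 if any was found (0 if clean).
needs_restart() {
    awk '$6 ~ /lib(ssl|crypto).*\.so/ && $7 == "(deleted)" { print $6; found = 1 }
         END { exit found ? 1 : 0 }'
}

# scan_host: apply the check to every readable process and print one
# "<pid> <comm> <stale lib>" line per stale mapping. Run as root so that
# every /proc/<pid>/maps is readable; processes owned by other users are
# silently skipped otherwise.
scan_host() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale=$(needs_restart < "$maps") && continue    # clean process
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf '%s\n' "$stale" | while IFS= read -r lib; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed sample: maps of an nginx worker started before the hotfix.
SAMPLE_STALE='7f1e0c000000-7f1e0c1f0000 r-xp 00000000 08:01 131094 /usr/lib64/libcrypto.so.1.0.0 (deleted)
7f1e0c400000-7f1e0c460000 r-xp 00000000 08:01 131102 /usr/lib64/libssl.so.1.0.0 (deleted)
7f1e0c800000-7f1e0c9a0000 r-xp 00000000 08:01 4204 /lib64/libc-2.19.so
7ffd4a000000-7ffd4a021000 rw-p 00000000 00:00 0 [stack]'

# Constructed sample: the same worker after `/etc/init.d/nginx restart`
# (new inode numbers, no "(deleted)" marker).
SAMPLE_CLEAN='7f1e0c000000-7f1e0c1f0000 r-xp 00000000 08:01 131210 /usr/lib64/libcrypto.so.1.0.0
7f1e0c400000-7f1e0c460000 r-xp 00000000 08:01 131215 /usr/lib64/libssl.so.1.0.0
7f1e0c800000-7f1e0c9a0000 r-xp 00000000 08:01 4204 /lib64/libc-2.19.so'

# On a live host, run: scan_host
```

Where `lsof` is installed, the same stale mappings show up with `DEL` in its TYPE column, which is a quick cross-check.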
FYI, 1.0.1, 1.0.0 and 0.9.8 are vulnerable to CVE-2015-0204 (not listed) which has been reclassified to "High".
So my understanding is that EY stack is now vulnerable. See http://openssl.org/news/secadv_20150319.txt.
Hi Thibaut,
We already released updates for OpenSSL to address that CVE. Please see:
https://support.cloud.engineyard.com/entries/89894297-Engine-Yard-Release-Notes-March-2015
Hi Eduardo,
thanks for the precision! Sorry for the confusion.
-- Thibaut