Information

The OpenSSL group issued a vulnerability alert on April 7, 2014. More information about CVE-2014-0160 is available on the OpenSSL website and at http://heartbleed.com/.

The vulnerability affects almost all services on a system that depend on OpenSSL (especially Apache-based ones), as well as systems created using one of the following distributions:

  • Debian Wheezy (stable) (vulnerable OpenSSL 1.0.1e-2+deb7u4, fixed in OpenSSL 1.0.1e-2+deb7u5)

  • Ubuntu 13.10 (vulnerable OpenSSL 1.0.1e-3ubuntu1.1, fixed in OpenSSL 1.0.1e-3ubuntu1.2)

  • Ubuntu 12.10 (vulnerable OpenSSL 1.0.1c-3ubuntu2.6, fixed in OpenSSL 1.0.1c-3ubuntu2.7)

  • Ubuntu 12.04.4 LTS (vulnerable OpenSSL 1.0.1-4ubuntu5.11, fixed in OpenSSL 1.0.1-4ubuntu5.12)

The package version for Debian/Ubuntu can be checked using the command:

~# dpkg -l openssl

  • RedHat, CentOS, CloudLinux 6.5 (vulnerable OpenSSL 1.0.1e-16.el6_5.4, fixed in OpenSSL 1.0.1e-16.el6_5.7)

  • Fedora 18 (OpenSSL 1.0.1e-4 without update: Fedora 18 is no longer supported)

  • Fedora 19 (fixed in OpenSSL 1.0.1e-37.fc19.1)

  • Fedora 20 (fixed in OpenSSL 1.0.1e-37.fc20.1)

  • OpenSUSE 12.2 (vulnerable OpenSSL 1.0.1c, fixed in OpenSSL 1.0.1e-1.44.1)

  • OpenSUSE 13.1 (fixed in OpenSSL 1.0.1e-11.32.1)

The package version for Redhat/CentOS and OpenSUSE can be checked using the command:

~# rpm -q openssl

The following OSes are not vulnerable:

  • OpenSSL 0.97a and 0.98e (in RedHat/CentOS 5) are not vulnerable. According to RHSA-2014-0376, only Redhat 6.5 has a vulnerable version of OpenSSL.

  • Debian Squeeze is not vulnerable, as stated in Debian Security Advisory DSA-2896.

  • Other supported Ubuntu releases are not vulnerable, as per Ubuntu Security Notice USN-2165-1.

  • Fedora is changing rapidly, and the status of the issue is available in the Fedora Magazine article.

  • Fixes for OpenSUSE are provided in OpenSUSE Security Announcement openSUSE-SU-2014:0492-1.

Parallels products may be affected by this vulnerability. Here is the list of articles which you may refer to:
