<div dir="ltr">Hi Lee,<div><br></div><div> You should have received an email from AWS. Yes you definitely need to take action. Here it is in case you missed it:</div><div><br></div><div><span style="font-family:arial,sans-serif;font-size:13px">Dear Amazon EC2 Customer,</span><br style="font-family:arial,sans-serif;font-size:13px">



<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">The OpenSSL project has recently announced a security vulnerability in OpenSSL affecting versions 1.0.1 and 1.0.2 (CVE-2014-0160). Customers that are running Linux and are using SSL could be affected by this issue and should upgrade to a fixed version as soon as possible.</span><br style="font-family:arial,sans-serif;font-size:13px">



<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">If you’re using the Amazon Linux AMI, you can simply run “sudo yum update openssl”, and then restart any services using OpenSSL to protect any at-risk instances.</span><br style="font-family:arial,sans-serif;font-size:13px">



<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">Find more details and update instructions from the websites of your Linux vendor of choice:</span><br style="font-family:arial,sans-serif;font-size:13px">



<span style="font-family:arial,sans-serif;font-size:13px">* Amazon Linux AMI: </span><a href="https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/" style="font-family:arial,sans-serif;font-size:13px" target="_blank">https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/</a><br style="font-family:arial,sans-serif;font-size:13px">



<span style="font-family:arial,sans-serif;font-size:13px">* Red Hat: </span><a href="https://rhn.redhat.com/errata/RHSA-2014-0376.html" rel="noreferrer" style="font-family:arial,sans-serif;font-size:13px" target="_blank">https://rhn.redhat.com/errata/RHSA-2014-0376.html</a><br style="font-family:arial,sans-serif;font-size:13px">



<span style="font-family:arial,sans-serif;font-size:13px">* Ubuntu: </span><a href="http://www.ubuntu.com/usn/usn-2165-1/" rel="noreferrer" style="font-family:arial,sans-serif;font-size:13px" target="_blank">http://www.ubuntu.com/usn/usn-2165-1/</a><br style="font-family:arial,sans-serif;font-size:13px">



<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">Please note that several of the prominent Linux operating systems have released fixed packages that still bear the OpenSSL 1.0.1e name.  Even though the OpenSSL project released 1.0.1g as their newest software, downstream Linux providers have in some cases elected to include just the fix for CVE-2014-0160 in their packages in order to provide a small update quickly. Updates to 1.0.1g are likely to come later.</span><br style="font-family:arial,sans-serif;font-size:13px">



<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">For more information about this vulnerability, please visit</span><br style="font-family:arial,sans-serif;font-size:13px">



<span style="font-family:arial,sans-serif;font-size:13px">* AWS Security Bulletin page: </span><a href="https://aws.amazon.com/security/security-bulletins/" style="font-family:arial,sans-serif;font-size:13px" target="_blank">https://aws.amazon.com/security/security-bulletins/</a><br style="font-family:arial,sans-serif;font-size:13px">



<span style="font-family:arial,sans-serif;font-size:13px">* OpenSSL’s official advisory: </span><a href="https://www.openssl.org/news/secadv_20140407.txt" rel="noreferrer" style="font-family:arial,sans-serif;font-size:13px" target="_blank">https://www.openssl.org/news/secadv_20140407.txt</a><br style="font-family:arial,sans-serif;font-size:13px">



<span style="font-family:arial,sans-serif;font-size:13px">* The Heartbleed Bug: </span><a href="http://heartbleed.com/" rel="noreferrer" style="font-family:arial,sans-serif;font-size:13px" target="_blank">http://heartbleed.com/</a><br style="font-family:arial,sans-serif;font-size:13px">



<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">Thank you,</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px">



<span style="font-family:arial,sans-serif;font-size:13px">AWS Security</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210</span><br>



</div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Regards,</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br>



</span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Jason</span></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Apr 9, 2014 at 2:05 PM, lee colleton <span dir="ltr"><<a href="mailto:lee@colleton.net" target="_blank">lee@colleton.net</a>></span> wrote:<br>



<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Sorry, I mean this in light of CVE-2014-0160 the Heartbleed OpenSSL bug</div><div><div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Apr 9, 2014 at 11:04 AM, lee colleton <span dir="ltr"><<a href="mailto:lee@colleton.net" target="_blank">lee@colleton.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I have relay(s) running in AWS. Will they auto-update? Do I need to take any action?</div>
</blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
tor-relays mailing list<br>
<a href="mailto:tor-relays@lists.torproject.org" target="_blank">tor-relays@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br>
<br></blockquote></div><br></div></div>