I have relay(s) running in AWS. Will they auto-update? Do I need to take any action?
Sorry, I mean this in light of CVE-2014-0160 the Heartbleed OpenSSL bug
On Wed, Apr 9, 2014 at 11:04 AM, lee colleton lee@colleton.net wrote:
I have relay(s) running in AWS. Will they auto-update? Do I need to take any action?
Hi Lee,
You should have received an email from AWS. Yes you definitely need to take action. Here it is in case you missed it:
Dear Amazon EC2 Customer,
The OpenSSL project has recently announced a security vulnerability in OpenSSL affecting versions 1.0.1 and 1.0.2 (CVE-2014-0160). Customers that are running Linux and are using SSL could be affected by this issue and should upgrade to a fixed version as soon as possible.
If you're using the Amazon Linux AMI, you can simply run "sudo yum update openssl", and then restart any services using OpenSSL to protect any at-risk instances.
Find more details and update instructions from the websites of your Linux vendor of choice: * Amazon Linux AMI: https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/ * Red Hat: https://rhn.redhat.com/errata/RHSA-2014-0376.html * Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Please note that several of the prominent Linux operating systems have released fixed packages that still bear the OpenSSL 1.0.1e name. Even though the OpenSSL project released 1.0.1g as their newest software, downstream Linux providers have in some cases elected to include just the fix for CVE-2014-0160 in their packages in order to provide a small update quickly. Updates to 1.0.1g are likely to come later.
For more information about this vulnerability, please visit * AWS Security Bulletin page: https://aws.amazon.com/security/security-bulletins/ * OpenSSL's official advisory: https://www.openssl.org/news/secadv_20140407.txt * The Heartbleed Bug: http://heartbleed.com/
Thank you,
AWS Security
Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210
Regards,
Jason
On Wed, Apr 9, 2014 at 2:05 PM, lee colleton lee@colleton.net wrote:
Sorry, I mean this in light of CVE-2014-0160 the Heartbleed OpenSSL bug
On Wed, Apr 9, 2014 at 11:04 AM, lee colleton lee@colleton.net wrote:
I have relay(s) running in AWS. Will they auto-update? Do I need to take any action?
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
The Tor Cloud AMIs (if that's what you're using) are configured to auto-update and restart if necessary.
But it probably can't hurt to check that you have the fixed OpenSSL package.
Best regards,
Alexander
--- PGP Key: 0xC55A356B | https://dietrich.cx/pgp
On 2014-04-09 20:05, lee colleton wrote:
Sorry, I mean this in light of CVE-2014-0160 the Heartbleed OpenSSL bug
On Wed, Apr 9, 2014 at 11:04 AM, lee colleton lee@colleton.net wrote:
I have relay(s) running in AWS. Will they auto-update? Do I need to take any action?
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays [1]
Links: ------ [1] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
tor-relays@lists.torproject.org
-
Alexander Dietrich -
Jason Odoom -
lee colleton