Upgrade OpenSSL packages

Bug #1425171 reported by Fabrizio Soppelsa
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Mirantis OpenStack | Opinion | Undecided | MOS Linux | |
| 5.1.x | Opinion | Undecided | MOS Linux | |
| 6.0.x | Opinion | Undecided | MOS Linux | |

Bug Description

Evaluate an upgrade of the OpenSSL packages for 6.x and 5.1.x to at least 1.0.1h.

In repos we have 1.0.1e (RPM) and 1.0.1-4 (DEB), which is equivalent to 1.0.1e.

tags: added: customer-found
Aleksander Mogylchenko (amogylchenko) wrote :

OpenSSL is a core package, and upgrading it will lead to rebuilding half of the distro. We will, however, install security updates from upstream:
https://bugs.launchpad.net/fuel/+bug/1418980

Changed in mos:
status: New → Opinion
Fabrizio Soppelsa (fsoppelsa) wrote :

Aleksander, your link doesn't open, can you please check?

Fabrizio Soppelsa (fsoppelsa) wrote :

The customer ran a scan and is requesting OpenSSL >= 1.0.1h to fix the following vulnerability:
* CVE-2014-0224

According to their scan, versions <1.0.1h may also suffer from:
* CVE-2010-5298
* CVE-2014-0195
* CVE-2014-0198
* CVE-2014-0221
* CVE-2014-3470

Vulnerabilities fixed in 1.0.1f:
* CVE-2014-0076

Aleksander Mogylchenko (amogylchenko) wrote :

All of the provided CVEs are fixed in the openssl package from precise. The full changelog may be found here:
http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.0.1-4ubuntu5.21/changelog
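
One way to check a claim like the one in the last comment, that a distribution package carries backported fixes although its upstream version string is older than 1.0.1h, is to look for the CVE IDs in the package changelog rather than compare version numbers. This is an added example, not part of the thread; the changelog text, version strings and function names are constructed placeholders.

```python
import re

# CVE IDs named in the thread above.
REQUIRED = ["CVE-2014-0224", "CVE-2010-5298", "CVE-2014-0195", "CVE-2014-0198",
            "CVE-2014-0221", "CVE-2014-3470", "CVE-2014-0076"]

# Constructed sample in Debian changelog layout (newest entry first). Versions
# and entry texts are placeholders, not the real Ubuntu changelog.
SAMPLE = """\
openssl (1.0.1-4sample2) precise-security; urgency=medium

  * SECURITY UPDATE: placeholder entry
    - debian/patches/CVE-2014-0224.patch
    - CVE-2010-5298, CVE-2014-0195, CVE-2014-0198
    - CVE-2014-0221, CVE-2014-3470

 -- Sample Maintainer <maint@example.com>  Thu, 01 Jan 1970 00:00:01 +0000

openssl (1.0.1-4sample1) precise-security; urgency=medium

  * SECURITY UPDATE: placeholder entry
    - CVE-2014-0076

 -- Sample Maintainer <maint@example.com>  Thu, 01 Jan 1970 00:00:00 +0000
"""

HEADER = re.compile(r"^(\S+) \(([^)]+)\) [^;]+;", re.M)  # "pkg (version) dist;"
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_changelog(text):
    """Return [(version, {cve, ...}), ...] in file order (newest first)."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append((h.group(2), set(CVE.findall(text[h.end():end]))))
    return entries

def audit(text, installed, required):
    """Map each CVE to the oldest upload, at or before `installed`, naming it."""
    entries = parse_changelog(text)
    versions = [v for v, _ in entries]
    if installed not in versions:
        raise ValueError(f"{installed} not found in changelog")
    result = dict.fromkeys(required)  # None means no entry mentions the CVE
    for version, cves in entries[versions.index(installed):]:
        for cve in cves.intersection(result):
            result[cve] = version  # later in file = older upload
    return result
```

Entries newer than the installed version are ignored by position in the file, so no Debian version comparison is needed; a `None` in the result means the installed package predates the fix or the changelog never names that CVE.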
