OpenSSL have published the following security advisory:
CVE-2014-0224 is the highest priority. It affects OpenSSL acting as a server in versions 1.0.1 and 1.0.2-beta1, and OpenSSL acting as a client in all versions. A successful attack requires an active man-in-the-middle positioned between a vulnerable client and a vulnerable server, which can then decrypt and modify the traffic. The fixed releases are 0.9.8za, 1.0.0m and 1.0.1h.
Our Gentoo 2009 (v2) and Gentoo 2012 (v4) stacks use stable versions 0.9.8y and 1.0.0j respectively. Neither version is known to be affected when accepting incoming connections as a server, but both are vulnerable when acting as a client making outgoing connections to a vulnerable server. Updated packages are being developed for stack upgrades and we shall make an announcement when the stack upgrades are released.
On our v4 stack, version 1.0.1 has previously been made available, although, as stated above, it is not installed by default. If you have previously upgraded to 1.0.1 then your OpenSSL is affected. Please stand by to upgrade again once 1.0.1h has been made available.
Our Ubuntu (New UI) stack makes use of version 1.0.1, and so is affected:
Updated packages have now been released and OpenSSL can be upgraded by running the following on each of your instances (note: the library package is named libssl1.0.0 after the library's soname, and is the correct package for OpenSSL version 1.0.1):
sudo apt-get update
sudo apt-get install openssl
sudo apt-get install libssl1.0.0
Upgrading the package does not fix processes that are already running against the old library (nginx, Passenger, Unicorn, Postfix and so on); restart those services, or reboot the instance, after the upgrade.
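The upgrade commands above replace the files on disk, but a long-running daemon keeps the old libssl/libcrypto mapped until it is restarted. The script below is an added example, not Engine Yard's own tooling: it wraps the upgrade, prints the installed package version and library build date so you can confirm the rebuilt package landed, and then scans /proc for processes whose memory maps still reference a deleted libssl or libcrypto. It assumes an Ubuntu host with the libssl1.0.0 package; the PIDs, inode numbers and /lib/x86_64-linux-gnu paths in the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original advisory): upgrade OpenSSL on Ubuntu,
# verify what is installed, and find processes still using the OLD library.
# Assumption: Ubuntu with the libssl1.0.0 package; library paths are illustrative.

set -u

# The advisory's upgrade procedure, requires root.
upgrade_openssl() {
    sudo apt-get update
    sudo apt-get install -y openssl libssl1.0.0
}

# Installed package version plus the "built on" line from the library itself;
# the build date is the quickest way to confirm the rebuilt library is in place.
show_openssl_version() {
    dpkg-query -W -f='libssl1.0.0 ${Version}\n' libssl1.0.0
    openssl version -a | sed -n '1p;/built on/p'
}

# Read "<pid> <maps-line>" records on stdin and print, one per line, the PIDs
# whose memory maps still reference a deleted libssl/libcrypto shared object.
# Such a process only picks up the patched library when it is restarted.
find_stale_pids() {
    awk '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$/ { pids[$1] = 1 }
         END { for (p in pids) print p }' | sort -n
}

# Walk /proc (needs root to read other users' maps) and feed find_stale_pids.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # Prefix every maps line with its PID so the parser can group by process.
        sed "s|^|$pid |" "$maps" 2>/dev/null
    done | find_stale_pids
}

# Constructed sample input: PID 1234 still maps the deleted (pre-upgrade)
# libssl; PID 5678 was started after the upgrade and maps the new files.
sample_maps() {
    cat <<'EOF'
1234 7f3c2a000000-7f3c2a05e000 r-xp 00000000 fd:01 1835012 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
1234 7f3c2a05e000-7f3c2a25e000 ---p 0005e000 fd:01 1835012 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
5678 7f9d10000000-7f9d1005e000 r-xp 00000000 fd:01 1835200 /lib/x86_64-linux-gnu/libssl.so.1.0.0
5678 7f9d10200000-7f9d1040a000 r-xp 00000000 fd:01 1835201 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF
}

if [ "${1:-}" = "--scan" ]; then
    scan_running_processes
else
    sample_maps | find_stale_pids   # prints 1234
fi
```

Run it with `--scan` as root on a real instance after the apt-get step; any PID it prints belongs to a service that still has the vulnerable code loaded and must be restarted. An empty result, together with a post-upgrade "built on" date from `show_openssl_version`, is the evidence that the instance is actually fixed rather than merely patched on disk.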
Amazon Elastic Load Balancers run version 1.0.1 and as such are affected, Amazon are currently in the process of upgrading the OpenSSL version on all ELBs:
If you have any additional questions, concerns, or need any assistance from Engine Yard Support, please open a support ticket and we will be happy to assist.
Update 15th July
OpenSSL versions 0.9.8z_p1 and 1.0.0m have now been made available for our Gentoo 2009 (v2) and Gentoo 2012 (v4) stacks respectively, and our main Chef recipes updated to utilise these. To upgrade the OpenSSL version on your environments please use the environments' 'Upgrade' button to apply any pending updates.
As always, we recommend testing upgrades on a staging environment first.