The updates described are either important (where you need to take action) or of interest (you might want to know about these changes but you don't need to do anything).
Engine Yard Release Notes for July 29th, 2015
Major: Security Incompatibility with older Engine Yard Gentoo 2009
Action: You must upgrade to the minimum supported stack versions for Engine Yard Gentoo 2009 stacks in order to boot new instances.
Due to recent global improvements to SSL security, we have upgraded our security certificates. While this makes communication safer for everyone, the certificate and ciphers are incompatible with older stack versions on the Gentoo 2009 distribution (stable-v1, stable-v2 and stable-v3). This is due to the age of their OpenSSL version.
If you can't upgrade to the very latest version, which contains many performance and security fixes, it is highly recommended that you at least upgrade to version 1.1.401 if you are on stable-v2 or stable-v3, or to version 1.1.409 if you are on stable-v1.
For more information on Engine Yard Gentoo 2009, see the Engine Yard Gentoo 2009 docs.
Minor: Redis updates available for CVE-2015-4335
Action: If you use Redis 2.6.x or 2.8.x in your custom cookbooks, please update them to use the latest versions and apply them to your environments.
A vulnerability was discovered in Redis that allows users to break out of the Lua sandbox in Redis and execute arbitrary code. We have backported the patches and made them available as dev-db/redis-2.6.16-r2 and dev-db/redis-2.8.13-r1. If you use the 2.6.x or 2.8.x versions in your custom cookbooks, please update them to use these patched versions.
The Redis version installed by default on database instances with the use of custom cookbooks is 2.4.x, which is not subject to this vulnerability.
For more information on this subject, see Engine Yard Custom Cookbooks and adding Redis to utility instance using custom cookbooks.
Engine Yard Stack Release Notes for July 16th, 2015
Hotfix: Engine Yard Gentoo 12.11 stack upgrade
Action: If you are impacted by the issue below, we recommend you test this hotfix in your staging environment as soon as possible; then, when that is validated, click the Upgrade button for your production environment.
Note: For clarity, since we now have 2 Gentoo stacks, we refer to this stack as the Engine Yard Gentoo 12.11 stack. You can access it by using the Stack select field in the Environment UI.
It's best practice to upgrade your Engine Yard Gentoo 12.11 (stable-v4) stack regularly for the latest security and product updates. This week's updates:
- Node.js updated to v0.12.6 to fix out-of-band write in utf8 decoder (Node.js 0.12 branch available under Limited Availability -- request access via support ticket)
For more information on Engine Yard Gentoo 12.11, see the Engine Yard Gentoo 12.11 docs.
Engine Yard Stack Release Notes for July 9th, 2015
Hotfix: Engine Yard Gentoo 12.11 stack upgrade
Action: We recommend you test this hotfix in your staging environment as soon as possible; then, when that is validated, click the Upgrade button for your production environment.
Note: For clarity, since we now have 2 Gentoo stacks, we refer to this stack as the Engine Yard Gentoo 12.11 stack. You can access it by using the Stack select field in the Environment UI.
It's best practice to upgrade your Engine Yard Gentoo 12.11 (stable-v4) stack regularly for the latest security and product updates. This week's updates:
- Upgraded Nginx version 1.6.2 to statically use OpenSSL 1.0.1p. This is in response to a recently disclosed vulnerability in OpenSSL 1.0.1o.
For more information on Engine Yard Gentoo 12.11, see the Engine Yard Gentoo 12.11 docs.
Engine Yard Stack Release Notes for July 8th, 2015
Minor: Engine Yard Gentoo 2009 stack upgrade
Action: The following changes are applied the next time you click the Upgrade button for your Engine Yard Gentoo 2009 environment.
Note: For clarity, since we now have 2 Gentoo stacks, we refer to this stack as the Engine Yard Gentoo 2009 stack. You can access it by using the Stack select field in the Environment UI.
It's best practice to upgrade your Engine Yard Gentoo 2009 (stable-v2) stack regularly for the latest security and product updates. This week's updates:
- Makes lockrun v20120508 available on all configurations. We recommend using lockrun for all long-running cron jobs to prevent them from overlapping.
- OpenSSL version updated to 0.9.8zg to address a number of security concerns.
For more information on Engine Yard Gentoo 2009, see the Engine Yard Gentoo 2009 docs.
Minor: Engine Yard Gentoo 12.11 stack upgrade
Action: The following changes are applied the next time you click the Upgrade button for your Engine Yard Gentoo 12.11 environment.
Note: For clarity, since we now have 2 Gentoo stacks, we refer to this stack as the Engine Yard Gentoo 12.11 stack. You can access it by using the Stack select field in the Environment UI.
It's best practice to upgrade your Engine Yard Gentoo 12.11 (stable-v4) stack regularly for the latest security and product updates.
- Makes lockrun v20120508 available on all configurations. We recommend using lockrun for all long-running cron jobs to prevent them from overlapping.
- Updated curl with latest vulnerability patches (available as v7.26.0-r1).
- OpenSSL version updated to 1.0.0s to address a number of security concerns.
- Upgraded Nginx version 1.6.2 to statically use OpenSSL 1.0.1o (regardless of the version of OpenSSL installed on the instance).
- Updated PHP to version 5.4.42.
For more information on Engine Yard Gentoo 12.11, see the Engine Yard Gentoo 12.11 docs.