OpenSSL May 2016 advisory

OpenSSL have published the following security advisory:

https://www.openssl.org/news/secadv/20160503.txt

CVE-2016-2108 and CVE-2016-2107 are the most serious issues. All of the CVEs in the advisory affect both OpenSSL 1.0.0 and 1.0.1, except for CVE-2016-2107, which does not affect 1.0.0.

Our Gentoo 2012 (stable-v4) stack makes use of OpenSSL 1.0.0 or 1.0.1, and as such customers on this stack are affected.

In response, OpenSSL 1.0.0t-r1 and 1.0.1r-r1 have now been made available on the stack.

To upgrade the OpenSSL version on your environments, please use each environment's 'Upgrade' button to apply any pending updates.

As always, we recommend testing upgrades on a staging environment first. Please see https://support.cloud.engineyard.com/entries/21009922-Upgrade-an-Environment for more information regarding environment upgrades.

For customers making use of Amazon ELBs, OpenSSL has been upgraded on the ELBs, and as such no customer action is required to resolve this issue at the ELB level: http://aws.amazon.com/security/security-bulletins/openssl-security-advisory-may-2016/
