Fedora status on "Heartbleed"

From:  Robyn Bergeron <rbergero-AT-redhat.com>
To:  announce-AT-lists.fedoraproject.org
Subject:  Status on CVE-2014-0160, aka "Heartbleed"
Date:  Mon, 7 Apr 2014 23:01:24 -0400 (EDT)
Message-ID:  <1074692524.963887.1396926084235.JavaMail.zimbra@redhat.com>

Greetings, Fedora community:

We're aware of the recently disclosed CVE-2014-0160 (aka 
"Heartbleed"):

https://bugzilla.redhat.com/show_bug.cgi?id=1085065 (openssl)
https://bugzilla.redhat.com/show_bug.cgi?id=1085066 (mingw-openssl)

The issue affects the currently supported Fedora 19 and Fedora 20 
releases. Updates for openssl packages are available now, and
mirrors near you will receive them shortly. If you do not want to 
wait for your local mirror to get updates, you can retrieve and 
install packages directly:

For Fedora 19 x86_64:
  yum -y install koji
  koji download-build --arch=x86_64 openssl-1.0.1e-37.fc19.1
  yum localinstall openssl-1.0.1e-37.fc19.1.x86_64.rpm

For Fedora 20 x86_64:
  yum -y install koji
  koji download-build --arch=x86_64 openssl-1.0.1e-37.fc20.1
  yum localinstall openssl-1.0.1e-37.fc20.1.x86_64.rpm

Substitute i686 for 32-bit systems, or armv7hl for ARM systems (F20
only).

Package updates for mingw-openssl will receive fixes shortly and 
we'll update the community when they are available. Note that 
Fedora 18, which is no longer supported by the Fedora community, is 
also affected by this issue. Fedora 17 and previous releases, also no 
longer supported, are not affected by this issue.

Fedora Release Engineering is currently regenerating AMIs and
qcow2/kvm images to include the fix.

The Fedora Infrastructure team is working to assess any additional 
impact, and will update the community as we develop more information.

Thanks for your patience as we work on this issue.

ACKNOWLEDGMENTS: Special thanks to Dennis Gilmore for quickly providing
package updates, and Major Hayden for providing the manual update
guidance above.


-Robyn Bergeron

Posted Apr 8, 2014 22:00 UTC (Tue) by DouglasJM (subscriber, #6435)

Anyone else have this fail with:
--> Processing Dependency: openssl-libs(x86-64) = 1:1.0.1e-37.fc19.1 for package: 1:openssl-1.0.1e-37.fc19.1.x86_64
--> Finished Dependency Resolution
Error: Package: 1:openssl-1.0.1e-37.fc19.1.x86_64 (/openssl-1.0.1e-37.fc19.1.x86_64)

Posted Apr 8, 2014 22:23 UTC (Tue) by bojan (subscriber, #14302)

I think you'll need to get/install libs package as well.

Posted Apr 9, 2014 0:00 UTC (Wed) by zuki (subscriber, #41808)

Better instructions:

koji download-build --arch=x86_64 openssl-1.0.1e-37.fc20.1
sudo rpm -Fvh *rpm

Posted Apr 9, 2014 1:06 UTC (Wed) by DouglasJM (subscriber, #6435)

ahhhh, thanks, I should have tried that instead of the single command referenced on the original page.

Posted Apr 8, 2014 23:33 UTC (Tue) by mattdm (subscriber, #18)

Also, Fedora Cloud Images (both downloads and the AMI IDs referenced) are respun with the updated packages in place.

Posted Apr 9, 2014 11:03 UTC (Wed) by mattdm (subscriber, #18)

Please see updated official announcement https://lists.fedoraproject.org/pipermail/announce/2014-April/003207.html (or on Fedora Magazine with pretty formatting.)

Posted Apr 9, 2014 20:03 UTC (Wed) by jonabbey (guest, #2736)

My Fedora 20 systems just pulled openssl update packages.

Posted Apr 9, 2014 22:22 UTC (Wed) by mattdm (subscriber, #18)

Good. :) Please remember to also restart services that use the library -- that doesn't happen automatically.
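
Added example, not part of the comment above or of Fedora's announcement: one way to find the services that still need the restart mentioned there, by listing processes whose memory map still references the replaced (now deleted) libssl/libcrypto file. The function names and the sample tree are constructed for illustration, and it assumes the update replaced the library files on disk.

```shell
# List processes still mapping the pre-update OpenSSL library.
# Assumption: the package update replaced libssl/libcrypto on disk, so the old
# copy appears in /proc/PID/maps with a trailing " (deleted)".

# stale_openssl_pids [PROC_ROOT] -> prints "PID COMMAND", one per line
stale_openssl_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue        # skip unreadable or vanished entries
        if grep -Eq '/lib(ssl|crypto)[^/]*\.so[^/]* \(deleted\)$' "$maps" 2>/dev/null
        then
            dir=${maps%/maps}
            pid=${dir##*/}
            comm=$(cat "$dir/comm" 2>/dev/null) || comm='?'
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# make_sample_proc DIR: constructed /proc-like tree for an offline run
# (pids, process names and addresses are made up).
make_sample_proc() {
    mkdir -p "$1/101" "$1/202" "$1/303"
    echo httpd > "$1/101/comm"      # started before the update: stale mapping
    echo '7f10a0000000-7f10a0060000 r-xp 00000000 fd:01 1311 /usr/lib64/libssl.so.1.0.1e (deleted)' > "$1/101/maps"
    echo sshd > "$1/202/comm"       # restarted after the update: current file
    echo '7f20b0000000-7f20b01c0000 r-xp 00000000 fd:01 1402 /usr/lib64/libcrypto.so.1.0.1e' > "$1/202/maps"
    echo bash > "$1/303/comm"       # deleted mapping, but not an OpenSSL library
    echo '7f30c0000000-7f30c0002000 r-xp 00000000 fd:01 1500 /tmp/libfoo.so (deleted)' > "$1/303/maps"
}

# Demo on the constructed tree; on a real host run: stale_openssl_pids /proc
demo_dir=$(mktemp -d)
make_sample_proc "$demo_dir"
stale_openssl_pids "$demo_dir"
rm -rf "$demo_dir"
```

Run it as root on a real system, since the maps files of other users' processes are not readable otherwise; an empty result after restarting services means no process is still using the old library file.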

Posted Apr 10, 2014 8:44 UTC (Thu) by davidstrauss (subscriber, #85867)

I think the LWN summary is wrong. Those packages were released, QAed (with acceleration), and signed through the normal process. The instructions in the email just allow admins to skip the wait for mirror propagation.

