Summary of Images and Templates Impacted by Heartbleed Bug

Stacklet has begun to rebuild images and templates of distros that ship versions of openssl affected by the Heartbleed bug (CVE-2014-0160). The number of images in the subscriber repo requiring a rebuild is large; however, with one exception (see below) the images do not start public TLS-enabled services when booted. Hence a fresh install is not exploitable via Heartbleed, which gives the end user the opportunity to upgrade the system before enabling any public services (e.g. https). By design we install a minimal set of internet daemons and enable the bare minimum.

This article addresses templates/images that are affected based on their initial configuration. Needless to say, end users perform extensive modifications to the OS after deployment and should perform their own analysis of any services they have installed and enabled after downloading a Stacklet file.

Serious impact: CentOS 6.5 Webmin/Virtualmin for SolusVM on x86-64.
This is the only template that starts a TLS service in the default runlevel. It has been unpublished pending a rebuild and should not be used. Email notifications have been sent to subscribers who have downloaded this template.

Moderate impact: images that currently have an unpatched version of openssl but do not start a TLS-protected service in their default runlevel. Image rebuilds are in progress. In the meantime, fresh deployments of these images should be patched before starting any additional internet daemons that use openssl. Or, stated simply: update the system before using it. (Note: this discussion covers the current repo only, not EOL versions or files that have been moved to the archive. If you are unsure about a template, please contact us.)

    Arch 2014.01: Rebuilt as 2014.04. Templates with datestamp 20140420 are patched.
    CentOS 6.5: Rebuild completed. Templates with datestamp 20140415 are patched.
    Debian 7: Rebuild completed. Templates upgraded to version 7.4 with datestamp 20140412 are patched.
    Fedora 20: Rebuild completed. Templates with datestamp 20140410 are patched.
    Gentoo 2014.01: Rebuilt as 2014.04. Templates with datestamp 20140421 are patched.
    OpenSuse 13.1: Rebuild completed. Templates with datestamp 20140417 are patched.
    Scientific 6.5: Rebuild completed. Templates with datestamp 20140409 are patched.
    Slackware 14.1: Rebuild completed. Templates with datestamp 20140417 are patched.
    Ubuntu 10.04 LTS: Does not require a rebuild.
    Ubuntu 12.04 LTS: Rebuild completed. Templates with datestamp 20140414 are patched.
    Ubuntu 13.10: Will not be rebuilt due to approaching upstream EOL. Moved to archive and flagged EOL.
    Ubuntu 14.04 LTS: Templates with datestamp 20140419 are patched.
    All other Ubuntu versions have been EOLed and will not be addressed.
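The "update the system before using it" rule above, as an added pre-flight check for a freshly deployed image; this is example code, not Stacklet's own tooling. It reports whether the installed openssl is in the affected upstream range, whether the distro package changelog records the CVE-2014-0160 fix (distros backport the fix without bumping the version, so the version string alone is not enough), and whether any common TLS port is already listening. It assumes `openssl`, `ss` and either `rpm` or Debian's `changelog.Debian.gz` are present; the affected version range (1.0.1 through 1.0.1f and 1.0.2-beta1) and the port list come from the upstream advisory and common defaults, not from this page.

```shell
#!/bin/sh
# Added example (not Stacklet's tooling): Heartbleed pre-flight for a fresh image.

# Return 0 if an upstream OpenSSL version string is in the Heartbleed range
# (1.0.1 through 1.0.1f, or 1.0.2-beta1). Distros backport fixes without
# changing this string, so a hit means "check the package changelog".
openssl_version_in_heartbleed_range() {
    case "$1" in
        1.0.1|1.0.1[a-f]*) return 0 ;;
        1.0.2-beta1*)      return 0 ;;
        *)                 return 1 ;;
    esac
}

# Return 0 if the installed openssl package's changelog records the CVE fix.
openssl_package_mentions_cve() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2014-0160'
    elif [ -r /usr/share/doc/openssl/changelog.Debian.gz ]; then
        zcat /usr/share/doc/openssl/changelog.Debian.gz | grep -q 'CVE-2014-0160'
    else
        return 1
    fi
}

# Read `ss -tln` output on stdin; print local ports that are common TLS ports
# (443 https, 465/993/995 mail, 8443 alt-https, 10000 Webmin's default).
tls_ports_in_ss_output() {
    awk 'NR>1 {print $4}' | sed 's/.*://' | grep -Ex '443|465|993|995|8443|10000' || true
}

heartbleed_preflight() {
    ver=$(openssl version 2>/dev/null | awk '{print $2}')
    echo "openssl reports version: ${ver:-unknown}"
    if openssl_version_in_heartbleed_range "$ver"; then
        if openssl_package_mentions_cve; then
            echo "affected range, but package changelog records the CVE-2014-0160 fix (backport)"
        else
            echo "UPDATE NOW: affected range and no record of the fix; update before starting any TLS service"
        fi
    else
        echo "version is outside the affected range"
    fi
    ports=$(ss -tln 2>/dev/null | tls_ports_in_ss_output)
    if [ -n "$ports" ]; then
        echo "WARNING: TLS ports already listening: $(echo "$ports" | tr '\n' ' ')"
    else
        echo "no common TLS ports listening (expected for a fresh image)"
    fi
}

if [ "${1:-}" = "--run" ]; then heartbleed_preflight; fi
```

Run it as `sh preflight.sh --run` on the deployed system before enabling any public service.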


© 2010-2013 Stacklet LLC