This affects almost all services (especially Apache-based ones) that depend on OpenSSL on systems built from one of the following distributions:
- Debian Wheezy (stable) (vulnerable OpenSSL 1.0.1e-2+deb7u4, fixed in OpenSSL 1.0.1e-2+deb7u5)
- Ubuntu 13.10 (vulnerable OpenSSL 1.0.1e-3ubuntu1.1, fixed in OpenSSL 1.0.1e-3ubuntu1.2)
- Ubuntu 12.10 (vulnerable OpenSSL 1.0.1c-3ubuntu2.6, fixed in OpenSSL 1.0.1c-3ubuntu2.7)
- Ubuntu 12.04.4 LTS (vulnerable OpenSSL 1.0.1-4ubuntu5.11, fixed in OpenSSL 1.0.1-4ubuntu5.12)
The package version for Debian/Ubuntu can be checked using the command:
~# dpkg -l openssl
- RedHat, CentOS, CloudLinux 6.5 (vulnerable OpenSSL 1.0.1e-16.el6_5.4, fixed in OpenSSL 1.0.1e-16.el6_5.7)
- Fedora 18 (OpenSSL 1.0.1e-4 without update: Fedora 18 is no longer supported)
- Fedora 19 (fixed in OpenSSL 1.0.1e-37.fc19.1)
- Fedora 20 (fixed in OpenSSL 1.0.1e-37.fc20.1)
- OpenSUSE 12.2 (vulnerable OpenSSL 1.0.1c, fixed in OpenSSL 1.0.1e-1.44.1)
- OpenSUSE 13.1 (fixed in OpenSSL 1.0.1e-11.32.1)
The package version for Redhat/CentOS and OpenSUSE can be checked using the command:
~# rpm -q openssl
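As an added example (not code from the original KB article or from Parallels), the following Python script parses the output of `dpkg -l openssl` or `rpm -q openssl` and compares the installed package version against the fixed versions listed above. It uses a Debian/RPM-style version comparison so that release numbers such as 5.11 and 5.12 are compared as numbers, not as strings. The distribution labels in the table are my own, the sample tool outputs are constructed, and the character ordering inside non-digit runs is a simplification of the full dpkg rules that is sufficient for these version strings.

```python
import re
from itertools import zip_longest
from typing import List, Tuple

# Fixed openssl package versions from the advisory text above. The distribution
# labels are chosen for this example; Fedora 18 has no fix and is therefore absent.
FIXED_VERSIONS = {
    "debian-wheezy": "1.0.1e-2+deb7u5",
    "ubuntu-13.10": "1.0.1e-3ubuntu1.2",
    "ubuntu-12.10": "1.0.1c-3ubuntu2.7",
    "ubuntu-12.04": "1.0.1-4ubuntu5.12",
    "rhel-6.5": "1.0.1e-16.el6_5.7",
    "fedora-19": "1.0.1e-37.fc19.1",
    "fedora-20": "1.0.1e-37.fc20.1",
    "opensuse-12.2": "1.0.1e-1.44.1",
    "opensuse-13.1": "1.0.1e-11.32.1",
}


def _split_epoch(version: str) -> Tuple[int, str]:
    """'1:1.0.1e-2' -> (1, '1.0.1e-2'); a missing epoch counts as 0."""
    epoch, sep, rest = version.partition(":")
    return (int(epoch), rest) if sep and epoch.isdigit() else (0, version)


def _char_key(c: str) -> Tuple[int, int]:
    # Simplified dpkg ordering of non-digit runs: '~' < end of string < letters < other characters
    if c == "~":
        return (0, 0)
    if c.isalpha():
        return (2, ord(c))
    return (3, ord(c))


def _lex_key(run: str) -> List[Tuple[int, int]]:
    # (1, 0) is an explicit end-of-string marker so that 'e~' sorts before 'e'
    return [_char_key(c) for c in run] + [(1, 0)]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b: epoch first, then alternating
    digit and non-digit runs, with digit runs compared numerically."""
    epoch_a, rest_a = _split_epoch(a)
    epoch_b, rest_b = _split_epoch(b)
    if epoch_a != epoch_b:
        return -1 if epoch_a < epoch_b else 1
    runs_a = re.findall(r"\d+|\D+", rest_a)
    runs_b = re.findall(r"\d+|\D+", rest_b)
    for x, y in zip_longest(runs_a, runs_b):
        if x == y:
            continue
        if x is None or y is None:
            # One string is a prefix of the other. Extra material normally makes a
            # version newer, except a '~' suffix (pre-release), which makes it older.
            extra = y if x is None else x
            newer = -1 if extra.startswith("~") else 1
            return -newer if x is None else newer
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
            continue
        if x.isdigit() != y.isdigit():
            # A non-digit run facing a digit run behaves like an extra (possibly '~') segment.
            text = y if x.isdigit() else x
            newer = -1 if text.startswith("~") else 1
            return -newer if x.isdigit() else newer
        return -1 if _lex_key(x) < _lex_key(y) else 1
    return 0


def installed_openssl_version(tool_output: str) -> str:
    """Extract the version from `dpkg -l openssl` (status 'ii' rows only) or `rpm -q openssl`."""
    for line in tool_output.splitlines():
        m = re.match(r"^ii\s+openssl\s+(\S+)", line)  # dpkg -l table row
        if m:
            return m.group(1)
        m = re.match(r"^openssl-(\d\S*)\.(?:x86_64|i[3-6]86|noarch)$", line.strip())  # rpm -q
        if m:
            return m.group(1)
    raise ValueError("no installed openssl package found in output")


def assess(tool_output: str, distro: str) -> str:
    """'fixed' if the installed openssl is at or above the advisory's fixed version."""
    installed = installed_openssl_version(tool_output)
    return "fixed" if compare_versions(installed, FIXED_VERSIONS[distro]) >= 0 else "vulnerable"


# Constructed sample outputs (not captured from a real host).
SAMPLE_DPKG = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture Description
+++-==============-================-============-============================
ii  openssl        1.0.1e-2+deb7u4  amd64        Secure Sockets Layer toolkit
"""
SAMPLE_RPM = "openssl-1.0.1e-16.el6_5.7.x86_64\n"

if __name__ == "__main__":
    print("Debian Wheezy host:", assess(SAMPLE_DPKG, "debian-wheezy"))
    print("RHEL 6.5 host:", assess(SAMPLE_RPM, "rhel-6.5"))
```

On a real host, pipe the command output into `assess()` with the matching label; the version check only tells you whether the package is current, so a service that was started before the update still needs a restart.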
OpenSSL 0.97a and 0.98e (in RedHat/CentOS 5) are not vulnerable. According to RHSA-2014-0376, only RedHat 6.5 has a vulnerable version of OpenSSL.
Debian Squeeze is not vulnerable, as stated in Debian Security Advisory DSA-2896.
Other supported Ubuntu releases are not vulnerable, as per Ubuntu Security Notice USN-2165-1.
Fedora is changing rapidly, and the current status of the issue is available in the Fedora Magazine article.
Fixes for OpenSUSE are provided in OpenSUSE Security Announcement openSUSE-SU-2014:0492-1.
Instructions to update OpenSSL on the Management Node and Service Nodes are the same as those described for Parallels Automation (http://kb.sp.parallels.com/en/120984), with small differences.
The instructions for Parallels Plesk Automation are the following:
- Update OpenSSL on the Online Store, Parallels Plesk Automation Billing Application, and Parallels Plesk Automation Billing Database servers that are deployed on RHEL/CentOS 6.
- Update OpenSSL on all Parallels Plesk Automation nodes that are deployed on RHEL/CentOS 6:
~# yum clean all; yum update openssl*
- Restart Parallels Plesk Automation CP and the services running on the Management Node that are deployed on RHEL/CentOS 6:
~# /etc/init.d/ppa restart
- Reboot Parallels Plesk Automation slave nodes that are deployed on RHEL/CentOS 6 to restart all services which use OpenSSL.
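The reboot step exists because a process that loaded the old libssl/libcrypto keeps using it after `yum update` replaces the files on disk. As an added example (not part of the KB article or of Parallels' tooling), the following Python script finds such processes by scanning `/proc/<pid>/maps` for OpenSSL libraries that the kernel marks as `(deleted)`; it is a way to confirm, on the Management Node after `ppa restart` or on a slave node, that nothing is still running against the old library. The sample maps content is constructed, and the library path pattern assumes the usual RHEL 6 `/usr/lib64` layout.

```python
import os
import re
from typing import Dict, List

# A mapped shared object whose file was replaced on disk after the process loaded it
# is shown with a trailing "(deleted)" in /proc/<pid>/maps.
_STALE_LIB = re.compile(r"\s(/\S*lib(?:ssl|crypto)\.so\S*)\s+\(deleted\)\s*$")


def stale_openssl_mappings(maps_text: str) -> List[str]:
    """Return the distinct libssl/libcrypto paths mapped as '(deleted)' in one process's maps."""
    found: List[str] = []
    for line in maps_text.splitlines():
        m = _STALE_LIB.search(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def processes_with_stale_openssl(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Scan every readable /proc/<pid>/maps and report processes still holding the old OpenSSL.
    Run as root to see all processes; unreadable or vanished processes are skipped."""
    result: Dict[int, List[str]] = {}
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return result  # no procfs available (e.g. not running on Linux)
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                libs = stale_openssl_mappings(fh.read())
        except OSError:
            continue
        if libs:
            result[int(entry)] = libs
    return result


# Constructed sample of /proc/<pid>/maps for a service started before the update.
SAMPLE_MAPS = """\
7f2b1c3a0000-7f2b1c3fc000 r-xp 00000000 fd:01 131245   /usr/lib64/libssl.so.1.0.1e (deleted)
7f2b1c3fc000-7f2b1c5fb000 ---p 0005c000 fd:01 131245   /usr/lib64/libssl.so.1.0.1e (deleted)
7f2b1c1a0000-7f2b1c39f000 r-xp 00000000 fd:01 131240   /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f2b1d000000-7f2b1d1b8000 r-xp 00000000 fd:01 130000   /lib64/libc-2.12.so
7f2b1e000000-7f2b1e021000 rw-p 00000000 00:00 0        [stack]
"""

if __name__ == "__main__":
    print("sample process still maps:", stale_openssl_mappings(SAMPLE_MAPS))
    for pid, libs in sorted(processes_with_stale_openssl().items()):
        print(pid, libs)
```

An empty result from `processes_with_stale_openssl()` (run as root) means every OpenSSL-linked service has been restarted; any PID listed should be restarted or the node rebooted as the step above says.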
It is highly recommended to change the passwords of administrative staff after the update is finished.
SSL Certificate Revocations
We encourage all Parallels Business Automation Standard customers to revoke and reissue SSL certificates for at least the Store and CP domains. The procedure for revoking and reinstalling SSL certificates is out of the scope of this document.
- KB #121016 - summary article for all Parallels products