The OpenSSL group issued a vulnerability alert on June 5, 2014. You can find more information about CVE-2014-0224 at the OpenSSL website.
Fixes were provided for versions 0.9.8, 1.0.0 and 1.0.1:
- OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
- OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
- OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
This affects Parallels Containers for Windows with Parallels Dispatcher installed for management by PACI, because a few components are compiled with a vulnerable OpenSSL version. An updated OpenSSL will be included in the next hotfix.
This affects almost all services in a system that depend on OpenSSL (especially Apache-based ones), as well as systems created using one of the following distributions:
- Debian Wheezy (stable) (vulnerable OpenSSL 1.0.1e-2+deb7u7 and older, fixed in OpenSSL 1.0.1e-2+deb7u10)
- Ubuntu 14.04 LTS (vulnerable OpenSSL 1.0.1f-1ubuntu2.1 and older, fixed in OpenSSL 1.0.1f-1ubuntu2.2)
- Ubuntu 13.10 (vulnerable OpenSSL 1.0.1e-3ubuntu1.3 and older, fixed in OpenSSL 1.0.1e-3ubuntu1.4)
- Ubuntu 12.04 LTS (vulnerable OpenSSL 1.0.1-4ubuntu5.13 and older, fixed in OpenSSL 1.0.1-4ubuntu5.14)
The package version for Debian/Ubuntu can be checked using the command:
# dpkg -l openssl
- RedHat, CentOS, CloudLinux 6.5 (vulnerable OpenSSL 1.0.1e-16.el6_5.7 and older, fixed in OpenSSL 1.0.1e-16.el6_5.14)
- Fedora 19 (fixed in OpenSSL 1.0.1e-38.fc19)
- Fedora 20 (fixed in OpenSSL 1.0.1e-38.fc20)
The package version for RedHat/CentOS and Fedora can be checked using the command:
# rpm -q openssl
Operating system vendors have issued fixes, which have been incorporated by all major distributions. You must apply OpenSSL updates by installing new
- Connect to the server via SSH
# yum clean all; yum update openssl
- To apply the changes, restart the Apache and nginx services:
# service httpd restart; service nginx restart
Parallels Virtual Automation uses a non-vulnerable version of OpenSSL, but it also uses the system OpenSSL for web-based services via Apache.
PVA Power Panel uses the Apache web server running on the host, so OpenSSL must be updated and Apache restarted on the hardware node:
# service httpd restart
PVA Management Node uses the Apache and OpenSSL of the system it is installed on. Update the installation according to its type and restart the services:
in a container:
# vzctl update CTID
in a virtual machine or on a physical server:
# yum clean all; yum update
Applying the fix to containers
For existing containers:
# vzpkg update CTID
or a single package specifically:
# vzpkg install CTID -p openssl
Operating system template cache(s) should be recreated:
# vzpkg update cache DISTR-VER-ARCH
After the update is applied, all the services relying on OpenSSL should be restarted:
- Restart SSH server, OpenVPN, Apache, nginx.
- Restart any other services running on the host operating system dependent on OpenSSL.
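One way to confirm that no service is still running against the pre-update library after the restarts, as an added example that is not part of the original article. The function names, the optional proc_root parameter and the sample process tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes that still map a deleted, pre-update copy of
# libssl/libcrypto and therefore still need a restart.

# stale_openssl_pids [proc_root]
# proc_root defaults to /proc; the parameter is an assumption of this example
# so the scan can also be run against a constructed directory tree.
stale_openssl_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Once a package update replaces the library file on disk, the kernel
        # tags the old mapping with " (deleted)" in /proc/PID/maps.
        if grep -Eq '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            printf '%s %s\n' "${dir##*/}" "$(cat "$dir/comm" 2>/dev/null || echo '?')"
        fi
    done
}

# make_sample_proc: builds a constructed /proc-like tree (sample data, not real output)
make_sample_proc() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/812" "$root/1040" "$root/2201"
    echo httpd > "$root/812/comm"
    echo sshd  > "$root/1040/comm"
    echo crond > "$root/2201/comm"
    # httpd was started before the update: it holds the old, now deleted, file
    echo '7f3a10000000-7f3a10062000 r-xp 00000000 fd:00 131 /usr/lib64/libssl.so.1.0.1e (deleted)' > "$root/812/maps"
    # sshd was restarted after the update: it maps the current file
    echo '7f9b20000000-7f9b201b3000 r-xp 00000000 fd:00 977 /usr/lib64/libcrypto.so.1.0.1e' > "$root/1040/maps"
    # crond does not load OpenSSL at all
    echo '7f1c30000000-7f1c301b8000 r-xp 00000000 fd:00 402 /usr/lib64/libc-2.12.so' > "$root/2201/maps"
    echo "$root"
}

sample=$(make_sample_proc)
stale_openssl_pids "$sample"    # scan the constructed tree
rm -rf "$sample"
# On a real host, run as root with no argument:  stale_openssl_pids
```

Run it as root on the hardware node and inside each container; an empty result means every running process has picked up the updated library.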