The OpenSSL group has issued a vulnerability alert on June 5, 2014. You can find more information about CVE-2014-0224 at the Open SSL website.
Fix was provided for versions 0.9.8, 1.0.0 and 1.0.1:
- OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
- OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
- OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
This affects Parallels Containers for Windows with installed Parallels Dispatcher for management by PACI, and few components are compiled with vulnerable OpenSSL version. Updated OpenSSL will be included in the next hotfix.
This affects almost all services (especially Apache-based) in a system which depend on OpenSSL and those systems created using one of the following distributions:
- Debian Wheezy (stable) (vulnerable OpenSSL 1.0.1e-2+deb7u7 and older , fixed in OpenSSL 1.0.1e-2+deb7u10 )
- Ubuntu 14.04 LTS (vulnerable OpenSSL 1.0.1f-1ubuntu2.1 and older , fixed in OpenSSL 1.0.1f-1ubuntu2.2 )
- Ubuntu 13.10 (vulnerable OpenSSL 1.0.1e-3ubuntu1.3 and older , fixed in OpenSSL 1.0.1e-3ubuntu1.4 )
Ubuntu 12.04 LTS (vulnerable OpenSSL 1.0.1-4ubuntu5.13 and older , fixed in OpenSSL 1.0.1-4ubuntu5.14 )
The package version for Debian/Ubuntu can be checked using the command:
~# dpkg -l openssl
RedHat, CentOS, CloudLinux 6.5 (vulnerable OpenSSL 1.0.1e-16.el6_5.7 and older , fixed in OpenSSL 1.0.1e-16.el6_5.14 )
- Fedora 19 (fixed in OpenSSL 1.0.1e-38.fc19 )
Fedora 20 (fixed in OpenSSL 1.0.1e-38.fc20 )
The package version for Redhat/CentOS and Fedora can be checked using the command:
~# rpm -q openssl
Hardware node update
Operating system vendors have issued fixes, which have been incorporated by all major distributions. You must apply OpenSLL updates by installing new
~# yum clean all; yum update openssl
Note: PSBM, PCS and PVC for Windows use SSL for internal communication with Dispatcher only, this significantly decreases risk of compromise but anyway it is highly recommended to apply fixes for SSL as it might be used by some other 3rd party services.
PVA Power Panel and PVA MN
Parallels Virtual Automation uses not vulnerable version of OpenSSL, and also it uses system OpenSSL for web-based services via Apache.
PVA Power Panel uses Apache web-server running on the host, update OpenSSL and restart of Apache on the hardware node is needed:
~# service httpd restart
PVA Management Node uses Apache and OpenSSL of the system it is installed into, update the installation according to its type and restart services:
in a container:
~# vzctl update CTID
in a virtual machine or on a physical server:
~# yum clean all; yum update
Applying fix to containers
For existing containers:
~# vzpkg update CTID
or a single package specifically:
~# vzpkg install CTID -p openssl
Operating system template cache(s) should be recreated:
~# vzpkg update cache DISTR-VER-ARCH
After the update is applied all the services relying on OpenSSL should be restarted:
- Restart SSH server, OpenVPN, Apache.
- Restart any other services running on the host operating system dependent on OpenSSL.