Greetings, Fedora community:
We're aware of the recently disclosed CVE-2014-0160 (aka "Heartbleed"):
https://bugzilla.redhat.com/show_bug.cgi?id=1085065 (openssl)
https://bugzilla.redhat.com/show_bug.cgi?id=1085066 (mingw-openssl)
The issue affects the currently supported Fedora 19 and Fedora 20 releases. Updates for openssl packages are available now, and mirrors near you will receive them shortly. If you do not want to wait for your local mirror to get updates, you can retrieve and install packages directly:
For Fedora 19 x86_64:
    yum -y install koji
    koji download-build --arch=x86_64 openssl-1.0.1e-37.fc19.1
    yum localinstall openssl-1.0.1e-37.fc19.1.x86_64.rpm
For Fedora 20 x86_64:
    yum -y install koji
    koji download-build --arch=x86_64 openssl-1.0.1e-37.fc20.1
    yum localinstall openssl-1.0.1e-37.fc20.1.x86_64.rpm
Substitute i686 for 32-bit systems, or armv7hl for ARM systems (F20 only).
Package updates for mingw-openssl will receive fixes shortly and we'll update the community when they are available. Note that Fedora 18, which is no longer supported by the Fedora community, is also affected by this issue. Fedora 17 and previous releases, also no longer supported, are not affected by this issue.
Fedora Release Engineering is currently regenerating AMIs and qcow2/kvm images to include the fix.
The Fedora Infrastructure team is working to assess any additional impact, and will update the community as we develop more information.
Thanks for your patience as we work on this issue.
ACKNOWLEDGMENTS: Special thanks to Dennis Gilmore for quickly providing package updates, and Major Hayden for providing the manual update guidance above.
-Robyn Bergeron
----- Original Message -----
From: "Robyn Bergeron" rbergero@redhat.com
To: announce@lists.fedoraproject.org
Sent: Monday, April 7, 2014 8:01:24 PM
Subject: Status on CVE-2014-0160, aka "Heartbleed"
Greetings, Fedora community:
We're aware of the recently disclosed CVE-2014-0160 (aka "Heartbleed"):
https://bugzilla.redhat.com/show_bug.cgi?id=1085065 (openssl)
https://bugzilla.redhat.com/show_bug.cgi?id=1085066 (mingw-openssl)
The issue affects the currently supported Fedora 19 and Fedora 20 releases. Updates for openssl packages are available now, and mirrors near you will receive them shortly. If you do not want to wait for your local mirror to get updates, you can retrieve and install packages directly:
For Fedora 19 x86_64:
    yum -y install koji
    koji download-build --arch=x86_64 openssl-1.0.1e-37.fc19.1
    yum localinstall openssl-1.0.1e-37.fc19.1.x86_64.rpm
For Fedora 20 x86_64:
    yum -y install koji
    koji download-build --arch=x86_64 openssl-1.0.1e-37.fc20.1
    yum localinstall openssl-1.0.1e-37.fc20.1.x86_64.rpm
Substitute i686 for 32-bit systems, or armv7hl for ARM systems (F20 only).
Additionally, if you would like signed packages, you can retrieve and install those signed packages directly as well:
For Fedora 19 x86_64:
    yum -y install koji
    koji download-build --key=fb4b18e6 --arch=x86_64 openssl-1.0.1e-37.fc19.1
    yum localinstall openssl-1.0.1e-37.fc19.1.x86_64.rpm
For Fedora 20 x86_64:
    yum -y install koji
    koji download-build --key=246110c1 --arch=x86_64 openssl-1.0.1e-37.fc20.1
    yum localinstall openssl-1.0.1e-37.fc20.1.x86_64.rpm
Package updates for mingw-openssl will receive fixes shortly and we'll update the community when they are available. Note that Fedora 18, which is no longer supported by the Fedora community, is also affected by this issue. Fedora 17 and previous releases, also no longer supported, are not affected by this issue.
Fedora Release Engineering is currently regenerating AMIs and qcow2/kvm images to include the fix.
The Fedora Infrastructure team is working to assess any additional impact, and will update the community as we develop more information.
Thanks for your patience as we work on this issue.
ACKNOWLEDGMENTS: Special thanks to Dennis Gilmore for quickly providing package updates, and Major Hayden for providing the manual update guidance above.
-Robyn Bergeron
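Added example, not part of the announcement or of any Fedora tooling: a check that an installed openssl build is at or past the fixed build the announcement names for that Fedora release. The function names, the --host switch and the use of sort -V in place of rpm's own version comparison are assumptions of this example.

```shell
#!/bin/sh
# Fixed openssl builds named in the announcement (Fedora 19 and 20 only).
fixed_build() {
    case "$1" in
        19) echo "1.0.1e-37.fc19.1" ;;
        20) echo "1.0.1e-37.fc20.1" ;;
        *)  return 1 ;;  # release not covered by the announcement
    esac
}

# is_fixed RELEASE VERSION-RELEASE
# Returns 0 if the build is at or past the fix, 1 if it is older, 2 if the
# release has no fixed build listed above.
# Assumption: "sort -V" ordering is used in place of rpm's own version
# comparison, which is sufficient for the build strings compared here.
is_fixed() {
    fixed=$(fixed_build "$1") || return 2
    lowest=$(printf '%s\n%s\n' "$2" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# check_host: apply is_fixed to the openssl package installed on this machine.
check_host() {
    rel=$(rpm -E '%{fedora}')
    # head -n 1: a multilib system can list the package once per architecture
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl | head -n 1)
    rc=0
    is_fixed "$rel" "$vr" || rc=$?
    case "$rc" in
        0) echo "openssl-$vr: contains the CVE-2014-0160 fix" ;;
        1) echo "openssl-$vr: older than $(fixed_build "$rel"), update needed" ;;
        *) echo "Fedora $rel: no fixed build listed in the announcement" ;;
    esac
    return "$rc"
}

# Query the local system only when asked to, for example:
#   sh check-openssl.sh --host      (hypothetical file name)
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```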