Amazon Linux AMI Security Advisory: ALAS-2014-426
Advisory Release Date: 2014-10-14 23:34 Pacific
Bodo Moller, Thai Duong and Krzysztof Kotowicz of Google discovered a flaw in the design of SSL version 3.0 that would allow an attacker to calculate the plaintext of secure connections, allowing, for example, secure HTTP cookies to be stolen.
We have backfilled our 2014.03, 2013.09, and 2013.03 Amazon Linux AMI repositories with updated openssl packages that fix CVE-2014-3566.
For 2014.09 Amazon Linux AMIs, openssl-1.0.1i-1.79.amzn1 addresses this CVE. Running yum clean all followed by yum update openssl will install the fixed package.
For Amazon Linux AMIs "locked" to the 2014.03 repositories, openssl-1.0.1i-1.79.amzn1 also addresses this CVE. Running yum clean all followed by yum update openssl will install the fixed package.
For Amazon Linux AMIs "locked" to the 2013.09 or 2013.03 repositories, openssl-1.0.1e-4.60.amzn1 addresses this CVE. Running yum clean all followed by yum update openssl will install the fixed package.
If you are using a pre-2013.03 Amazon Linux AMI, we encourage you to move to a newer version of the Amazon Linux AMI as soon as possible.
Run yum update openssl to update your system. Note that you may need to run yum clean all first.
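The following added example (not part of the Amazon advisory) checks an installed openssl version-release string against the fixed package this advisory lists for each repository. The function names and the sample inputs are constructed for illustration, and GNU sort -V is assumed as an approximation of rpm's version ordering.

```shell
#!/bin/bash
# On a real host the installed value would come from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl

# Fixed version-release per repository, as listed in the advisory text.
fixed_for_release() {
  case "$1" in
    2014.09|2014.03) echo "1.0.1i-1.79.amzn1" ;;
    2013.09|2013.03) echo "1.0.1e-4.60.amzn1" ;;
    *) return 1 ;;  # pre-2013.03 or unknown: the advisory lists no package
  esac
}

# ver_ge A B: succeeds when A sorts at or after B under sort -V (assumption:
# GNU coreutils; this approximates, but is not, rpm's own comparison).
ver_ge() {
  [ "$1" = "$2" ] && return 0
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_openssl RELEASE INSTALLED -> ok | needs-update | no-fix-listed
# Version is compared first; release only breaks a tie, as rpm does.
check_openssl() {
  fixed=$(fixed_for_release "$1") || { echo no-fix-listed; return 0; }
  inst_ver=${2%-*}; inst_rel=${2##*-}
  fix_ver=${fixed%-*}; fix_rel=${fixed##*-}
  if [ "$inst_ver" != "$fix_ver" ]; then
    if ver_ge "$inst_ver" "$fix_ver"; then echo ok; else echo needs-update; fi
  elif ver_ge "$inst_rel" "$fix_rel"; then echo ok
  else echo needs-update
  fi
}

# Constructed sample inputs: repository release, installed version-release.
while read -r rel evr; do
  printf '%s %s -> %s\n' "$rel" "$evr" "$(check_openssl "$rel" "$evr")"
done <<'EOF'
2014.09 1.0.1i-1.79.amzn1
2014.03 1.0.1i-1.78.amzn1
2013.09 1.0.1e-4.58.amzn1
2012.09 1.0.0k-1.1.amzn1
EOF
```

A result of needs-update means the package is below the version the advisory names for that repository, which is the case yum clean all followed by yum update openssl resolves.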