ALAS-2014-426


Amazon Linux AMI Security Advisory: ALAS-2014-426
Advisory Release Date: 2014-10-14 23:34 Pacific
Severity: Important
References: CVE-2014-3566 

Issue Overview:

Bodo Moller, Thai Duong and Krzysztof Kotowicz of Google discovered a flaw in the design of SSL version 3.0 that would allow an attacker to calculate the plaintext of secure connections, allowing, for example, secure HTTP cookies to be stolen.

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf


Special notes:

We have backfilled our 2014.03, 2013.09, and 2013.03 Amazon Linux AMI repositories with updated openssl packages that fix CVE-2014-3566.

For 2014.09 Amazon Linux AMIs, openssl-1.0.1i-1.79.amzn1 addresses this CVE. Running yum clean all followed by yum update openssl will install the fixed package.

For Amazon Linux AMIs "locked" to the 2014.03 repositories, openssl-1.0.1i-1.79.amzn1 also addresses this CVE. Running yum clean all followed by yum update openssl will install the fixed package.

For Amazon Linux AMIs "locked" to the 2013.09 or 2013.03 repositories, openssl-1.0.1e-4.60.amzn1 addresses this CVE. Running yum clean all followed by yum update openssl will install the fixed package.

If you are using a pre-2013.03 Amazon Linux AMI, we encourage you to move to a newer version of the Amazon Linux AMI as soon as possible.


Affected Packages:

openssl


Issue Correction:
Run yum update openssl to update your system. Note that you may need to run yum clean all first.
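
To confirm after the update that a host carries the fixed build for its repository, the following check compares an installed openssl version-release string against the versions listed under Special notes. It is an added example, not part of the original advisory or Amazon's tooling; the function names are hypothetical, the comparison is a simplified re-implementation of RPM's segment-wise ordering, and the sample installed versions are constructed.

```python
import re

# Fixed openssl version-release per repository, taken from the advisory text.
FIXED = {
    "2014.09": "1.0.1i-1.79.amzn1",
    "2014.03": "1.0.1i-1.79.amzn1",
    "2013.09": "1.0.1e-4.60.amzn1",
    "2013.03": "1.0.1e-4.60.amzn1",
}

def rpmvercmp(a, b):
    """Segment-wise compare in the style of RPM's rpmvercmp: -1, 0 or 1.
    Simplified: no epoch, '~' or '^' handling (none appear in these packages)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)   # separators such as '.' are dropped
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1          # a numeric segment is newer than letters
        if x_num:
            x, y = int(x), int(y)              # 60 > 9, leading zeros ignored
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def compare_vr(a, b):
    """Compare two 'version-release' strings, version first, then release."""
    a_ver, _, a_rel = a.partition("-")
    b_ver, _, b_rel = b.partition("-")
    return rpmvercmp(a_ver, b_ver) or rpmvercmp(a_rel, b_rel)

def is_fixed(repo, installed_vr):
    """True if installed_vr is at or above the fixed build for that repository."""
    if repo not in FIXED:
        # Pre-2013.03 repositories have no fixed package listed in the advisory.
        raise ValueError("no fixed openssl listed for repository %r" % repo)
    return compare_vr(installed_vr, FIXED[repo]) >= 0

if __name__ == "__main__":
    # Constructed sample inputs; on a host, obtain the value with
    #   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
    for repo, vr in [("2014.09", "1.0.1i-1.79.amzn1"),
                     ("2014.03", "1.0.1h-1.73.amzn1"),
                     ("2013.09", "1.0.1e-4.58.amzn1")]:
        print(repo, vr, "fixed" if is_fixed(repo, vr) else "NOT fixed: yum update openssl")
```
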

New Packages:
i686:
    openssl-1.0.1i-1.79.amzn1.i686
    openssl-debuginfo-1.0.1i-1.79.amzn1.i686
    openssl-perl-1.0.1i-1.79.amzn1.i686
    openssl-devel-1.0.1i-1.79.amzn1.i686
    openssl-static-1.0.1i-1.79.amzn1.i686

src:
    openssl-1.0.1i-1.79.amzn1.src

x86_64:
    openssl-debuginfo-1.0.1i-1.79.amzn1.x86_64
    openssl-static-1.0.1i-1.79.amzn1.x86_64
    openssl-perl-1.0.1i-1.79.amzn1.x86_64
    openssl-devel-1.0.1i-1.79.amzn1.x86_64
    openssl-1.0.1i-1.79.amzn1.x86_64