Tuesday, May 3, 2016

Security notification: OpenSSL 1.0.2h / 1.0.1t

A new security vulnerability was recently discovered in certain versions of OpenSSL. More information about the vulnerability is available on the OpenSSL website: https://www.openssl.org/news/secadv/20160503.txt

There are two high security issues that do not affect Bitnami installations:

1. Memory corruption in the ASN.1 encoder (CVE-2016-2108).

  • All of the currently released Bitnami stacks use an OpenSSL version greater than the affected versions: 1.0.2c or 1.0.1o.

2. Padding oracle in AES-NI CBC MAC check (CVE-2016-2107). 

  • The OpenSSL we ship with the Bitnami installers, virtual machines and cloud images does not enable AES-NI encryption.

The Bitnami team will continue working on updating OpenSSL to 1.0.2h for all Bitnami apps, however, to be clear, the two security issues above do not affect our applications that are currently available.