Thursday, September 22, 2016

Security notification: OpenSSL OCSP Status Request Extension Unbounded Memory Growth (CVE-2016-6304)


[UPDATE 2016-10-13]

BCH images have been updated properly. You can now launch new servers that mitigate the vulnerability.

[UPDATE 2016-10-07]

All the affected cloud images, virtual machines and native installers have been successfully patched.

If you are using a Bitnami Cloud Hosting instance, you can easily patch it following the guide below while we upgrade the base images.

[UPDATE 2016-09-26]

The OpenSSL team announced the release of version 1.0.2j, which patches a missing CRL sanity check issue affecting only version 1.0.2i (CVE-2016-7052). As a result of this issue, any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.

To update to the new OpenSSL version, please follow the instructions in our documentation system. 

The Bitnami Team will continue working on updating the Cloud Images, Virtual Machines and Native Installers using the latest released version.

[UPDATE 2016-09-23]

The Bitnami Team is happy to announce that our images on Google, Azure, Oracle (Ubuntu) and AWS Marketplace have been properly updated. Additionally, we will continue to work on releasing the images for all of our cloud platform partners, virtual machines and the native installers.

----

A new security vulnerability was recently discovered in certain versions of OpenSSL. More information about the vulnerability is available on the OpenSSL website: https://www.openssl.org/news/secadv/20160922.txt

Any Bitnami-packaged application using an affected OpenSSL version (prior to 1.0.1u, 1.0.2i or 1.1.0a) is vulnerable.

To secure your server, you need to update both the OpenSSL version included in the system and the OpenSSL library included in the Bitnami installation. Please take a moment to update your existing installations of Bitnami-packaged applications by following the instructions in our documentation system.
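Because both the system OpenSSL and the copy bundled with the Bitnami installation must be updated, it helps to check the output of `openssl version` from each binary against the fixed releases listed above. The following is an added example, not Bitnami's or OpenSSL's own code; the status labels and the sample lines are constructed for illustration.

```python
import re

# Fixed releases for CVE-2016-6304 per branch, as listed in this advisory.
FIXED = {"1.0.1": "u", "1.0.2": "i", "1.1.0": "a"}
# 1.0.2i carries the CRL crash (CVE-2016-7052); 1.0.2j corrects it.
CRL_REGRESSION = ("1.0.2", "i")

# Matches e.g. "OpenSSL 1.0.2h  3 May 2016" or "OpenSSL 1.0.2k-fips ..."
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def letter_rank(suffix):
    """Order OpenSSL patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(suffix), suffix)


def classify(version_line):
    """Classify one line of `openssl version` output against the advisory.

    Returns a hypothetical status label: 'vulnerable', 'patched',
    'update-to-1.0.2j', or 'unknown' (unparseable, or a branch this
    page does not list).
    """
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown"
    branch, letter = m.groups()
    if branch not in FIXED:
        return "unknown"
    if letter_rank(letter) < letter_rank(FIXED[branch]):
        return "vulnerable"
    if (branch, letter) == CRL_REGRESSION:
        return "update-to-1.0.2j"
    return "patched"


# Constructed sample outputs, one per binary checked (system and bundled).
SAMPLES = [
    "OpenSSL 1.0.1t  3 May 2016",
    "OpenSSL 1.0.2i  22 Sep 2016",
    "OpenSSL 1.0.2j  26 Sep 2016",
    "OpenSSL 1.1.0  25 Aug 2016",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line):18} {line}")
```

Run `openssl version` with the system binary and with the one inside the Bitnami installation directory, and pass each output line to `classify`.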

If you have any questions about this process, please post to our community support forum and we will be happy to help!