Late last week, a new security vulnerability (CVE-2015-1793) was disclosed in the most recent versions of the OpenSSL package. While there was some initial alarm on the internet about this, a calm assessment leads us to state that there is no reason for QRIScloud users to be concerned.
The only mainstream Linux distributions that vulnerable are Fedora 21 and Fedora 22:
- Current and older distributions of CentOS, Scientific Linux, Ubuntu and Debian do not use the vulnerable versions of OpenSSL.
- Fedora is not used in QRIScloud infrastructure.
- Few QRIScloud users use Fedora in their NeCTAR instances.
- Security patches for Fedora 21 and 22 are now available through the normal updates channel. (Just run "sudo yum update", and then reboot your instance.)
In addition, we understand that this vulnerability has little impact on the way that SSL is normally used. In particular, it presents no risk of break-in to your instances, even if you are running Fedora.
In short, there is no need to worry. We simply recommend that you apply security patches to your NeCTAR instances regularly. (If you haven't done this recently, now would be a good time.)