2014-04-08 Instructure Advisory IAC83502 - HeartBleed TLS Vulnerability

jordan
Instructure Alumni

    SECURITY UPDATE


  Release Date: 2014-04-08 (Last update can be found below the document title)
  Description: Update on CVE-2014-0160 (aka "the heartbleed bug")
  Criticality Level: Moderately Critical (scale: Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact: Potential Exposure of Sensitive Data
  Systems Affected: Canvas LMS
  Solution Status: Closed/Resolved
  Discovered By: IT security teams at Codenomicon and Google
  Relevant Changesets:

Summary:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

Status:

Amazon has confirmed that all vulnerable hosted services have been patched against the heartbleed bug. All SSL certificates and private keys for the *.instructure.com domain were replaced at 12:00 PM MT on April 10, 2014. We continue to work with organizations that have "vanity" URLs (e.g. canvas.organization-name.com) to replace their SSL certificates and private keys.
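Because a private key that sat in memory on a vulnerable host has to be treated as exposed, the practical check for an administrator of a "vanity" URL is whether the certificate currently served was issued after the key rotation described above. The following script is an added example, not Instructure's code: it takes the certificate dictionary that Python's `ssl.SSLSocket.getpeercert()` returns, parses its `notBefore` field, and compares it against the rotation time stated in this advisory. Assumptions: 12:00 PM MT on April 10, 2014 is Mountain Daylight Time, i.e. 18:00 UTC; the sample certificate dictionaries are constructed for illustration; the helper name `fetch_peer_cert` is this example's own.

```python
"""Check whether a served TLS certificate post-dates the Heartbleed key rotation.

Added example (not Instructure's code). Works on the dict shape returned by
ssl.SSLSocket.getpeercert(), so it can be run offline on stored values or
against a live host via fetch_peer_cert().
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Advisory: keys and certificates were replaced at 12:00 PM MT on 2014-04-10.
# Assumption: Mountain Time on that date is MDT (UTC-6), so the cutoff is
# 18:00 UTC. Anything issued before this instant may carry an exposed key.
ROTATION_CUTOFF = datetime(2014, 4, 10, 18, 0, 0, tzinfo=timezone.utc)

# Constructed sample certificates in getpeercert() format (not real certs).
SAMPLE_CERTS = {
    # Issued months before the bug was disclosed: key must be assumed exposed.
    "stale": {"notBefore": "Jan 15 00:00:00 2014 GMT",
              "notAfter": "Jan 15 23:59:59 2015 GMT"},
    # Issued one second before the rotation instant: still old.
    "edge": {"notBefore": "Apr 10 17:59:59 2014 GMT",
             "notAfter": "Apr 10 23:59:59 2015 GMT"},
    # Issued after the rotation: fresh key.
    "fresh": {"notBefore": "Apr 10 18:30:00 2014 GMT",
              "notAfter": "Apr 10 23:59:59 2015 GMT"},
}


def not_before(cert):
    """Return the certificate's notBefore as an aware UTC datetime.

    getpeercert() renders dates like 'Apr 10 18:30:00 2014 GMT';
    ssl.cert_time_to_seconds() parses exactly that format as UTC.
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def issued_after_rotation(cert, cutoff=ROTATION_CUTOFF):
    """True if the certificate was issued at or after the rotation cutoff."""
    return not_before(cert) >= cutoff


def assess(cert, cutoff=ROTATION_CUTOFF):
    """Return a one-line verdict suitable for a report or log line."""
    issued = not_before(cert).isoformat()
    if issued_after_rotation(cert, cutoff):
        return f"ok: certificate issued {issued}, after rotation"
    return (f"replace: certificate issued {issued}, before rotation "
            f"cutoff {cutoff.isoformat()}")


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a live server presents (network call).

    Hypothetical helper for this example; uses only stdlib ssl/socket.
    Certificate validation is left on so a forged chain is rejected.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} <hostname>")
        sys.exit(2)
    print(assess(fetch_peer_cert(sys.argv[1])))
```

Run it with the hostname of the vanity URL (for example `python check_cert.py canvas.organization-name.com`); a `replace:` verdict means the certificate still predates the rotation and should be reissued with a new key, not merely renewed.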

Further Information:

http://heartbleed.com/

http://www.openssl.org/news/secadv_20140407.txt (published 7th of April 2014, ~17:30 UTC)

http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities (published 7th of April 2014, ~18:00 UTC)

http://heartbleed.com (published 7th of April 2014, ~19:00 UTC)

http://www.ubuntu.com/usn/usn-2165-1/

http://www.freshports.org/security/openssl/

https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

https://rhn.redhat.com/errata/RHSA-2014-0376.html

http://lists.centos.org/pipermail/centos-announce/2014-April/020249.

https://lists.fedoraproject.org/pipermail/announce/2014-April/00320.

http://www.kb.cert.org/vuls/id/720951

https://www.cert.fi/en/reports/2014/vulnerability788210.html

https://www.cert.at/warnings/all/20140408.html

http://www.circl.lu/pub/tr-21/