OpenSSL 1.0.1g fixes critical vulnerability

OpenSSL 1.0.1g packages are now available via Anaconda. These packages patch the “heartbleed” vulnerability described in CVE-2014-0160. This is a critical update and we strongly recommend that all Anaconda users - especially those in corporate or sensitive environments - follow the steps outlined here.

Versions Affected

Vulnerable OpenSSL versions are those from 1.0.1 to 1.0.1f inclusive. Version 1.0.1g and forward contain the fix. Other versions of OpenSSL not in the 1.0.1 release branch, such as 1.0.0 or 0.9.8, are not vulnerable.

Impact

As this vulnerability can be exploited in such a way as to silently steal private keys from X.509 certificates, which are used by SSL/TLS to encrypt traffic, it is imperative that you update your conda environments immediately.

Updating

• To check if your conda environment has the vulnerable OpenSSL package, use the following command, substituting in your own environment name. If the output shows openssl 1.0.1c, you must update.

conda list -n ENVIRONMENT_NAME openssl

• To update a single conda environment, use the following command, substituting in your own environment name:

conda update -n ENVIRONMENT_NAME openssl

• To update all conda environments created in the default location, UNIX users can use the following command, which has been tested using both BSD and GNU awk:

conda info -e | \
awk 'NF && !/^[[:space:]]*#/ { print $1 }' | \
while read i ; do conda update -n "${i}" openssl ; done

• If you’ve created conda environments in non-standard directories, use the following, substituting in the absolute path to your conda environment:

conda update -p /absolute/path/to/your/environment openssl

• If you’re brave, you can remove the confirmation step by adding --yes to each of these commands.
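
The following POSIX shell functions are an added example, not part of the original advisory: they encode the affected range stated above (1.0.1 through 1.0.1f vulnerable, 1.0.1g and later fixed, other branches unaffected) and apply it to constructed "conda list" and "conda info -e" output, so the check runs offline without calling conda. The sample output lines and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Continuum's code). Classifies OpenSSL version strings
# per the advisory's affected range and parses constructed conda output.

# Returns 0 (true) if VERSION is in the vulnerable 1.0.1 .. 1.0.1f range.
openssl_is_vulnerable() {
    case "$1" in
        1.0.1)       return 0 ;;   # bare 1.0.1, no letter suffix
        1.0.1[a-f])  return 0 ;;   # 1.0.1a .. 1.0.1f
        *)           return 1 ;;   # 1.0.1g and later, 1.0.0, 0.9.8, ...
    esac
}

# Reads "conda list -n ENV openssl" output on stdin; prints one line per
# openssl package: "VULNERABLE <ver>" or "ok <ver>". Column 2 is the version.
check_conda_list() {
    awk '$1 == "openssl" { print $2 }' | while read -r ver; do
        if openssl_is_vulnerable "$ver"; then
            echo "VULNERABLE $ver"
        else
            echo "ok $ver"
        fi
    done
}

# Reads "conda info -e" output on stdin and prints environment names,
# using the same filter as the awk one-liner above: skip blank lines and
# comment lines, keep the first column.
env_names() {
    awk 'NF && !/^[[:space:]]*#/ { print $1 }'
}

# Constructed sample of "conda info -e" output (not real output).
SAMPLE_ENVS='# conda environments:
#
root                  *  /home/user/anaconda
analysis                 /home/user/anaconda/envs/analysis
'

# Constructed sample of "conda list -n root openssl" output (not real output).
SAMPLE_LIST='# packages in environment at /home/user/anaconda:
#
openssl                   1.0.1c                        0
'

# Demo: list the environments, then classify the sample package line.
printf '%s' "$SAMPLE_ENVS" | env_names
printf '%s' "$SAMPLE_LIST" | check_conda_list
```

On a live system the two awk filters would be fed by the real conda commands instead of the constructed samples.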

Next Steps

Continuum will issue any subsequent updates as necessary to keep users safe.

We are currently building new Anaconda installers that include this fix, and will announce on our blog when they are available. Until then, please update new Anaconda installs using the steps outlined above immediately after installation completes.

UPDATE: Anaconda 1.9.2 was released on Wednesday, April 9th. It contains OpenSSL 1.0.1g, which fixes the heartbleed bug. 'conda update anaconda' can be used to update to this newest version and get the fix. All future new downloads of Anaconda from the site will contain this fix.

