Security Notice for June 5th OpenSSL Vulnerability Disclosure
Time to read: 1 minute
June 05, 2014
Written by
Early Thursday, 5 June 2014, the OpenSSL team released an advisory detailing seven vulnerabilities affecting all maintained branches of OpenSSL. Our engineering team responded to the disclosure early this morning and completed the upgrade of our public-facing production infrastructure at 3:30 PM PDT.
All our public endpoints are upgraded to protect against CVE-2014-0224 and the other vulnerabilities disclosed today.
In addition, the versions of OpenSSL shipped with our Twilio Client SDKs for iOS and Android are upgraded and available here:
While we encourage our customers to upgrade to the latest versions of the Client SDKs as quickly as prudence demands, the upgrades to our public endpoints are sufficient to mitigate the vulnerability. No Twilio Client apps are currently vulnerable.
Like the previous OpenSSL disclosure in April, we advise all our customers to upgrade the production hosts for their Twilio applications. Patched versions of OpenSSL are available here or through your distribution’s package manager.
Further Resources For Help
For more information on this vulnerability, here are a few resources we found helpful:
- Original disclosure from the OpenSSL team
- Adam Langley’s analysis of the ChangeCipherSpec man-in-the-middle vulnerability.
- Masashi Kikuchi’s writeup on how he originally discovered the CCS vulnerability.
If you have any questions about this security notice, please reach out to our support team at help@twilio.com.
Related Resources
Twilio Docs
From APIs to SDKs to sample apps
API reference documentation, SDKs, helper libraries, quickstarts, and tutorials for your language and platform.
Resource Center
The latest ebooks, industry reports, and webinars
Learn from customer engagement experts to improve your own communication.
Ahoy
Twilio's developer community hub
Best practices, code samples, and inspiration to build communications and digital engagement experiences.