Amazon Linux AMI Security Advisory: ALAS-2014-320
Advisory Release Date: Apr 7, 2014
References: CVE-2014-0160, OpenSSL upstream notification, heartbleed.com
A missing bounds check was found in the way OpenSSL handled TLS heartbeat extension packets. This flaw could be used to reveal up to 64k of memory from a connected client or server.
This issue affects any Amazon Linux AMI on which openssl 1.0.1 is installed, which is any Amazon Linux AMI 2013.03 or later, and any Amazon Linux AMI that has been upgraded to 2013.03 or later. OpenSSL is installed by default on the Amazon Linux AMI.
Run yum update openssl to update your system. Once the new package is installed, you must either manually restart all services that are using openssl or reboot your instance. Although the new package is still named openssl-1.0.1e, it contains the fix for CVE-2014-0160.
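A process started before the update keeps the old library mapped until it restarts, so the restart step can be verified instead of assumed. The script below is an added example, not part of the advisory or of Amazon's tooling: it lists processes that still map a replaced libssl or libcrypto, and checks the package changelog for the CVE, since the package name alone does not show the fix. The function names are hypothetical, the /proc/PID/maps excerpts are constructed, and it assumes the package changelog names the CVE id.

```shell
#!/bin/sh
# Added example: find processes that still map the pre-update OpenSSL libraries.

# Succeeds if the maps file at $1 shows a libssl/libcrypto mapping whose
# backing file was unlinked (replaced by the update) while still loaded.
maps_has_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$1"
}

# Succeeds if changelog text on stdin mentions the CVE. Intended use:
#   rpm -q --changelog openssl | changelog_has_fix
# Assumption: the package changelog names the CVE id.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# Prints "PID COMMAND" for each running process that needs a restart.
# Run as root so other users' /proc/PID/maps are readable.
list_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if maps_has_stale_openssl "$maps" 2>/dev/null; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Constructed /proc/PID/maps excerpts (not captured from a real host).
sample_maps_stale() {
    cat <<'EOF'
7f3a1c000000-7f3a1c05c000 r-xp 00000000 ca:01 393301 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1be00000-7f3a1bfb3000 r-xp 00000000 ca:01 393299 /usr/lib64/libcrypto.so.1.0.1e (deleted)
EOF
}
sample_maps_fresh() {
    cat <<'EOF'
7f9d24000000-7f9d2405c000 r-xp 00000000 ca:01 401122 /usr/lib64/libssl.so.1.0.1e
7f9d23e00000-7f9d23fb3000 r-xp 00000000 ca:01 401120 /usr/lib64/libcrypto.so.1.0.1e
EOF
}

# Scan the live system only when asked: sh check.sh --scan
if [ "${1:-}" = "--scan" ]; then list_stale_processes; fi
```

An empty result from the --scan run after restarting services means no running process still holds the old library.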