OpenSSL vulnerability (CVE-2014-0224)
-
- Posts: 10
- Joined: 2014/11/19 19:30:22
Re: OpenSSL vulnerability (CVE-2014-0224)
httpd (Apache) was restarted before the scans.
As for the locate command, I am on a different machine not on the ACL so I can't run the command, but I see libssl.so.4 & libssl.so.6 in /lib and /lib64 in the file system.
I much appreciate you giving your attention to this!
S.
-
- Posts: 10
- Joined: 2014/11/19 19:30:22
Re: OpenSSL vulnerability (CVE-2014-0224)
The openssl helper service was restarted as well.
Re: OpenSSL vulnerability (CVE-2014-0224)
We'd need the info about libssl from the machine itself. The idea is to find copies of openssl that have been installed outside the package management system and that might be picked up in preference to the system-supplied copy.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
-
- Posts: 10
- Joined: 2014/11/19 19:30:22
Re: OpenSSL vulnerability (CVE-2014-0224)
I see.
Below is the output from the command.
====================================
root@mail [~]# locate libssl.so
/lib/.libssl.so.0.9.8e.hmac
/lib/.libssl.so.6.hmac
/lib/libssl.so.0.9.8e
/lib/libssl.so.4
/lib/libssl.so.6
/lib64/.libssl.so.0.9.8e.hmac
/lib64/.libssl.so.6.hmac
/lib64/libssl.so.0.9.8e
/lib64/libssl.so.4
/lib64/libssl.so.6
/usr/lib/libssl.so
/usr/lib64/libssl.so
==================================
Does it look like something is in the way of the latest patch?
Thank you very much for your help.
S.
-
- Posts: 10642
- Joined: 2005/08/05 15:19:54
- Location: Northern Illinois, USA
Re: OpenSSL vulnerability (CVE-2014-0224)
libssl.so.4 is not a CentOS library.
-
- Posts: 10
- Joined: 2014/11/19 19:30:22
Re: OpenSSL vulnerability (CVE-2014-0224)
A more extensive search found one more file, not a directory.
/usr/lib64/libssl.so.1.0.0 463517 bytes
-
- Posts: 10
- Joined: 2014/11/19 19:30:22
Re: OpenSSL vulnerability (CVE-2014-0224)
gerald_clark wrote: libssl.so.4 is not a CentOS library.
Could it be the cause of the patch not sticking?
Re: OpenSSL vulnerability (CVE-2014-0224)
You have at least two rogue copies of libssl.so installed there that should not be part of a CentOS 5 system. Neither /lib/libssl.so.4 nor /lib64/libssl.so.4 nor /usr/lib64/libssl.so.1.0.0 is CentOS supplied, and all are possibly vulnerable. You should run rpm -qf /usr/lib64/libssl.so.1.0.0 (repeat for all 3 files) and see if they belong to a package; if they do, either seek newer copies of that package or remove it. If they're not owned by any package, then I do not know how you go about testing, but I would rename them all and see what breaks. What damage that breakage might cause is unknown, but with a rename you can always put it back if necessary while you seek a better solution.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
-
- Posts: 10
- Joined: 2014/11/19 19:30:22
Re: OpenSSL vulnerability (CVE-2014-0224)
Thank you very much for the help. This is looking promising.
It appears httpd is using /usr/lib64/libssl.so.1.0.0, so it won't start without it.
I had to keep it in place for now.
If /usr/lib64/libssl.so.1.0.0 is indeed a wrong module, how do I update that to point to the latest patch?
Many many thanks!
S.
-
- Posts: 10642
- Joined: 2005/08/05 15:19:54
- Location: Northern Illinois, USA
Re: OpenSSL vulnerability (CVE-2014-0224)
The CentOS supplied httpd uses the CentOS supplied openssl.
Where did you get your httpd?
Are you running a control panel?
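Added example, not from this thread or from CentOS: a small POSIX shell script that carries out the checks suggested above in one go: list every libssl/libcrypto copy in the library directories, see which of them a running httpd has actually mapped (via /proc/<pid>/maps), and ask rpm -qf which package, if any, owns each one, including the httpd binary itself. The /proc maps sample is constructed here so the parsing can be exercised offline; the pid, the /lib64 paths and the presence of rpm on the target box are assumptions.

```shell
#!/bin/sh
# Audit libssl copies on a CentOS 5 style box (added example; constructed sample data).

# List every libssl/libcrypto object sitting directly in the usual library directories.
find_ssl_copies() {
    find /lib /lib64 /usr/lib /usr/lib64 -maxdepth 1 \
        \( -name 'libssl.so*' -o -name 'libcrypto.so*' \) 2>/dev/null | sort -u
}

# Print the unique libssl/libcrypto objects mapped by a process, read from a
# /proc/<pid>/maps style file given as $1 (a real file path or a constructed sample).
loaded_ssl_libs() {
    awk '$6 ~ /lib(ssl|crypto)\.so/ { print $6 }' "$1" | sort -u
}

# For each path on stdin, print "<path> <owning package>" or "<path> UNOWNED".
# An UNOWNED library is exactly the "rogue copy" the thread is talking about;
# rpm -qf also answers "where did your httpd come from" when fed /usr/sbin/httpd.
owner_report() {
    while IFS= read -r lib; do
        if owner=$(rpm -qf "$lib" 2>/dev/null); then
            printf '%s %s\n' "$lib" "$owner"
        else
            printf '%s UNOWNED\n' "$lib"
        fi
    done
}

# Constructed /proc/<pid>/maps excerpt for an httpd that picked up a non-package
# libssl.so.1.0.0 instead of the distro's libssl.so.6 (assumed paths).
sample_maps() {
    cat <<'EOF'
00400000-00480000 r-xp 00000000 fd:00 123456 /usr/sbin/httpd
7f1a00000000-7f1a00070000 r-xp 00000000 fd:00 234567 /usr/lib64/libssl.so.1.0.0
7f1a00070000-7f1a0026f000 ---p 00070000 fd:00 234567 /usr/lib64/libssl.so.1.0.0
7f1a00300000-7f1a00480000 r-xp 00000000 fd:00 345678 /usr/lib64/libcrypto.so.1.0.0
7f1a00500000-7f1a00520000 r-xp 00000000 fd:00 456789 /lib64/libc-2.5.so
7fff00000000-7fff00021000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Live usage (assumed pgrep is available):
#   find_ssl_copies | owner_report
#   for p in $(pgrep httpd); do loaded_ssl_libs /proc/$p/maps; done | sort -u | owner_report
#   printf '%s\n' /usr/sbin/httpd | owner_report
```

A library that httpd has mapped but that rpm reports as UNOWNED is the one that must be replaced or removed before the packaged openssl update can take effect for that service.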