OpenSSL antiquated

Blackgato
Posts: 2
Joined: 2011/08/07 01:17:04

OpenSSL antiquated

Post by Blackgato » 2011/08/07 01:30:50

I've been running into trouble with a server I need to meet PCI compliance. The version of OpenSSL that is in the yum updates for CentOS is antiquated and a security risk according to PCI compliance, yet the 1.0.0d version doesn't play nice using the ./config, nor does forcing the type with ./Configure linux-x86_64 (or elf or generic64).

Any Solutions?

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: OpenSSL antiquated

Post by AlanBartlett » 2011/08/07 03:01:20

[quote]
Blackgato wrote:
I've been running into trouble with a server I need to meet PCI compliance. The version of OpenSSL that is in the yum updates for CentOS is antiquated and a security risk according to PCI compliance, yet the 1.0.0d version doesn't play nice using the ./config, nor does forcing the type with ./Configure linux-x86_64 (or elf or generic64).

Any Solutions?[/quote]
Yes. Please express your muddled opinion to the [b]Upstream Vendor[/b] ([url=http://www.redhat.com]Red Hat, Inc.[/url]) and stop using a so-called "service" provided by an ill-informed entity.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL antiquated

Post by TrevorH » 2011/08/07 03:53:21

Did you try running

[code]
rpm -q --changelog openssl | grep -i cve
[/code]

and seeing if the particular CVE entries that you are interested in are listed there? Red Hat make a point of [b]not[/b] upgrading the version numbers of the packages that they ship for the lifetime of the distribution, but they do backport security fixes to the code, so a Red Hat version number may easily have more recent security bugs fixed than might be deduced just from looking at the version number.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

OpenSSL antiquated

Post by pschaff » 2011/08/07 11:21:22

[quote]
Blackgato wrote:
I've been running into trouble with a server I need to meet PCI compliance. The version of OpenSSL that is in the yum updates for CentOS is antiquated and a security risk according to PCI compliance, yet the 1.0.0d version doesn't play nice using the ./config, nor does forcing the type with ./Configure linux-x86_64 (or elf or generic64).

Any Solutions?[/quote]

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

An ill-conceived attempt at a [url=http://wiki.centos.org/PackageManagement/SourceInstalls]Source Install[/url] is definitely not a solution.

You fail to understand the nature of an [url=http://www.google.com/search?q=Enterprise+Linux&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a]Enterprise Linux[/url] distribution that emphasizes stability and [i][b]real[/b][/i] security over meaningless version numbers. Please read about the upstream policy of [url=https://access.redhat.com/security/updates/backporting/?sc_cid=3093]Backporting security fixes[/url].

You may also want to read:

[url=http://wiki.centos.org/FAQ/General#head-472ce8446ebcfc82ca1800f775ba0e629ac835c7]FAQ#20. Where can I get the latest version of XyZ.rpm for CentOS? I cannot find it anywhere.[/url]

pza81
Posts: 33
Joined: 2007/07/10 08:02:35

Re: OpenSSL antiquated

Post by pza81 » 2011/08/23 07:22:24

[quote]pschaff wrote:
You fail to understand the nature of an [url=http://www.google.com/search?q=Enterprise+Linux&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a]Enterprise Linux[/url] distribution that emphasizes stability and [i][b]real[/b][/i] security over meaningless version numbers. Please read about the upstream policy of [url=https://access.redhat.com/security/updates/backporting/?sc_cid=3093]Backporting security fixes[/url].
[/quote]
I agree with you there, pschaff, but unfortunately CentOS 6 is far behind on critical security updates, so it can't really be used in a security-conscious enterprise. I could make a very long list of outstanding security fixes, but to keep on thread, I'll limit it to outstanding openssl vulnerabilities:
https://www.redhat.com/security/data/cve/CVE-2011-0014.html
https://www.redhat.com/security/data/cve/CVE-2010-4180.html
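Added example, not code from this thread or from any of its posters: a small shell check that turns TrevorH's suggestion (grep the RPM changelog for CVE IDs) into something you can run against a list of IDs such as the two pza81 gives above, so the "outstanding" claim can be tested on an actual host rather than argued from the version number. The function name cves_missing is my own, and the changelog text embedded below is constructed for offline testing; on a real CentOS box you would pipe the output of rpm -q --changelog openssl into it instead.

```shell
#!/bin/sh
# Added example, not code from the forum thread.
# Check whether the CVE IDs a scanner flagged are listed in an RPM's changelog,
# which is where Red Hat records backported fixes.
#
# Real usage on a CentOS host (not run here):
#   rpm -q --changelog openssl | cves_missing CVE-2011-0014 CVE-2010-4180

# Constructed sample changelog for offline testing; the dates, maintainer and
# release numbers are made up and are not real openssl package metadata.
SAMPLE_CHANGELOG='* Tue Feb 15 2011 Example Maintainer <maint@example.com> 1.0.0-4
- fix CVE-2011-0014 (OCSP stapling flaw)

* Mon Dec 06 2010 Example Maintainer <maint@example.com> 1.0.0-3
- fix CVE-2010-4180 (ciphersuite downgrade)'

# cves_missing CVE-ID... : reads changelog text on stdin and prints one line
# per CVE ID that is NOT mentioned.  Returns 0 when every ID is present,
# 1 otherwise, so it can gate a script.  The match is case-insensitive and
# requires a non-digit (or end of line) after the ID, so CVE-2010-418 does
# not falsely match CVE-2010-4180.
cves_missing() {
    log=$(cat)
    rc=0
    for cve in "$@"; do
        if ! printf '%s\n' "$log" | grep -Eqi -- "${cve}([^0-9]|$)"; then
            printf '%s\n' "$cve"
            rc=1
        fi
    done
    return "$rc"
}
```

A hit in the changelog tells you the fix was backported; it does not change the version string, so an ASV scanner that keys on the banner will still flag the host. Keep the vendor's CVE page for each flagged ID (the access.redhat.com links above are the right kind) as the evidence you hand back to the assessor, and treat an ID that this check reports as missing as a genuine gap to raise upstream.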
