[RESOLVED] openssl huge vulnerability and updated centos packages, i.e questions on updates

Support for security such as Firewalls and securing linux
fooman
Posts: 16
Joined: 2011/11/16 10:32:37

[RESOLVED] openssl huge vulnerability and updated centos packages, i.e questions on updates

Post by fooman » 2012/02/13 18:54:40

[size=120][color=000066][b]My noob question has been answered thanks to the excellent Moderator pschaff, and Pro Trevor from the UK. Excellent folks, helping anyone and everyone regardless of their condition - I'm slow/ADD :[/b][/color][/size]

I just ran yum update on my server and from the centos updates repo, the latest version is 0.9.8e-20.el5_7.1.0.1.centos

This is concerning, because the version in the base/updates and other repos is still 0.9.8e (possibly an updated, patched version of 0.9.8e from July 2011?), because 0.9.8 has been around for 2+ years now and most distros have moved on to 1.0.x.

A few days ago openssl was hit with more bad news as usual, but dangerous remote attacks. Other distros have already updated their repos to an openssl-1.0.x that's patched, or an updated release. Do we need to compile our own openssl, or am I not doing something right on my box? I have the usual repos installed, rpmforge and epel, with yum priorities given to centos and the rest last.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

[RESOLVED] openssl huge vulnerability and updated centos pac

Post by pschaff » 2012/02/13 19:05:55

Sounds rather [b]alarming[/b]!!! :-)

Apparently you are unfamiliar with [url=http://www.redhat.com/security/updates/backporting/]TUV's policy of backporting security patches[/url]. You can view the package [i]change log[/i] and look for the relevant [b]CVEs[/b]. Simply looking at the package version number in an Enterprise Linux OS is meaningless.

You can also google CVE numbers and add "site:redhat.com" to locate Redhat bugzilla entries for the problem. It may be that the issue is already patched, or that RHEL Release X (and thus CentOS-X) is not vulnerable because the particular feature is not enabled.

fooman
Posts: 16
Joined: 2011/11/16 10:32:37

Re: openssl huge vulnerability and updated centos packages, i.e version 1.0.0 to fix, where is it?

Post by fooman » 2012/02/13 19:21:25

Thanks for the swift response, and the extra info for this noobster to read. What's TUV, btw? I'm a self-admitted CentOS n00b, so my questions can vary from weird to wth?

But prior to posting, I was checking my repos, and ran openssl version and saw:
[code]
# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
[/code]

I checked the changelog on your links:
[code]
Changes between 0.9.8e and 0.9.8f [11 Oct 2007]
[/code]

I'm guessing most of the newer packages updated are CentOS 6, not CentOS 5. Doing a package search on Google, CentOS 6 is running openssl 1.0.0.x, but there is no new release or update for CentOS 5.

So I was concerned and had to ask my awesome friends here on the forum. Now, skimming through the links, I have an understanding of version #'s on packages, but if openssl version says 0.9.8e, it's 0.9.8e.

The current package details, doing another search, show:
[code]
Name        : openssl                       Distribution: CentOS-5
Version     : 0.9.8e                        Vendor: CentOS
Release     : 20.el5                        Build date: Sun Aug 14 00:27:35 2011
Group       : System Environment/Libraries  Build host: builder10.centos.org
[/code]

So is this build safe, and is that why there's no new version or updated version since Aug 2011? When I have time I'm going to test my box and see, but I'm hoping it is, to save time.

The EOL on CentOS 5 is 5 years away, but for the sake of security I might just move on to CentOS 6, just in case.

Thanks for the help, awaiting your reply

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssl huge vulnerability and updated centos packages, i.e version 1.0.0 to fix, where is it?

Post by TrevorH » 2012/02/13 19:30:20

[quote]
but if openssl version says 0.9.8e, it's 0.9.8e.
[/quote]

Actually, that's exactly the opposite of what it means. Red Hat (TUV) backports security fixes from the current release to the older one and keeps the release number the same, so CentOS 5 will have openssl 0.9.8e for its entire 10 year lifespan. You need to check the changelog of the rpm to see if your issue is fixed:

[code]
rpm -q --changelog openssl | less
[/code]
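The check the two replies above describe (look for the CVE in the rpm changelog rather than at the upstream version string, then fall back to Red Hat's own CVE pages when it is absent), written out as an added example that is not part of the original thread and is not CentOS or Red Hat tooling. It is a POSIX shell helper that parses `rpm -q --changelog` output and reports which build of the package first mentions a CVE. The changelog text it runs on here is a constructed sample in the shape of that output; its entries, dates and CVE numbers are illustrative and are not the real openssl changelog. The names `cve_fix_release`, `cve_fixed_installed` and `SAMPLE_CHANGELOG` are chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Finds which build of an RPM
# first mentions a given CVE in its changelog, so a backported fix can be
# checked without reading anything into the upstream version (0.9.8e).
#
# On a real box:   rpm -q --changelog openssl | cve_fix_release CVE-2011-4108
# Here it is run against a CONSTRUCTED sample changelog so it works offline.

# cve_fix_release CVE-ID
#   Reads `rpm -q --changelog` style text on stdin. Each entry starts with a
#   header "* <date> <packager> <version-release>"; the lines after it belong
#   to that build. Prints the version-release of the newest build whose entry
#   mentions CVE-ID as a whole identifier (CVE-2011-410 must not match
#   CVE-2011-4108) and exits 0; prints nothing and exits 1 if it is absent.
cve_fix_release() {
    awk -v cve="$1" '
        BEGIN { pat = tolower("(^|[^0-9])" cve "([^0-9]|$)"); found = 0 }
        /^\* / { rel = $NF; next }                    # header: remember the build
        rel != "" && tolower($0) ~ pat { print rel; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# cve_fixed_installed CVE-ID PACKAGE
#   Same check against the package actually installed on this host (needs rpm).
cve_fixed_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    rpm -q --changelog "$2" | cve_fix_release "$1"
}

# Constructed sample in the shape of `rpm -q --changelog openssl` output.
# Entries, dates and CVE numbers are illustrative only, not the real changelog.
SAMPLE_CHANGELOG='* Wed Jan 04 2012 Example Packager <packager@example.com> 0.9.8e-20.1
- fix CVE-2011-4108 (constructed entry)
- fix CVE-2011-4109 (constructed entry)

* Wed Aug 10 2011 Example Packager <packager@example.com> 0.9.8e-20
- fix CVE-2011-3210 (constructed entry)

* Tue Feb 15 2011 Example Packager <packager@example.com> 0.9.8e-16
- rebuild (constructed entry)'

# Walk a few identifiers through the sample, including a prefix of a real-looking
# id (CVE-2011-410) and one that is not mentioned at all (CVE-2011-9999).
demo() {
    for cve in CVE-2011-4108 cve-2011-3210 CVE-2011-410 CVE-2011-9999; do
        if rel=$(printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fix_release "$cve"); then
            echo "$cve: fixed in build $rel"
        else
            echo "$cve: not in changelog - check the Red Hat CVE/bugzilla page before deciding"
        fi
    done
}

demo
```

A CVE that is missing from the changelog is not proof the host is vulnerable: the package may never have shipped the affected code or feature, which is exactly the case pschaff describes, so the next step is the Red Hat CVE or bugzilla page, not a self-compiled OpenSSL. The header parser takes the last whitespace-separated field of each `* ...` line, so it works whether or not the packager puts a ` - ` between the e-mail address and the version-release.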

fooman
Posts: 16
Joined: 2011/11/16 10:32:37

Re: openssl huge vulnerability and updated centos packages, i.e version 1.0.0 to fix, where is it?

Post by fooman » 2012/02/13 19:32:29

Skip some of my last post; I found answers for most of it just now.

On Red Hat's site, they say they have a patched version, openssl-0.9.8e-20.el5_7.1.src.rpm, which syncs up with the info from the links you provided on why version #'s are the way they are, for multiple reasons.

[code]
# rpm -qa | grep openssl
openssl-0.9.8e-20.el5_7.1
[/code]

So indeed the repo has the updated version from Jan 2012 if you run yum update. I guess for us users, if we are paranoid about our servers, we would have to beat Red Hat to the punch for updates?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssl huge vulnerability and updated centos packages, i.e version 1.0.0 to fix, where is it?

Post by TrevorH » 2012/02/13 19:35:47

Red Hat are notified by responsible security researchers ahead of time, so they have time to patch the code in advance of a public announcement. Usually the release of fixed rpms comes alongside the announcement of the vulnerability, so patches are usually available at the same time as, or within a day or so of, the knowledge becoming public.

fooman
Posts: 16
Joined: 2011/11/16 10:32:37

Re: openssl huge vulnerability and updated centos packages, i.e version 1.0.0 to fix, where is it?

Post by fooman » 2012/02/13 19:36:24

Excellent. I'm always trying to stay on top of security, and all my concerns have been laid to rest, RIP..

Thanks for the help! Love you pros, hugs and kisses. :lol:

fooman
Posts: 16
Joined: 2011/11/16 10:32:37

Re: [RESOLVED] openssl huge vulnerability and updated centos packages, . . .

Post by fooman » 2012/02/13 19:44:49

Updated my title so as not to scare other users who are new like me.

TECK
Posts: 102
Joined: 2007/03/19 21:59:24
Location: Montreal, Canada

Re: [RESOLVED] openssl huge vulnerability and updated centos

Post by TECK » 2012/07/13 05:07:36

For those interested in upgrading OpenSSL to 1.0.1g, I've written a detailed tutorial on how to do it in CentOS 5:
https://www.axivo.com/resources/openssl-setup.2/
Last edited by TECK on 2014/05/14 02:38:35, edited 1 time in total.
