
When I can apply announced on March 19 of openssl in CentOS5

Posted: 2015/03/25 01:21:13
by cestlavie01
Hi, team.

I want to apply the newly released patched version of openssl to CentOS 5.x.
However, the latest version of OpenSSL in current CentOS 5.x is 0.9.8e-32_el5_11.
The signature is dated January 13, 2015.

I am worried about CVE-2015-0293, which has been fixed in openssl, and about when I can patch.

Adieu.

Re: When I can apply announced on March 19 of openssl in Cen

Posted: 2015/03/25 01:29:02
by TrevorH
All of the CVEs that are applicable to CentOS 5 are ranked as "Moderate" or lower impact. As CentOS 5 is now in production phase 3 of its lifetime, only fixes of important or critical impact are being issued by Red Hat, so this will not be patched as far as I know. You can see more on https://access.redhat.com/articles/1384453

Re: When I can apply announced on March 19 of openssl in Cen

Posted: 2015/03/25 02:00:30
by cestlavie01
TrevorH wrote: All of the CVEs that are applicable to CentOS 5 are ranked as "Moderate" or lower impact. As CentOS 5 is now in production phase 3 of its lifetime, only fixes of important or critical impact are being issued by Red Hat, so this will not be patched as far as I know. You can see more on https://access.redhat.com/articles/1384453
If Red Hat does not patch, can individuals build an openssl themselves?

Re: When I can apply announced on March 19 of openssl in Cen

Posted: 2015/03/25 09:16:59
by TrevorH
Really, really not recommended. Did you read the Red Hat link I posted?

Re: When I can apply announced on March 19 of openssl in Cen

Posted: 2015/03/25 09:49:18
by cestlavie01
TrevorH wrote: Really, really not recommended. Did you read the Red Hat link I posted?
Appreciate the advice.

I read the link page.
However, I think it did not solve the problem. So I was forced to try to do a patch.
If, as Red Hat said, it is too trivial a problem, I take no action.
Is this the correct behavior?

Re: When I can apply announced on March 19 of openssl in Cen

Posted: 2015/03/25 12:19:47
by toracat
Because of the upstream policy, openssl is not the only security patch that was not released for CentOS 5. See this post by Johnny Hughes for more details and his recommendation.

Re: When I can apply announced on March 19 of openssl in Cen

Posted: 2015/03/26 01:38:15
by cestlavie01
toracat wrote: Because of the upstream policy, openssl is not the only security patch that was not released for CentOS 5. See this post by Johnny Hughes for more details and his recommendation.
Thanks, toracat.

I read the link page.
In summary, if we want the security issue to be supported, we have to raise the CentOS version?
Have no choice...

Re: When I can apply announced on March 19 of openssl in Cen

Posted: 2015/04/18 07:17:35
by avij
For the record, there is now an updated OpenSSL for CentOS 5 as well.

You should still start planning to switch to a newer version of CentOS.