OpenSSL vulnerability (CVE-2014-0224)
Re: OpenSSL vulnerability (CVE-2014-0224)
Did you restart all services after applying the new version of the openssl package?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
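The restart question matters because a daemon started before the update keeps the old libssl mapped until it is restarted. As an added example (not part of the thread), this script lists processes that still map a deleted libssl or libcrypto; the function names are hypothetical and it assumes the usual Linux /proc/<pid>/maps layout.

```shell
# Print the distinct deleted libssl/libcrypto paths mapped in one maps file.
# maps line layout: address perms offset dev inode pathname [(deleted)]
stale_ssl_libs() {
    awk '$NF == "(deleted)" && $6 ~ "/lib(ssl|crypto)[^/]*$" { print $6 }' \
        "$1" 2>/dev/null | sort -u
}

# Walk a proc tree (default /proc; the argument exists so the check can be
# pointed at a copy) and print "pid name library" for every stale mapping.
scan_stale_ssl() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        libs=$(stale_ssl_libs "$dir/maps")
        [ -n "$libs" ] || continue
        # Process name from the status file; left empty if it cannot be read.
        name=$(awk '$1 == "Name:" { print $2; exit }' "$dir/status" 2>/dev/null) || name=
        for lib in $libs; do
            printf '%s %s %s\n' "${dir##*/}" "${name:-?}" "$lib"
        done
    done
}

# Run as root so that other users' processes are readable.
scan_stale_ssl "${1:-/proc}"
```

Any service this lists is still running the pre-update library and needs a restart before the patched package is actually in use.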
-
- Posts: 2
- Joined: 2014/06/06 13:36:58
Re: OpenSSL vulnerability (CVE-2014-0224)
Thanks for your answers Trevor!
I have another question...
when I type
Code: Select all
yum info openssl
I get this output:
Installed Packages
Name : openssl
Arch : i686
Version : 0.9.8e
Release : 27.el5_10.3
Size : 3.4 M
Repo : installed
Summary : The OpenSSL toolkit
URL : http://www.openssl.org/
License : BSDish
Description: The OpenSSL toolkit provides support for secure communications between
: machines. OpenSSL includes a certificate management tool and shared
: libraries which provide various cryptographic algorithms and
: protocols.
Name : openssl
Arch : x86_64
Version : 0.9.8e
Release : 27.el5_10.3
Size : 3.5 M
Repo : installed
Summary : The OpenSSL toolkit
URL : http://www.openssl.org/
License : BSDish
Description: The OpenSSL toolkit provides support for secure communications between
: machines. OpenSSL includes a certificate management tool and shared
: libraries which provide various cryptographic algorithms and
: protocols.
I use CentOS 5 and you said:
For CentOS 5 you should have
openssl-0.9.8e-27.el5_10.3
openssl097a-0.9.7a-12.el5_10.1
So does that mean that I have the "fixed version" or not?
I followed all the steps you said for the upgrade but I'm not sure I have the "fixed version"
Thanks for your help!
Re: OpenSSL vulnerability (CVE-2014-0224)
Version : 0.9.8e
Release : 27.el5_10.3
== 0.9.8e-27.el5_10.3
Using rpm -q openssl is much easier to read
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
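To answer the "fixed version" question for every installed architecture at once (the yum output above lists both i686 and x86_64), here is an added example that is not part of the thread. The fixed builds are the CentOS 5 ones quoted in the thread; the function names are hypothetical, and the comparison is a simplified form of rpm's version ordering.

```shell
# Fixed CentOS 5 builds as quoted in the thread: "name version-release".
FIXED_EL5='openssl 0.9.8e-27.el5_10.3
openssl097a 0.9.7a-12.el5_10.1'

# evr_ge A B: succeed if version-release A >= B. Simplified from rpm's
# comparison (no epoch, no "~"): split into digit/letter runs; digits compare
# numerically, letters lexically, digits beat letters, extra segments win.
evr_ge() {
    awk -v a="$1" -v b="$2" '
    function seg(s, out,   n) {
        n = 0
        while (match(s, /[0-9]+|[A-Za-z]+/)) {
            out[++n] = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
        }
        return n
    }
    function cmp(x, y,   p, q, np, nq, i, dp, dq) {
        np = seg(x, p); nq = seg(y, q)
        for (i = 1; i <= np && i <= nq; i++) {
            dp = (p[i] ~ /^[0-9]/); dq = (q[i] ~ /^[0-9]/)
            if (dp != dq) return dp ? 1 : -1
            if (dp && p[i] + 0 != q[i] + 0) return (p[i] + 0 > q[i] + 0) ? 1 : -1
            if (!dp && p[i] != q[i]) return (p[i] > q[i]) ? 1 : -1
        }
        return (np > nq) - (np < nq)
    }
    BEGIN {
        split(a, A, "-"); split(b, B, "-")   # version, release
        c = cmp(A[1], B[1]); if (c == 0) c = cmp(A[2], B[2])
        exit (c < 0)
    }' </dev/null
}

# Read "name version-release arch" lines and judge each against FIXED_EL5;
# returns 1 if any installed package/arch is older than the fixed build.
check_fixed() {
    rc=0
    while read -r name evr arch; do
        want=$(printf '%s\n' "$FIXED_EL5" | awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$want" ] || continue
        if evr_ge "$evr" "$want"; then echo "OK      $name-$evr.$arch"
        else echo "UPDATE  $name-$evr.$arch (need >= $want)"; rc=1; fi
    done
    return $rc
}
if command -v rpm >/dev/null 2>&1; then   # one line per installed arch
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n' openssl openssl097a | check_fixed
fi
```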
Re: OpenSSL vulnerability (CVE-2014-0224)
This new version of the CentOS 6 openssl RPM has a dependency on make? The previous RPM did not... Was that intentional?
Re: OpenSSL vulnerability (CVE-2014-0224)
You're mistaken.
I don't have the 6.4 rpms lying around so cannot query them but as far as I remember, make has always been required as there is a Makefile shipped with it for creating your own certificates.
Code: Select all
# rpm -qpl --requires /var/www/html/centos/6/updates/x86_64/Packages/openssl-1.0.1e-16.el6_5.14.x86_64.rpm | grep make
make
/etc/pki/tls/certs/make-dummy-cert
# rpm -qpl --requires /var/www/html/centos/6/updates/x86_64/Packages/openssl-1.0.1e-16.el6_5.7.x86_64.rpm | grep make
make
/etc/pki/tls/certs/make-dummy-cert
# rpm -qpl --requires /var/www/html/centos/6/updates/x86_64/Packages/openssl-1.0.1e-16.el6_5.4.x86_64.rpm | grep make
make
/etc/pki/tls/certs/make-dummy-cert
# rpm -qpl --requires /var/www/html/centos/6/updates/x86_64/Packages/openssl-1.0.1e-16.el6_5.1.x86_64.rpm | grep make
make
/etc/pki/tls/certs/make-dummy-cert
# rpm -qpl --requires /var/www/html/centos/6/updates/x86_64/Packages/openssl-1.0.1e-16.el6_5.x86_64.rpm | grep make
make
/etc/pki/tls/certs/make-dummy-cert
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: OpenSSL vulnerability (CVE-2014-0224)
6.5's openssl does indeed require the "make" package to be installed. 6.4 (including updates) did not. Yes, it is intentional.
-
- Posts: 1
- Joined: 2014/06/16 02:01:45
Re: OpenSSL vulnerability (CVE-2014-0224)
Hello,
I am a newbie. Please bear with me.
I am running Centos 5.2 and to get fix of CVE-2014-0224 I will need following RPMs.
openssl-0.9.8e-27.el5_10.3
openssl097a-0.9.7a-12.el5_10.1
Am I right ?
If yes, then how can I get these RPMS.
I do not have yum installed on my machine.
Thanks
Sachin
Re: OpenSSL vulnerability (CVE-2014-0224)
If you're running CentOS 5.2 then you have far more serious problems than that openssl vulnerability. 5.2 was released in May 2008 so you are missing more than 6 years of security fix vulnerabilities.
If you don't have yum on your machine then it is not CentOS. Perhaps you need to peruse these wiki articles:
http://wiki.centos.org/AdditionalResources/OtherSpins
http://wiki.centos.org/TipsAndTricks/BrokenVserver
I suggest you contact your provider to find out if they can help you get up to a more recent update ASAP.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: OpenSSL vulnerability (CVE-2014-0224)
Hi,
I'm currently using openssl-1.0.0-4. I have to upgrade to 1.0.0m as per OpenSSL website. However, I don't see Openssl-1.0.0 related packages on centos mirror.
From where can I get it.
Thanks.
Re: OpenSSL vulnerability (CVE-2014-0224)
Please read post 2 of this thread for the versions that contain the fixes on CentOS 5 and 6.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke