OpenSSL vulnerability (CVE-2014-0224)

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/10 14:53:54

Did you restart all services after applying the new version of the openssl package?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
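
One way to answer Trevor's question on your own box is to look for processes that still have the old, now-deleted libssl or libcrypto mapped into memory; such processes keep running the vulnerable code until restarted. The script below is an added example, not part of the thread or of any CentOS tooling. It reads /proc/<pid>/maps (Linux only; run it as root to see every process) and flags mappings marked "(deleted)" whose file name contains one of the library name patterns. SAMPLE_MAPS is a constructed maps dump for offline use.

```python
"""Find processes that still map a replaced (deleted) libssl/libcrypto.

Added example for the thread, not code from CentOS or rpm. Reads
/proc/<pid>/maps on Linux; SAMPLE_MAPS below is a constructed sample."""
import os

# Libraries whose replacement on disk requires a service restart (assumed list).
DEFAULT_PATTERNS = ("libssl", "libcrypto")

# Constructed /proc/<pid>/maps excerpt: one stale libssl, one live libc,
# one deleted file that is not a crypto library, and two anonymous regions.
SAMPLE_MAPS = """\
7f0b2c1d3000-7f0b2c3a0000 r-xp 00000000 fd:01 1234567 /usr/lib64/libssl.so.1.0.1e (deleted)
7f0b2c3a0000-7f0b2c3b1000 r-xp 00000000 fd:01 1234568 /lib64/libc-2.12.so
7f0b2c3b1000-7f0b2c3b3000 rw-p 00000000 00:00 0 [heap]
7f0b2c3b3000-7f0b2c3b4000 r--p 00000000 fd:01 99 /var/tmp/scratch.bin (deleted)
7fffd2a00000-7fffd2a21000 rw-p 00000000 00:00 0 [stack]
"""


def stale_libs_in_maps(maps_text, patterns=DEFAULT_PATTERNS):
    """Return the sorted library paths in a maps dump that were deleted on
    disk (replaced by an update) but are still mapped by the process."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [path]; the path may have spaces.
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        path = parts[5].strip()
        if not path.endswith("(deleted)"):
            continue
        base = os.path.basename(path[: -len("(deleted)")].strip())
        if any(p in base for p in patterns):
            stale.add(path)
    return sorted(stale)


def scan_processes(proc_root="/proc", patterns=DEFAULT_PATTERNS):
    """Walk /proc and return {pid: [stale library paths]} for live processes.
    Entries that cannot be read (other users' processes without root) are skipped."""
    results = {}
    if not os.path.isdir(proc_root):
        return results
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_libs_in_maps(fh.read(), patterns)
        except OSError:
            continue
        if stale:
            results[int(entry)] = stale
    return results


if __name__ == "__main__":
    for pid, libs in sorted(scan_processes().items()):
        print("PID %d still maps: %s" % (pid, ", ".join(libs)))
```

A hit means the process should be restarted (or the host rebooted), but it is a prompt rather than proof of vulnerability: on CentOS, prelink rewriting a library in place also leaves "(deleted)" mappings behind, so a freshly prelinked but already-updated library can show up too. `lsof` reports the same mappings with a DEL type if you prefer a one-liner.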

flangelier
Posts: 2
Joined: 2014/06/06 13:36:58

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by flangelier » 2014/06/10 20:02:39

Thanks for your answers, Trevor!

I have another question...

When I type yum info openssl, I get this output:
Installed Packages
Name : openssl
Arch : i686
Version : 0.9.8e
Release : 27.el5_10.3
Size : 3.4 M
Repo : installed
Summary : The OpenSSL toolkit
URL : http://www.openssl.org/
License : BSDish
Description: The OpenSSL toolkit provides support for secure communications between
: machines. OpenSSL includes a certificate management tool and shared
: libraries which provide various cryptographic algorithms and
: protocols.

Name : openssl
Arch : x86_64
Version : 0.9.8e
Release : 27.el5_10.3
Size : 3.5 M
Repo : installed
Summary : The OpenSSL toolkit
URL : http://www.openssl.org/
License : BSDish
Description: The OpenSSL toolkit provides support for secure communications between
: machines. OpenSSL includes a certificate management tool and shared
: libraries which provide various cryptographic algorithms and
: protocols.
I use CentOS 5 and you said:
For CentOS 5 you should have
openssl-0.9.8e-27.el5_10.3
openssl097a-0.9.7a-12.el5_10.1
So does that mean that I have the "fixed version" or not?

I followed all the steps you said for the upgrade but I'm not sure I have the "fixed version".

Thanks for your help!

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/10 20:55:15

Version : 0.9.8e
Release : 27.el5_10.3
== 0.9.8e-27.el5_10.3

Using rpm -q openssl is much easier to read ;-)
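
Trevor's point is that yum's separate Version and Release fields are joined as version-release before you compare them with a fixed build string. The script below is an added example, not code from the thread, from yum or from rpm: it parses the yum info output the poster pasted (used here as a constructed sample), and compares each installed version-release against the CentOS 5 fixed versions quoted in the thread using the same ordering rpm itself applies. rpmvercmp re-implements the algorithm of rpm's lib/rpmvercmp.c (digit runs vs. letter runs, tilde sorting first); the caret rule of newer rpm releases is left out (assumption: not needed for these strings).

```python
"""Decide whether installed openssl packages are at or past the fixed build.

Added example for the thread, not code from rpm, yum or CentOS. rpmvercmp
follows rpm's lib/rpmvercmp.c; FIXED_CENTOS5 holds the versions the thread
quotes for CentOS 5; YUM_INFO_SAMPLE is the poster's pasted output."""

# Fixed builds for CVE-2014-0224 on CentOS 5, as quoted in the thread.
FIXED_CENTOS5 = {"openssl": "0.9.8e-27.el5_10.3", "openssl097a": "0.9.7a-12.el5_10.1"}

# Constructed sample: the 'yum info openssl' output pasted above, trimmed.
YUM_INFO_SAMPLE = """
Installed Packages
Name : openssl
Arch : i686
Version : 0.9.8e
Release : 27.el5_10.3
Repo : installed
Description: The OpenSSL toolkit provides support for secure communications between
: machines.

Name : openssl
Arch : x86_64
Version : 0.9.8e
Release : 27.el5_10.3
Repo : installed
"""


def rpmvercmp(a, b):
    """Return 1 if a is newer than b, -1 if older, 0 if equal (rpm ordering)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric or '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # A tilde sorts before everything, even the end of the string.
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        # Take a run of digits or a run of letters from each string.
        isnum, sa, sb = a[i].isdigit(), i, j
        while i < len(a) and (a[i].isdigit() if isnum else a[i].isalpha()):
            i += 1
        while j < len(b) and (b[j].isdigit() if isnum else b[j].isalpha()):
            j += 1
        seg_a, seg_b = a[sa:i], b[sb:j]
        if not seg_b:  # segment types differ: numeric is newer than alpha
            return 1 if isnum else -1
        if isnum:  # numeric segments compare by length after dropping leading zeros
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1  # whichever still has characters left wins


def parse_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(installed, fixed):
    """Epoch first, then version, then release, each with rpm ordering."""
    e1, v1, r1 = parse_evr(installed)
    e2, v2, r2 = parse_evr(fixed)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def parse_yum_info(text):
    """Parse 'yum info' stanzas ('Key : value', ': continuation') into dicts."""
    packages, current, last_key = [], {}, None
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:
            if current:
                packages.append(current)
            current, last_key = {}, None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # e.g. the "Installed Packages" heading
        key = key.strip()
        if key:
            current[key], last_key = value.strip(), key
        elif last_key:
            current[last_key] += " " + value.strip()
    return packages


def assess(yum_text, fixed=FIXED_CENTOS5):
    """Return [(name, arch, installed version-release, status)] with status
    'fixed', 'vulnerable', or 'unknown' (package not in the fixed table)."""
    report = []
    for pkg in parse_yum_info(yum_text):
        if not all(k in pkg for k in ("Name", "Version", "Release")):
            continue
        name, installed = pkg["Name"], "%s-%s" % (pkg["Version"], pkg["Release"])
        if name not in fixed:
            status = "unknown"
        else:
            status = "fixed" if compare_evr(installed, fixed[name]) >= 0 else "vulnerable"
        report.append((name, pkg.get("Arch", "?"), installed, status))
    return report


if __name__ == "__main__":
    for row in assess(YUM_INFO_SAMPLE):
        print("%s.%s %s: %s" % (row[0], row[1], row[2], row[3]))
```

On a real host you would feed it the output of yum info openssl openssl097a (or, as Trevor says, rpm -q, which already prints name-version-release.arch on one line). A package at or above the fixed build reports "fixed"; note that this only tells you the files on disk are patched, not that running services have been restarted to load them.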

wolfeman
Posts: 3
Joined: 2014/06/13 17:14:49

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by wolfeman » 2014/06/13 17:18:25

This new version of the CentOS 6 openssl RPM has a dependency on make? The previous RPM did not... Was that intentional?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/13 23:28:56

You're mistaken.


# rpm -qpl --requires /var/www/html/centos/6/updates/x86_64/Packages/openssl-1.0.1e-16.el6_5.14.x86_64.rpm | grep make
make  
/etc/pki/tls/certs/make-dummy-cert
# rpm -qpl --requires /var/www/html/centos/6/updates/x86_64/Packages/openssl-1.0.1e-16.el6_5.7.x86_64.rpm | grep make
make  
/etc/pki/tls/certs/make-dummy-cert
# rpm -qpl --requires /var/www/html/centos/6/updates/x86_64/Packages/openssl-1.0.1e-16.el6_5.4.x86_64.rpm | grep make
make  
/etc/pki/tls/certs/make-dummy-cert
# rpm -qpl --requires /var/www/html/centos/6/updates/x86_64/Packages/openssl-1.0.1e-16.el6_5.1.x86_64.rpm | grep make
make  
/etc/pki/tls/certs/make-dummy-cert
# rpm -qpl --requires /var/www/html/centos/6/updates/x86_64/Packages/openssl-1.0.1e-16.el6_5.x86_64.rpm | grep make
make  
/etc/pki/tls/certs/make-dummy-cert
I don't have the 6.4 rpms lying around so cannot query them but as far as I remember, make has always been required as there is a Makefile shipped with it for creating your own certificates.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by avij » 2014/06/15 21:20:35

6.5's openssl does indeed require the "make" package to be installed. 6.4 (including updates) did not. Yes, it is intentional.

sachin3072004
Posts: 1
Joined: 2014/06/16 02:01:45

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by sachin3072004 » 2014/06/16 02:08:04

Hello,

I am a newbie. Please bear with me.
I am running CentOS 5.2 and to get the fix for CVE-2014-0224 I will need the following RPMs:
openssl-0.9.8e-27.el5_10.3
openssl097a-0.9.7a-12.el5_10.1
Am I right?

If yes, then how can I get these RPMs?
I do not have yum installed on my machine.

Thanks
Sachin

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/16 10:46:19

If you're running CentOS 5.2 then you have far more serious problems than that openssl vulnerability. 5.2 was released in May 2008, so you are missing more than 6 years of security fixes.

If you don't have yum on your machine then it is not CentOS. Perhaps you need to peruse these wiki articles:

http://wiki.centos.org/AdditionalResources/OtherSpins
http://wiki.centos.org/TipsAndTricks/BrokenVserver

I suggest you contact your provider to find out if they can help you get up to a more recent update ASAP.

rskotecha
Posts: 3
Joined: 2014/06/19 11:00:33

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by rskotecha » 2014/06/19 11:03:43

Hi,
I'm currently using openssl-1.0.0-4. I have to upgrade to 1.0.0m as per the OpenSSL website. However, I don't see openssl-1.0.0 related packages on the CentOS mirror.
Where can I get it?

Thanks.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/19 12:17:50

Please read post 2 of this thread for the versions that contain the fixes on CentOS 5 and 6.
