heartbleed openssl bug, need 1.0.1g openssl version

Post by underdogsoftware » 2014/04/09 21:40:39

Any problem with manually compiling openssl as follows:

```
cd /usr/src
wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz -O openssl-1.0.1g.tar.gz

tar -zxf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config
make
make test
make install

openssl version
```

If it shows the old version, do the steps below.

```
mv /usr/bin/openssl /root/
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

# openssl version
OpenSSL 1.0.1g 7 Apr 2014
```

Post by TrevorH » 2014/04/09 22:10:59

Volox:

You have CentOS 5 which does not have a vulnerable openssl in the first place. The bug only affects 1.0.1+
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post by TrevorH » 2014/04/09 22:13:04

underdogsoftware: yes, big problems. You should never compile from source on a packaged distribution like CentOS and definitely not something as system critical as openssl. Besides, it is pointless, the bug is fixed in the CentOS repos and the patch has been available for about 2 days now. You just need to `yum update openssl` and get openssl-1.0.1e-16.el6_5.7 installed. End of problem.

Throw your source install away.

Post by tdemers » 2014/04/09 22:36:42

I have CentOS 6.5 and I have done the following:
I made sure that the [updates] section in /etc/yum.repos.d/Centos-Base.repo had "enabled=1"

```
yum update
yum update openssl
```

After doing this, when I type `openssl version` it says `OpenSSL 1.0.1e-fips 11 Feb 2013`.

What am I not doing?

Post by avij » 2014/04/09 22:42:26

tdemers: The OpenSSL version string itself has not changed and is perfectly fine. RedHat has backported the Heartbeat patch which will not affect the actual OpenSSL version string.

To check that you have the correct openssl, run "rpm -q openssl". It should output openssl-1.0.1e-16.el6_5.7.<architecture>. After you have confirmed that you have the correct openssl, restart all the services that depend on openssl, or simply reboot your server.
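
The check described in the post above, as an added shell example that is not part of the original thread: it compares the installed package build against the fixed build named here and lists processes that still map the replaced library and therefore need a restart. The function names are hypothetical, and GNU `sort -V` is assumed as a stand-in for RPM's own version ordering.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the thread).
# Applies to the CentOS 6 openssl 1.0.1 packages discussed above.
FIXED_BUILD="1.0.1e-16.el6_5.7"   # fixed build named in the thread

# build_is_fixed VERSION-RELEASE: succeed if it sorts at or above FIXED_BUILD.
# Assumption: GNU `sort -V` stands in for RPM's own version comparison.
build_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_BUILD" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_BUILD" ]
}

# stale_ssl_pids [PROC_ROOT]: print "PID NAME" for every process that still
# maps a libssl/libcrypto file replaced on disk; the kernel tags such
# mappings "(deleted)". Those processes run the old code until restarted.
stale_ssl_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            name=$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status" 2>/dev/null)
            printf '%s %s\n' "${dir##*/}" "$name"
        fi
    done
}

# check_host: report on the live system (run as root to see every process).
check_host() {
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl) || return 2
    if build_is_fixed "$vr"; then
        echo "openssl-$vr: at or above $FIXED_BUILD"
    else
        echo "openssl-$vr: older than $FIXED_BUILD, run: yum update openssl"
    fi
    echo "Still using the replaced library (restart these):"
    stale_ssl_pids
}

if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it with `--check` on the server after `yum update openssl`; an empty process list means nothing is still running on the old library.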

Post by tdemers » 2014/04/09 22:45:31

Thank you very much avij for your quick response! rpm -q openssl does say openssl-1.01.1e-16.el6_5.7.x86_64....yay!
Last edited by tdemers on 2014/04/09 23:16:46, edited 1 time in total.

Post by redtaped » 2014/04/09 22:49:48

I'm trying to use yum update openssl, and I'm getting some errors under "Transaction Check Error". I've searched the internet, and don't know how to solve this. I don't have any 386 programs installed, and I've tried changing repos and cleaning... but the problem persists. Any help would be greatly appreciated!

```
[root@u15893291 yum.repos.d]# yum update openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* remi: mirrors.mediatemple.net
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1c-1.el6 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================
Updating:
openssl x86_64 1.0.1e-16.el6_5.7 updates 1.5 M

Transaction Summary
===================================================================================================================================
Upgrade 1 Package(s)

Total size: 1.5 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test


Transaction Check Error:
file /etc/pki/tls/openssl.cnf from install of openssl-1.0.1e-16.el6_5.7.x86_64 conflicts with file from package openssl-libs-1.0.1c-1.el6.x86_64
file /usr/lib64/libssl.so.10 from install of openssl-1.0.1e-16.el6_5.7.x86_64 conflicts with file from package openssl-libs-1.0.1c-1.el6.x86_64
file /usr/lib64/openssl/engines/lib4758cca.so from install of openssl-1.0.1e-16.el6_5.7.x86_64 conflicts with file from package openssl-libs-1.0.1c-1.el6.x86_64
file /usr/lib64/openssl/engines/libaep.so from install of openssl-1.0.1e-16.el6_5.7.x86_64 conflicts with file from package openssl-libs-1.0.1c-1.el6.x86_64
file /usr/lib64/openssl/engines/libatalla.so from install of openssl-1.0.1e-16.el6_5.7.x86_64 conflicts with file from package openssl-libs-1.0.1c-1.el6.x86_64
file /usr/lib64/openssl/engines/libcapi.so from install of openssl-1.0.1e-16.el6_5.7.x86_64 conflicts with file from package openssl-libs-1.0.1c-1.el6.x86_64
file /usr/lib64/openssl/engines/libchil.so from install of openssl-1.0.1e-16.el6_5.7.x86_64 conflicts with file from package openssl-libs-1.0.1c-1.el6.x86_64
file /usr/lib64/openssl/engines/libcswift.so from install of openssl-1.0.1e-16.el6_5.7.x86_64 conflicts with file from package openssl-libs-1.0.1c-1.el6.x86_64
file /usr/lib64/openssl/engines/libgmp.so from install of openssl-1.0.1e-16.el6_5.7.x86_64 conflicts with file from package openssl-libs-1.0.1c-1.el6.x86_64
file /usr/lib64/openssl/engines/libnuron.so from install of openssl-1.0.1e-16.el6_5.7.x86_64 conflicts with file from package openssl-libs-1.0.1c-1.el6.x86_64
file /usr/lib64/openssl/engines/libpadlock.so from install of openssl-1.0.1e-16.el6_5.7.x86_64 conflicts with file from package openssl-libs-1.0.1c-1.el6.x86_64
file /usr/lib64/openssl/engines/libsureware.so from install of openssl-1.0.1e-16.el6_5.7.x86_64 conflicts with file from package openssl-libs-1.0.1c-1.el6.x86_64
file /usr/lib64/openssl/engines/libubsec.so from install of openssl-1.0.1e-16.el6_5.7.x86_64 conflicts with file from package openssl-libs-1.0.1c-1.el6.x86_64
```

Post by avij » 2014/04/09 22:56:33

redtaped: See viewtopic.php?f=13&t=45839 for discussion about the conflicting non-CentOS package openssl-libs.

Post by TrevorH » 2014/04/09 23:04:40

I think you will need to use the `yum shell` command to remove those axivo packages and install the correct CentOS ones in a single transaction. To do this (I am making this up as I go along so please be careful!) you need to use `rpm -qa openssl\*` and obtain a list of the currently installed packages. Now use `yum list available openssl\*` to find the CentOS versions of those and their names and match up what you have installed now with what's available from CentOS. The openssl-libs package is part of openssl itself on CentOS. Then you run yum shell and do something like

```
remove openssl openssl-libs openssl-the-other...
install openssl
run
```

Then stand back and pray to &deity and hope that it works!

I fired up a VM and tested this. It works for me. I grabbed the latest axivo rpms for openssl and openssl-libs and installed those over the top of the CentOS supplied (and already fixed) openssl-1.0.1e-16.el6_5.7.x86_64. Then I ran `yum shell` and typed

```
remove openssl openssl-libs
install openssl
run
```

It downloads the CentOS package, removes the axivo ones, installs the CentOS one and completes without error.

Post by redtaped » 2014/04/10 00:20:01

Thank you TrevorH. Unfortunately, being the stupid man I am, I had difficulty removing openssl-libs etc... so I removed them using rpm -e --nodeps.
That was a big mistake, and now yum doesn't work, looking for libcrypto.so.10.

This is outside the scope of this forum, and from my research it seems like I'm going to have to do a wipe/re-install.
