openssl security risk

Support for security such as Firewalls and securing linux
fredvps
Posts: 61
Joined: 2014/03/13 22:05:19

openssl security risk

Post by fredvps » 2015/05/26 10:45:42

The latest openssl I can get from yum is 1.0.1e which is a known security risk.
I believe the latest openssl is 1.0.1g

can you make the latest openssl available please.
while I chose centos because of the enterprise nature I think openssl needs to be
kept permanently up to date as a matter of course.

thanks

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssl security risk

Post by TrevorH » 2015/05/26 11:07:37

It is. Please read https://access.redhat.com/security/updates/backporting for information on how security fixes are backported from the current codebase to the one shipped by RHEL/CentOS.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

fredvps
Posts: 61
Joined: 2014/03/13 22:05:19

Re: openssl security risk

Post by fredvps » 2015/05/26 15:06:49

Thanks for the information Trevor.
It seems to me the dumbest possible way to update software.

Is there somewhere I can go to see at a glance exactly what version of openssl I actually have installed?
And just as pointy - who, when, where and why it was last modified?

thanks

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: openssl security risk

Post by stevemowbray » 2015/05/26 15:16:08

rpm -q --changelog openssl | less

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssl security risk

Post by TrevorH » 2015/05/26 17:30:26

The point is that new versions from upstream people often include a shed load of new functionality and, often, changes in the way things operate. The way that RH backport security fixes means that you can predict that no new functions (introducing broken features or new security bugs) will be brought in and only the fix for the actual issue is present. The software continues to work in the same way and interoperate with the other packages in the same way.

fredvps
Posts: 61
Joined: 2014/03/13 22:05:19

Re: openssl security risk

Post by fredvps » 2015/05/27 11:00:32

Thanks guys - I understand the issues now however the situation is still far from good.
I shouldn't need to understand the issues of backporting but I do need to know what I have installed.

How about renaming a backported file - say "openssl-V1.0.1e-backport-tolevel-1.0.1g.rpm" or whatever
level it is.
That would make it all instantly clear.
For most software I don't expect it is too much of a problem but for SSL I'd suggest more care is needed.

Even running steve's CVE suggestion I don't know what level of fix that gives me without spending a week trawling
through bugfix docs. And SSL is a crucial but very tiny part of my working day - I just don't have time for that.
I need to rely on something fast and simple when a security issue is flagged.

Is the current one at g level or not - I still don't know.

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: openssl security risk

Post by stevemowbray » 2015/05/27 15:42:42

If you've done a "yum update" then you will have all the security fixes currently released.

Naming of packages is a matter for Red Hat, CentOS just rebuilds what they provide.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: openssl security risk

Post by avij » 2015/05/27 15:55:48

To specifically answer your question: No, you don't have 1.0.1g. You have 1.0.1e, with some cherry-picked fixes from later versions. This is the idea of backporting, and the reason why the version string stays as 1.0.1e.

As far as I'm aware, all the known vulnerabilities have been taken care of in the latest openssl builds. If you are concerned about some specific CVE, you can do a rpm -q --changelog openssl | grep CVE to see if that CVE has been taken care of. Please also note that not all vulnerabilities affect RH's version of OpenSSL, for various reasons. Perhaps the vulnerable feature has not been compiled in, for example. I usually go to bugzilla.redhat.com and enter the CVE into the search box to see the details.

What you may not have fully understood yet is that bumping the version is not always a clear cut case. For example, a newer version of some software may have stopped supporting some command line option or a configuration directive. RH avoids this problem by backporting only the required changes, while making sure the changes won't break anyone's expectations. There are many systems out there that run "yum update" automatically every night. Imagine the sysadmin reactions if an update breaks something and they end up with a dozen broken webservers that need to be fixed immediately. This is the "enterprise" aspect of things.
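A small script in the spirit of the `rpm -q --changelog openssl | grep CVE` advice in this thread, added here as an example (not code from any poster, CentOS or Red Hat): it pulls the package changelog, lists every CVE id the backported fixes mention, and answers "is this CVE fixed in what I have installed" with an exit status. The changelog text embedded below is a constructed sample in rpm changelog format with placeholder CVE ids, used only when `rpm` is not on the machine.

```shell
#!/bin/sh
# Constructed sample changelog (placeholder CVE ids, not real advisories),
# shaped like the output of "rpm -q --changelog openssl".
SAMPLE_CHANGELOG='* Tue May 26 2015 Example Maintainer <maint@example.com> 1.0.1e-42
- fix CVE-0000-0001 (constructed placeholder)
- fix CVE-0000-0002 (constructed placeholder)

* Mon Apr 13 2015 Example Maintainer <maint@example.com> 1.0.1e-41
- fix CVE-0000-0003 (constructed placeholder)
'

# Emit the changelog of an installed package; fall back to the constructed
# sample when rpm is absent so the script still runs for demonstration.
get_changelog() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog "$1"
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}

# Print each distinct CVE id mentioned in the changelog read from stdin.
list_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the CVE id given as $1 is mentioned in the changelog on stdin.
# The boundary checks stop CVE-0000-0002 from matching CVE-0000-00021.
changelog_mentions_cve() {
    grep -qiE "(^|[^0-9A-Za-z-])$1([^0-9]|$)"
}

# Print the version-release from the newest changelog entry (first "*" line),
# which is the "1.0.1e-NN" string that never changes to "1.0.1g" on a backport.
latest_release() {
    sed -n '/^\*/{p;q;}' | awk '{print $NF}'
}

# Stand-alone usage: show what fixes the installed openssl changelog records.
get_changelog openssl | list_cves
```

On a real CentOS host, `get_changelog openssl | changelog_mentions_cve CVE-YYYY-NNNN && echo fixed` is the one-line answer to "has that CVE been taken care of", with the package version string left exactly as avij describes.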
