openssl 1.0.1e "Heartbleed" CentOS 6.5 vulnerability status

Support for security such as Firewalls and securing linux
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

openssl 1.0.1e "Heartbleed" CentOS 6.5 vulnerability status

Post by TrevorH » 2014/04/08 21:26:47

CVE-2014-0160 describes a serious problem in openssl releases > 1.0.0 and fixed in 1.0.1g.

All versions of CentOS 5 and CentOS 6 are not vulnerable to this problem except CentOS 6.5. CentOS 6.5 introduced this problem when openssl was rebased from 1.0.0 to 1.0.1e. Fixed packages containing a backported patch were released overnight 2014/04/08 and should have replicated to all CentOS mirrors by now. All users of CentOS 6.5 should `yum update openssl` and check that they subsequently have openssl-1.0.1e-16.el6_5.7 or higher installed. If the package is updated then you should check which services are using it by running

Code:

    lsof -n | grep ssl | grep -i del

This will list the processes that still use the (now deleted) libssl libraries and anything that is listed should be restarted (or a reboot performed).

Anyone who is using mod_spdy from Google is advised that it appears that this module has static copies of the affected openssl code embedded in it and until such time as they release a new version, anyone using mod_spdy on their web server is still vulnerable even if they have openssl-1.0.1e-16.el6_5.7 installed. A recent post here says that they have updated it to fix the problem. Users of mod_spdy should update ASAP.

It's also reported that OpenVPN AS Server prior to version 2.0.6 is vulnerable. This is not a CentOS supplied package but a download specifically from openvpn.org.

It is unknown if there are exploits in use in the wild prior to the fix being released and if you have services using TLS exposed to the internet then you should consider having your SSL certificate provider revoke and reissue your SSL certificate using a new key.

Again, users of CentOS 5 (all versions) and CentOS 6 prior to 6.5 are unaffected by this vulnerability. The vulnerability was introduced by the openssl-1.0.1e packages that were introduced with the release of 6.5 (specifically, openssl versions from 1.0.1e-15.el6 through 1.0.1e-16.el6_5.4).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
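As an added example, not part of TrevorH's post and not any CentOS or Red Hat tooling, the script below automates the two checks the post asks for: whether the installed openssl build is in the affected range (1.0.1e-15.el6 up to the fixed 1.0.1e-16.el6_5.7), and which running processes still map the deleted pre-update libraries. It assumes a simplified version of rpm's version comparison (enough for the el6 openssl builds named in the post, but not a full rpmvercmp), the `lsof -n` sample is constructed rather than captured from a host, the version strings in the demo loop are illustrative, and libcrypto is included alongside libssl because it ships in the same package.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies the two things the post
# asks a CentOS 6.5 admin to check after `yum update openssl`: that the
# installed build is at or above openssl-1.0.1e-16.el6_5.7, and which running
# processes still map the deleted (pre-update) libssl/libcrypto and need a restart.

# Split an RPM version-release string into alphanumeric segments separated by
# single spaces: "1.0.1e-16.el6_5.7" -> "1 0 1 e 16 el 6 5 7".
# Digits and letters are split from each other, as rpmvercmp does.
rpm_segments() {
    printf '%s\n' "$1" |
        sed -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
            -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' |
        tr -c '[:alnum:]' ' '
}

# Return 0 when version-release $1 sorts at or above $2.
# Assumption: a simplified rpmvercmp, enough for the el6 openssl builds named
# in the post: numeric segments compare as numbers (so 10 > 7, unlike a plain
# string sort), a numeric segment beats an alphabetic one, and when one side
# runs out of segments the string with more segments is the newer one.
ver_ge() {
    awk -v a="$(rpm_segments "$1")" -v b="$(rpm_segments "$2")" 'BEGIN {
        na = split(a, A, " "); nb = split(b, B, " ")
        n = (na < nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (A[i] == B[i]) continue
            an = (A[i] ~ /^[0-9]+$/); bn = (B[i] ~ /^[0-9]+$/)
            if (an && bn) exit ((A[i] + 0 >= B[i] + 0) ? 0 : 1)
            if (an != bn) exit (an ? 0 : 1)
            exit ((A[i] > B[i]) ? 0 : 1)
        }
        exit ((na >= nb) ? 0 : 1)
    }'
}

# Exit 0 when an installed openssl version-release, as printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
# falls in the range the post calls affected: 1.0.1e-15.el6 up to, but not
# including, the fixed build 1.0.1e-16.el6_5.7. The 1.0.0 builds of earlier
# CentOS 6 releases and anything at or above the fix are reported unaffected.
heartbleed_vulnerable() {
    ver_ge "$1" "1.0.1e-15.el6" && ! ver_ge "$1" "1.0.1e-16.el6_5.7"
}

# Read `lsof -n` output on stdin and print "PID COMMAND" for every process that
# still maps a deleted libssl or libcrypto. The post greps for "ssl" only;
# libcrypto is added here on the assumption that it is worth restarting those
# users too, since it comes from the same package and the same update.
stale_ssl_users() {
    awk '/\(deleted\)[[:space:]]*$/ && /lib(ssl|crypto)\.so/ { print $2, $1 }' | sort -u
}

# Constructed sample of `lsof -n` output (not captured from a real host):
# httpd and sshd were started before the update and hold the old libraries;
# postfix was restarted afterwards and maps the new copy.
SAMPLE_LSOF='COMMAND    PID    USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd     2345    root mem    REG  253,0   444776 1234 /usr/lib64/libssl.so.1.0.1e (deleted)
httpd     2345    root mem    REG  253,0  1996408 1235 /usr/lib64/libcrypto.so.1.0.1e (deleted)
sshd      1100    root mem    REG  253,0  1996408 1235 /usr/lib64/libcrypto.so.1.0.1e (deleted)
postfix   1200 postfix mem    REG  253,0   444776 1300 /usr/lib64/libssl.so.1.0.1e
bash      3001     tvh txt    REG  253,0   938736 2001 /bin/bash'

# Stand-alone demo on illustrative version strings and the constructed data.
# On a real CentOS 6.5 host the equivalent calls are:
#   heartbleed_vulnerable "$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl)"
#   lsof -n | stale_ssl_users
for vr in 1.0.0-27.el6 1.0.1e-16.el6_5.4 1.0.1e-16.el6_5.7 1.0.1e-16.el6_5.14; do
    if heartbleed_vulnerable "$vr"; then
        echo "openssl-$vr: affected, update and restart services"
    else
        echo "openssl-$vr: not affected"
    fi
done
echo "processes still using deleted libssl/libcrypto:"
printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_users
```

The numeric segment comparison is the part worth keeping: a plain `sort` or string compare would rank 1.0.1e-16.el6_5.10 below 1.0.1e-16.el6_5.7 and report a patched host as still affected. The `(deleted)` filter reads the same lsof column the post's `grep -i del` does, so a process listed here has the old library text mapped regardless of what `rpm -q` now says.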

TrevorH
Site Admin

Re: openssl 1.0.1e "Heartbleed" CentOS 6.5 vulnerability sta

Post by TrevorH » 2014/06/22 03:13:39

Topic now unlocked and removed from sticky list since the fuss about heartbleed has now died down.
