New OpenSSL patch due tomorrow, do I need to update??

cb_vyke
Posts: 2
Joined: 2015/07/08 15:03:42

New OpenSSL patch due tomorrow, do I need to update??

Post by cb_vyke » 2015/07/08 15:13:16

Hi guys, seems there's another OpenSSL patch release tomorrow for another vulnerability. I'm currently running OpenSSL version 1.0.1e-fips but can not clearly determine if this version needs updating? Can anyone advise? I'm assuming 1.0.1p covers all versions of 1.0.1, so take it I need to update? Also when would any updates be released by the Centos community?
Security advisory and announcements below...
http://searchsecurity.techtarget.com/ne ... src=901674
https://mta.openssl.org/pipermail/opens ... 00037.html

Thanks.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: New OpenSSL patch due tomorrow, do I need to update??

Post by TrevorH » 2015/07/08 15:29:59

We don't yet know as the details of the vulnerability are secret until tomorrow. Once the embargo on the details is lifted the procedure will be that we wait until Redhat patch and release their packages for RHEL5, 6 and 7. Once the SRPMs (or git for el7) are published then they will be downloaded by the CentOS devs and rebuilt for the relevant CentOS versions and then tested and pushed to the mirror network. The mirror network will then replicate round the world and the packages will be available once they hit the particular mirror that your copy of yum chooses.

The maintainers at Redhat almost certainly have knowledge of the details of the vulnerability already but they are under NDA until the embargo on releasing the details is lifted. Once that happens, we are dependent on Redhat making the fixed packages available. Once they are available, they need to be rebuilt which takes somewhere between minutes and hours depending on the size of the package and how long it takes. The resulting binary packages are then tested to make sure they install and appear to function and then they are signed and pushed to the master mirror servers.

I suspect the vulnerability is not applicable to CentOS 5 as the openssl announcement that you linked to says it does not apply to 0.9.8 and that's what CentOS 5 uses. Both CentOS 6 and 7 use 1.0.1e and the fix will be backported from whatever openssl release to that version in common with the normal Redhat backporting process detailed at https://access.redhat.com/security/updates/backporting
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
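Because of the backporting TrevorH describes, `openssl version` keeps reporting 1.0.1e on CentOS 6 and 7 even after the fix lands, so the version string alone cannot answer the question in the first post. The following is an added example (not from the thread or from CentOS/Red Hat) of checking the RPM changelog instead; `CVE-YYYY-NNNN` is a placeholder for the advisory's real id and the sample changelog text is constructed.

```shell
#!/bin/sh
# Added example: decide whether a backported OpenSSL fix is installed by
# looking for the CVE id in the package changelog rather than at the
# version string, which stays 1.0.1e on CentOS 6/7 after a backport.

# Return 0 if the changelog text ($2) mentions the CVE id ($1).
changelog_has_cve() {
    cve="$1"
    changelog="$2"
    printf '%s\n' "$changelog" | grep -q -- "$cve"
}

# Print the version-release of the first changelog entry naming the CVE,
# i.e. the build you should expect to see on the mirrors. Prints nothing
# if no entry mentions it.
cve_fix_release() {
    cve="$1"
    changelog="$2"
    printf '%s\n' "$changelog" | awk -v cve="$cve" '
        /^\*/ { rel = $NF }                       # "* date packager ver-rel"
        index($0, cve) && rel != "" { print rel; exit }
    '
}

# Run against the live system: rpm -q --changelog is the real query.
check_installed_openssl() {
    cve="$1"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; cannot check" >&2
        return 2
    fi
    changelog_has_cve "$cve" "$(rpm -q --changelog openssl 2>/dev/null)"
}

# Constructed sample changelogs (placeholder CVE id and release numbers).
PATCHED_SAMPLE='* Thu Jul 09 2015 Packager <packager@example.invalid> 1.0.1e-42.el6
- fix CVE-YYYY-NNNN - placeholder description of the backported fix
* Tue Jun 23 2015 Packager <packager@example.invalid> 1.0.1e-41.el6
- earlier unrelated change'
UNPATCHED_SAMPLE='* Tue Jun 23 2015 Packager <packager@example.invalid> 1.0.1e-41.el6
- earlier unrelated change'

if changelog_has_cve "CVE-YYYY-NNNN" "$PATCHED_SAMPLE"; then
    echo "sample: fixed in $(cve_fix_release CVE-YYYY-NNNN "$PATCHED_SAMPLE")"
fi
```

On a real host, `check_installed_openssl CVE-YYYY-NNNN` returns 0 once the rebuilt package has reached your mirror and been installed, 1 while it has not.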

cb_vyke
Posts: 2
Joined: 2015/07/08 15:03:42

Re: New OpenSSL patch due tomorrow, do I need to update??

Post by cb_vyke » 2015/07/08 16:58:05

Ok, thanks TrevorH.
So seems we just watch this space for now....

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: New OpenSSL patch due tomorrow, do I need to update??

Post by aks » 2015/07/08 18:10:02

It's quite a tough call.
On one hand you're developing open software where all problems should be out in the open. On the other hand, there are people who may exploit the problem as soon as they know about it - and if it's all public they may know about it as soon as they look at the public forums/comments etc...
I'm not yet sure of the origins of the problem, but kudos to the OpenSSL team (who have had a lot of unnecessary crap thrown at them of late) for taking the "middle road".

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: New OpenSSL patch due tomorrow, do I need to update??

Post by TrevorH » 2015/07/09 13:18:25

So the update is out and the Redhat page behind the paywall apparently says that no action is required as no Redhat products are affected. This applies equally to CentOS.

https://access.redhat.com/solutions/1523323
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
