CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Support for security such as Firewalls and securing linux
peopleinside
Posts: 67
Joined: 2013/11/13 10:41:22

CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Post by peopleinside » 2016/06/06 15:53:08

Hi,
is there an OpenSSL update available to fix this serious security issue?
Thanks.


TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Post by TrevorH » 2016/06/06 16:15:07

"Impact: Moderate"

Update to 6.8 and get openssl-1.0.1e-48.el6_8.1.x86_64
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

asche
Posts: 2
Joined: 2016/06/11 08:42:37

Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Post by asche » 2016/06/11 08:56:12

Hello,

I'm just wondering why the online tests
- https://filippo.io/CVE-2016-2107/
- http://www.ssllabs.com
say that my server is vulnerable.

I installed the latest updates and also restarted nginx.


server:~$ rpm -q --changelog "openssl" | head -n 7
* Mo Mai 02 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.1
- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
- fix CVE-2016-0799 - memory issues in BIO_printf


server:~$ yum info openssl
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 48.el6_8.1
Size        : 4.0 M
Repo        : installed
From repo   : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.
Any idea?

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Post by TrevorH » 2016/06/11 09:02:53

Where did you get nginx from?

asche
Posts: 2
Joined: 2016/06/11 08:42:37

Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Post by asche » 2016/06/13 14:29:17

TrevorH wrote: Where did you get nginx from?
Thanks for the tip.
The nginx package came with an old openssl version.
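The thread's outcome (system openssl patched, scanner still red because the third-party nginx shipped its own OpenSSL) can be checked on a host instead of waiting for an external scan. The script below is an added example, not code posted in this thread; it reads saved `rpm -q --changelog openssl` and `ldd` output, and the sample data used in its comments is constructed.

```shell
#!/bin/sh
# Added example: is a CentOS 6 host really covered by the openssl-1.0.1e-48.el6_8.1
# fix for CVE-2016-2107, or does a service binary (nginx here) carry its own
# OpenSSL that the package update never touched?  Each check reads the relevant
# command output on stdin so it also works on output saved from another host.

# 1. Does the installed openssl package's changelog carry the fix for the given CVE?
#    Usage: rpm -q --changelog openssl | changelog_has_fix CVE-2016-2107
#    (The trailing space keeps CVE-2016-2107 from matching a longer id.)
changelog_has_fix() {
    grep -q -e "fix $1 "
}

# 2. Does a binary load the *system* libssl?  Usage: ldd /path/to/nginx | uses_system_libssl
#    A statically linked or vendor-bundled OpenSSL shows no libssl line under
#    /lib, /lib64, /usr/lib or /usr/lib64, so the rpm update cannot reach that process.
uses_system_libssl() {
    grep -Eq '^[[:space:]]*libssl\.so[^ ]* => /(usr/)?lib(64)?/'
}

# 3. Which OpenSSL does nginx say it was built with?  Usage: nginx -V 2>&1 | nginx_openssl_build
#    On RHEL/CentOS the version string (1.0.1e-fips ...) does not change when fixes
#    are backported, so this identifies a foreign build, not the patch level; the
#    changelog check above is what tells you whether CVE-2016-2107 is fixed.
nginx_openssl_build() {
    sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# Combined verdict: true only when the package is patched AND nginx uses that library.
# Arguments: file with changelog output, file with ldd output.
covered() {
    changelog_has_fix CVE-2016-2107 < "$1" && uses_system_libssl < "$2"
}

# Stand-alone use on the host:
#   rpm -q --changelog openssl > /tmp/chlog; ldd "$(command -v nginx)" > /tmp/ldd
#   sh check_2107.sh /tmp/chlog /tmp/ldd
if [ $# -eq 2 ]; then
    if covered "$1" "$2"; then
        echo "covered: openssl changelog lists CVE-2016-2107 and nginx links the system libssl"
    else
        echo "NOT covered: either openssl is unpatched or nginx brings its own OpenSSL"
        exit 1
    fi
fi
```

The third check explains the symptom in the thread: an `nginx -V` line reading `built with OpenSSL 1.0.1e-fips 11 Feb 2013` looks identical for a patched and an unpatched build, so only the changelog and the `ldd` path reveal which library the process actually uses.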
