Page 1 of 1

openss 1.3.2

Posted: 2012/04/19 21:03:27
by rvakili
Hi All,

I, am sure, you are aware of the Multiple vulnerabilities were reported in the ASN.1 parsing code in OpenSSL. I am wondering as how to update my openssl.

With many thanks in advance.

openss 1.3.2

Posted: 2012/04/19 23:43:53
by pschaff
Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

[url=http://wiki.centos.org/FAQ/General#head-472ce8446ebcfc82ca1800f775ba0e629ac835c7]FAQ#20. Where can I get the latest version of XyZ.rpm for CentOS? I cannot find it anywhere.[/url]

Pay attention to the part about backporting.

Re: openss 1.3.2

Posted: 2012/04/20 00:57:21
by TrevorH
I can't see any vulnerabilities in the ASN.1 parsing in openssl listed [url=http://www.openssl.org/news/vulnerabilities.html]here[/url] newer than 2009 and they're fixed in openssl 0.9.8k so CentOS 6 is not vulnerable with its openssl-1.0.0-20.el6_2.3 package. On CentOS 5 you can check for specific CVE numbers by running, e.g.

[code]
$ rpm -q --changelog openssl | grep CVE-2009-0590
- fix CVE-2009-0590 - reject incorrectly encoded ASN.1 strings (#492304)
$ rpm -q openssl
openssl-0.9.8e-22.el5_8.1
[/code]