Trying to install mod_ssl on 5.5 and yum is broken

General support questions including new installations
mdiehl
Posts: 1
Joined: 2018/01/26 21:51:33

Trying to install mod_ssl on 5.5 and yum is broken

Postby mdiehl » 2018/01/26 21:59:36

Hi all,

I just inherited the support task for a CentOs 5.5 server. Now the customer needs Apache mod_ssl installed.

Of course the repo is broken. I know that.

I've modified /etc/yum.repos.d/CentOS-Base.repo and pointed it to a different version on vault. Still can't do a yum install mod_ssl

Here is my /etc/yum.repos.d/CentOS-Base.repo:

===================================
[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://vault.centos.org/5.11/os/x86_64/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
baseurl=http://vault.centos.org/5.11/os/x86_64/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
#baseurl=http://mirror.centos.org/centos/$releasever/addons/$basearch/
baseurl=http://vault.centos.org/5.11/os/x86_64/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
baseurl=http://vault.centos.org/5.11/os/x86_64/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
baseurl=http://vault.centos.org/5.11/os/x86_64/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
#baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
baseurl=http://vault.centos.org/5.11/os/x86_64/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
===================================

I _THINK_ I did this right....

Any other suggestions?

Thanks in advance,

Mike Diehl.

User avatar
avij
Forum Moderator
Posts: 2273
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: Trying to install mod_ssl on 5.5 and yum is broken

Postby avij » 2018/01/27 21:59:04

You need to comment out all mirrorlist=... rows. Additionally, all the repositories should have a different path. For example, your [updates} repository points to http://vault.centos.org/5.11/os/x86_64/ even though it should point to http://vault.centos.org/5.11/updates/x86_64/

Also, you should be aware that it's fairly irresponsible to deploy EOL software. At least the following CVEs may apply to you:
CentOS 7 mod_ssl changelog wrote:* Tue Sep 19 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-67.5
- Resolves: #1493064 - CVE-2017-9798 httpd: Use-after-free by limiting unregistered HTTP method

* Wed Jul 26 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-67.2
- Resolves: #1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
- Resolves: #1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
- Resolves: #1463207 - CVE-2017-7679 httpd: mod_mime buffer overread
- Resolves: #1463205 - CVE-2017-7668 httpd: ap_find_token() buffer overread
- Resolves: #1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest

* Wed Mar 22 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-63
- Related: #1412976 - CVE-2016-0736 CVE-2016-2161 CVE-2016-8743
httpd: various flaws

And the kernel of CentOS 5 has its own share of security issues, which will no longer get fixed due to EOL status of CentOS 5. Consider telling your customer to move to a newer still supported release before they get hacked due to these security issues.