OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Support for security such as Firewalls and securing linux
amrajkamal
Posts: 4
Joined: 2015/03/04 12:02:52

OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Postby amrajkamal » 2015/03/04 12:09:45

Hi Team,

I came to know CENTOS 5 will be supported till 2017.
But, CENTOS comes with an OpenSSL version of 0.9.8 which has an EOL by December 2015.

I want to know how CENTOS will provide security fixes for OpenSSL 0.9.8 (for vulnerabilities) on CENTOS 5.X post December 2015 (i.e. for almost 2 more years).

Awaiting your inputs/answers.

Best regards,
Raj Kamal.

TrevorH
Forum Moderator
Posts: 21018
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Postby TrevorH » 2015/03/04 14:17:45

Redhat provide the support and backport fixes from newer versions. Same way that it works for all the other EOL packages in CentOS 5 (and 6 and 7!)
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

amrajkamal
Posts: 4
Joined: 2015/03/04 12:02:52

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Postby amrajkamal » 2015/03/05 06:20:20

Hi,

Thank you for your prompt response.

My question was: "OpenSSL.org" themselves don't support 0.9.8 post December 2015 @ https://www.openssl.org/blog/blog/2014/12/23/the-new-release-strategy/
"Back in October we announced the End Of Life of version 0.9.8. This version is currently only receiving security updates, and support will cease completely on 31st December 2015"

So, will Redhat/CentOS take the ownership of FIXING any new upcoming vulnerabilities post Dec' 2015?

Will REDHAT/CENTOS take the responsibility to find a solution and fix vulnerabilities, because there is nothing to BACKPORT from OpenSSL.org post Dec' 2015 for the 0.9.8 version, and continue supporting the 0.9.8 RPM package till 2017 for CentOS 5.X? (This was the intention behind my post.)

Regards,
Murali.

TrevorH
Forum Moderator
Posts: 21018
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Postby TrevorH » 2015/03/05 10:41:24

Redhat already have responsibility for fixing the bugs in the copy we use. The current version of openssl 0.9.8 from the openssl website is 0.9.8ze and the version in CentOS 5 is openssl-0.9.8e-32.el5_11.x86_64, yet the latest entry in the rpm changelog is dated "* Wed Dec 17 2014 Tomas Mraz <tmraz at redhat.com> 0.9.8e-32"

Please read https://access.redhat.com/security/updates/backporting for more info about the policy that Redhat use.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke
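A practical way to act on the backporting policy described in the post above, added here as an example (it is not code from the thread, from Red Hat or from CentOS): the upstream release letter (0.9.8ze) says nothing about whether a given CVE is fixed in the CentOS package (0.9.8e-32.el5_11), so query the RPM changelog for the CVE ID instead. The changelog excerpt embedded in the script is constructed so that it runs offline: the first header line echoes the one quoted in the post, but the remaining lines and the CVE-0000-000x identifiers are placeholders, not real CVEs or real Red Hat changelog entries. On a CentOS 5 host you would pipe `rpm -q --changelog openssl` into the functions instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from Red Hat/CentOS.
# Point: with backported fixes the upstream version string (0.9.8ze) tells you
# nothing about the CentOS package (0.9.8e-32.el5_11); the rpm changelog does.
# On a real host the changelog comes from:   rpm -q --changelog openssl
# A constructed excerpt is embedded below so the script runs offline; the
# CVE IDs in it (CVE-0000-000x) are placeholders, not real CVEs, and only the
# first header line is taken from the thread.

SAMPLE_CHANGELOG='* Wed Dec 17 2014 Tomas Mraz <tmraz at redhat.com> 0.9.8e-32
- fix CVE-0000-0001 - placeholder entry for a backported fix
- fix CVE-0000-0002 - placeholder entry for a backported fix
* Mon Oct 20 2014 Tomas Mraz <tmraz at redhat.com> 0.9.8e-31
- fix CVE-0000-0003 - placeholder entry for an earlier backported fix'

# fixed_release CVE-ID   (changelog on stdin)
# Prints the version-release of the newest changelog entry that names the CVE,
# or nothing if no entry does.  Each "* date author ver-rel" header starts an
# entry and its last field is the version-release.  The CVE is compared as a
# whole token (trailing punctuation stripped) so CVE-0000-000 does not match
# CVE-0000-0001.
fixed_release() {
    awk -v cve="$1" '
        /^\* / { rel = $NF; next }
        rel != "" {
            for (i = 1; i <= NF; i++) {
                f = $i
                sub(/[,;:.)]+$/, "", f)
                if (f == cve) { print rel; exit }
            }
        }
    '
}

# cve_in_changelog CVE-ID   (changelog on stdin)
# Exit 0 when the changelog records a fix for the CVE, 1 otherwise.
cve_in_changelog() {
    rel=$(fixed_release "$1")
    [ -n "$rel" ]
}

# Demonstration against the constructed excerpt.  On CentOS 5 you would run:
#   rpm -q --changelog openssl | fixed_release CVE-YYYY-NNNN
for id in CVE-0000-0001 CVE-0000-0003 CVE-0000-9999; do
    if rel=$(printf '%s\n' "$SAMPLE_CHANGELOG" | fixed_release "$id") && [ -n "$rel" ]; then
        echo "$id: fixed in openssl-$rel (backported; upstream version unchanged)"
    else
        echo "$id: no fix recorded - check the vendor CVE page before assuming exposure"
    fi
done
```

The caveat is the converse case: an absent changelog entry does not prove the package is vulnerable, since the vendor may have rated the issue as not affecting its build or fixed it under a different identifier, so a missing hit should send you to the vendor's CVE page rather than straight to a verdict.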

amrajkamal
Posts: 4
Joined: 2015/03/04 12:02:52

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Postby amrajkamal » 2015/03/05 12:28:09

Hi,

Thank you once again for the quick response.

I went through the link about "Backporting Security Fixes" posted below and understood the concept of "backporting" with the given example of RHEL 6 and PHP 5.3.

But, the example case above is subtly different from the case of OpenSSL, let me quote:

Say, in January 2016/2017, there comes an announcement about a vulnerability in OpenSSL 0.9.8 version, but not on 1.0.0 or higher (because of change in architecture of OpenSSL 1.0.0 or higher); At this point in time, OpenSSL wouldn't research to fix the issue, because 0.9.8 is EOL.
Now, does RHEL/CENTOS do the necessary research to FIX the issue of 0.9.8 (because there is no fix given by OpenSSL in 1.0.0 or higher to BACKPORT). This is the clarity I am looking for.

And the below link about "Backporting Security Fixes" talks only about issues/vulnerabilities that are "fixed/addressed in upstream"

Hope you got more clarity about my question.

Regards,
Murali Raj Kamal.

TrevorH
Forum Moderator
Posts: 21018
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Postby TrevorH » 2015/03/05 12:34:06

The fix would be backported from a newer openssl release.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

amrajkamal
Posts: 4
Joined: 2015/03/04 12:02:52

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Postby amrajkamal » 2015/03/06 10:51:21

Hi,

Let me highlight my question:

Say, in January 2016/2017, there comes an announcement about a vulnerability in OpenSSL 0.9.8 version, but not on 1.0.0 or higher (because of change in architecture of OpenSSL 1.0.0 or higher);

At this point in time, OpenSSL WOULD NOT research to fix the issue, because 0.9.8 is EOL.

Now, does RHEL/CENTOS do the necessary research to FIX the issue of 0.9.8 (because there is NO FIX to BACKPORT given by OpenSSL in 1.0.0 or higher)

How does RHEL/CENTOS address above situation (of nothing to backport from a latest upstream version, because that vulnerability might not exist in latest version of OpenSSL)

Regards,
Murali.

TrevorH
Forum Moderator
Posts: 21018
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Postby TrevorH » 2015/03/06 12:52:40

These questions would really need to be addressed to Redhat but I would expect them to fix it. CentOS does not fix things, it only repackages what Redhat provides to its customers. If you want the word straight from the horses mouth then you need to ask Redhat.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

gulikoza
Posts: 181
Joined: 2007/05/06 20:15:23

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Postby gulikoza » 2015/03/07 08:31:24

The "whatever change in architecture" that fixes the problem for 1.0.0 or higher is then backported to 0.9.8 (or an individual fix that corrects the problem is developed)
Similar development can be seen in kernel fixes...2.6.18 and 2.6.32 (for EL6) are long not supported anymore, but any bugs are fixed by either backporting the functionality from newer kernels or developing a fix to mitigate the issue if backporting is not an option due to functionality changes.

edit: I stand corrected, 2.6.32 is actually still supported until mid-2015...but since a lot of features have also been backported from newer kernels, I'd assume Redhat needs to develop fixes independently and not use kernel.org's latest 2.6.32 releases...

AlanBartlett
Forum Moderator
Posts: 9311
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: OpenSSL 0.9.8 support on CENTOS 5.X post December 2015

Postby AlanBartlett » 2015/03/07 16:23:14

gulikoza wrote:edit: I stand corrected, 2.6.32 is actually still supported until mid-2015...but since a lot of features have also been backported from newer kernels, I'd assume Redhat needs to develop fixes independently and not use kernel.org's latest 2.6.32 releases...

Correct. ;)
100% Linux and, previously, Unix. Co-founder of the ELRepo Project.