CentOS7.5.1804 - PCI Compliance : CVE-2018-0732

Posted: 2018/11/13 00:21:23
by rodrigobrz
Fellow CentOS SysOps,
I am having a hard time trying to fix CVEs related to openssl 1.0.2k-fips.

CVE-2018-0732 is one of them. Looks like Red Hat provides an errata for this problem, which bumps the RPM version from CentOS 12 to 16
(openssl-1.0.2k-16.el7.x86_64.rpm). Looks like it's a preview version that will be released with RHEL7.6, only available to older versions through the errata rpms.

Does Red Hat allow anyone to have access to these errata files, or are they only available to users with a subscription?
Is there a way to fix CVE-2018-0732 on CentOS 7.5.1804?
https://access.redhat.com/security/cve/cve-2018-0732

Best regards,
Rodrigo

Re: CentOS7.5.1804 - PCI Compliance : CVE-2018-0732

Posted: 2018/11/13 00:48:43
by TrevorH
It'll be part of CentOS 7.6. That will first be made available using the CR repo in a day or 6 once QA is complete.

Re: CentOS7.5.1804 - PCI Compliance : CVE-2018-0732

Posted: 2018/11/13 19:47:33
by rodrigobrz
TrevorH wrote:
2018/11/13 00:48:43
It'll be part of CentOS 7.6. That will first be made available using the CR repo in a day or 6 once QA is complete.
Hello Trevor, I much appreciate your response.
Thank you very much.

Re: CentOS7.5.1804 - PCI Compliance : CVE-2018-0732

Posted: 2018/11/13 19:54:35
by rodrigobrz
Since it's so close, I will look into the next release as mentioned by TrevorH, but I wonder...
Is that the only way? I was able to find new versions of OpenSSL on the web, from other distros. Is it even an option to go "independent" and try to install
an unofficial package?

I would really appreciate hearing what you guys do when it is time to do the vulnerability scan and there are no official solutions
for a CVE. Doing my research I found cases where the security level was high for the scanner company and low for RH, so they
would not provide a fix. Thankfully it did not happen to me, and most of my problems could be fixed with updates or changes in the
server configuration.

Thank you guys, for all the help.

Re: CentOS7.5.1804 - PCI Compliance : CVE-2018-0732

Posted: 2018/11/16 10:37:13
by avij
The aforementioned CR repo is now available. Try yum update --enablerepo=cr
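Added example, not code from anyone in this thread: a small POSIX shell check for the scanner-vs-backport problem raised above. It reads the RPM release number and the package changelog (as `rpm -q openssl` and `rpm -q --changelog openssl` would print them) to decide whether the backported CVE-2018-0732 fix is installed, instead of trusting the upstream "1.0.2k" string that scanners key on. The changelog entries and the maintainer address are constructed samples, and the fixed release 16 is taken from the errata package named in the thread.

```shell
#!/bin/sh
# Added example: detect a backported fix by release number and changelog,
# not by the upstream version string. Red Hat/CentOS keep "1.0.2k" and only
# bump the release (12 -> 16 here), so version-only scanners keep flagging it.

CVE="CVE-2018-0732"
FIXED_RELEASE=16   # openssl-1.0.2k-16.el7 per the errata linked in the thread

# Constructed samples of `rpm -q --changelog openssl`; real wording differs.
OLD_CHANGELOG='* Mon Jan 01 2018 maintainer <maintainer@example.org> 1.0.2k-12
- rebuild for CentOS 7.5 (constructed sample entry)'
PATCHED_CHANGELOG="* Mon Jan 01 2018 maintainer <maintainer@example.org> 1.0.2k-16
- fix ${CVE} (constructed sample entry)
${OLD_CHANGELOG}"

# cve_in_changelog CVE TEXT: succeed if the changelog mentions the CVE id.
cve_in_changelog() {
    printf '%s\n' "$2" | grep -q -- "$1"
}

# rpm_release_number NVR: print the numeric release of e.g.
# openssl-1.0.2k-16.el7.x86_64 (-> 16); print 0 if it is not an el7 package.
rpm_release_number() {
    rel=$(printf '%s\n' "$1" | sed -n -E 's/^.*-([0-9]+)\.el7.*$/\1/p')
    case $rel in
        ''|*[!0-9]*) echo 0 ;;
        *) echo "$rel" ;;
    esac
}

# check_host NVR CHANGELOG: return 0 if the fix is present, 1 if it is missing.
check_host() {
    nvr=$1; log=$2
    if cve_in_changelog "$CVE" "$log" && [ "$(rpm_release_number "$nvr")" -ge "$FIXED_RELEASE" ]; then
        echo "patched: $nvr carries the backported fix for $CVE"
        return 0
    fi
    echo "needs update: $nvr lacks $CVE; run: yum update --enablerepo=cr openssl"
    return 1
}

# On a real CentOS 7 host, feed rpm's own output; elsewhere, demo on the samples.
if command -v rpm >/dev/null 2>&1; then
    check_host "$(rpm -q openssl | head -n 1)" "$(rpm -q --changelog openssl)" || true
else
    check_host "openssl-1.0.2k-12.el7.x86_64" "$OLD_CHANGELOG" || true
    check_host "openssl-1.0.2k-16.el7.x86_64" "$PATCHED_CHANGELOG" || true
fi
```

The same changelog check applies to any other backported CVE: change CVE and FIXED_RELEASE to the values from the corresponding errata.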