Hi Team,
Recently we upgraded to CentOS 7.6.1810, and the OpenSSL that comes along with CentOS 7.6 is openssl-1.0.2k-16.el7_6.1.x86_64. We understand there are no updates available / backported in the CentOS 7.6 mirrors beyond openssl-1.0.2k.
Can we upgrade OpenSSL to 1.0.2r (for CVE fixes)? Is it the right way to get it upgraded ourselves even though there are no updates from CentOS?
Regards,
Srini
Upgrading OpenSSL in CentOS 7.6
Re: Upgrading OpenSSL in CentOS 7.6
You can list the changelog (including CVEs) with this command: rpm -q --changelog openssl|more
CentOS 7.6 was released around four months ago, so you've had four months without any security updates.
Re: Upgrading OpenSSL in CentOS 7.6
Thanks a lot. That was very useful.
From the RPM changelog, it seems 1.0.2k-16.1 is the latest. But I couldn't find this anywhere in the CentOS mirrors. I can only see 1.0.2k-16 as the latest.
~$ rpm -q --changelog openssl-1.0.2k-16.el7_6.1.x86_64 | more
* Wed Feb 06 2019 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16.1
- use SHA-256 in FIPS RSA pairwise key check
- fix CVE-2018-5407 - EC signature local timing side-channel key extraction
* Tue Aug 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16
- fix CVE-2018-0495 - ROHNP - Key Extraction Side Channel on DSA, ECDSA
- fix incorrect error message on FIPS DSA parameter generation (#1603597)
Do you have any idea about this?
Regards,
Srini
Re: Upgrading OpenSSL in CentOS 7.6
I guess you could compare the CVE output from rpm with this: https://www.openssl.org/news/vulnerabilities-1.0.2.html
I don't know about openssl, but I know that "updating" some packages will damage your system beyond repair.
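The two suggestions above (list the CVE IDs named in the package changelog, then compare them against the list at https://www.openssl.org/news/vulnerabilities-1.0.2.html) can be scripted so the check is repeatable. The script below is an added example and not code from this thread or from CentOS; it embeds the changelog lines quoted earlier in the thread as a constructed sample so it runs offline, and CVE-2019-1559 is used only as an ID taken from the OpenSSL 1.0.2 page that does not appear in that quoted changelog. On a real host you would pipe `rpm -q --changelog openssl` into it instead.

```shell
#!/bin/sh
# Added example: match CVE IDs from an RPM changelog against IDs you care about.
# Not part of the original thread. Real usage on a CentOS host:
#   rpm -q --changelog openssl | cves_in_changelog
#   cve_status "$(rpm -q --changelog openssl)" CVE-2019-1559
# To inspect a package from the repo *before* installing it (rpm -q --changelog
# only shows the installed package), download it first:
#   yumdownloader openssl && rpm -qp --changelog openssl-*.rpm | cves_in_changelog

# Constructed sample: the changelog entries quoted in this thread.
SAMPLE_CHANGELOG='* Wed Feb 06 2019 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16.1
- use SHA-256 in FIPS RSA pairwise key check
- fix CVE-2018-5407 - EC signature local timing side-channel key extraction
* Tue Aug 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16
- fix CVE-2018-0495 - ROHNP - Key Extraction Side Channel on DSA, ECDSA
- fix incorrect error message on FIPS DSA parameter generation (#1603597)'

# Read a changelog on stdin; print each CVE ID it mentions once, sorted.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# cve_status "<changelog text>" CVE-... [CVE-...]
# Prints one line per ID ("fixed" or "NOT in changelog").
# Returns 1 if any requested ID is absent, so it can gate a script.
cve_status() {
    changelog=$1
    shift
    fixed=$(printf '%s\n' "$changelog" | cves_in_changelog)
    missing=0
    for id in "$@"; do
        if printf '%s\n' "$fixed" | grep -qx "$id"; then
            echo "$id: fixed"
        else
            echo "$id: NOT in changelog"
            missing=1
        fi
    done
    return $missing
}

# Demo against the constructed sample; the "|| echo" keeps the demo from
# aborting a caller that runs with set -e.
cve_status "$SAMPLE_CHANGELOG" CVE-2018-5407 CVE-2018-0495 CVE-2019-1559 \
    || echo "at least one requested CVE is not named in this changelog"
```

An ID that is absent from the changelog is a prompt to look further, not proof the system is vulnerable: Red Hat backports fixes into the existing 1.0.2k version, and a fix can be shipped in a later errata release than the one you have installed, so check the vendor's CVE page for that ID before deciding to build OpenSSL yourself.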
Re: Upgrading OpenSSL in CentOS 7.6
Please don't try to update your system to a newer openssl or it will break.
The current openssl on CentOS 7.6 is openssl-1.0.2k-16.el7_6.1.x86_64 - this is the same package as RHEL's 1.0.2k-16.1 as can be seen from the package changelog.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Upgrading OpenSSL in CentOS 7.6
Thanks a lot tunk & TrevorH for your help.
Re: Upgrading OpenSSL in CentOS 7.6
tsrini wrote: ↑2019/04/02 14:24:23
From the RPM changelog, it seems 1.0.2k-16.1 is the latest. But I couldn't find this anywhere in the CentOS mirrors. I can only see 1.0.2k-16 as the latest.
~$ rpm -q --changelog openssl-1.0.2k-16.el7_6.1.x86_64 | more
* Wed Feb 06 2019 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16.1
- use SHA-256 in FIPS RSA pairwise key check
- fix CVE-2018-5407 - EC signature local timing side-channel key extraction
* Tue Aug 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16
- fix CVE-2018-0495 - ROHNP - Key Extraction Side Channel on DSA, ECDSA
- fix incorrect error message on FIPS DSA parameter generation (#1603597)
Do you have any idea about this?

When you run rpm -q --changelog, the changelog comes from the installed package. This means you already have the latest openssl installed. The openssl-1.0.2k-16.el7_6.1 packages are in the 7.6.1810 "updates" repository, not "os".