Upgrading OpenSSL in CentOS 7.6

tsrini
Posts: 24
Joined: 2018/04/06 13:25:09

Upgrading OpenSSL in CentOS 7.6

Post by tsrini » 2019/04/02 12:53:45

Hi Team,

Recently we have upgraded to CentOS 7.6.1810, and the OpenSSL that comes along with CentOS 7.6 is openssl-1.0.2k-16.el7_6.1.x86_64. We understand there are no updates available / backported in CentOS 7.6 mirrors beyond openssl-1.0.2k.

Can we upgrade OpenSSL to 1.0.2r (for CVE fixes)? Is it the right way to get it upgraded ourselves, though there are no updates from CentOS?

Regards,
Srini

tunk
Posts: 1206
Joined: 2017/02/22 15:08:17

Re: Upgrading OpenSSL in CentOS 7.6

Post by tunk » 2019/04/02 13:18:02

You can list the changelog (including CVEs) with this command: rpm -q --changelog openssl|more
CentOS 7.6 was released around four months ago, so you've had four months without any security updates.

tsrini
Posts: 24
Joined: 2018/04/06 13:25:09

Re: Upgrading OpenSSL in CentOS 7.6

Post by tsrini » 2019/04/02 14:24:23

Thanks a lot. That was very useful.

From the RPM changelog, it seems 1.0.2k-16.1 is the latest. But I couldn't find this anywhere in the CentOS mirror. I can only see 1.0.2k-16 as the latest.

~$ rpm -q --changelog openssl-1.0.2k-16.el7_6.1.x86_64 | more
* Wed Feb 06 2019 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16.1
- use SHA-256 in FIPS RSA pairwise key check
- fix CVE-2018-5407 - EC signature local timing side-channel key extraction

* Tue Aug 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16
- fix CVE-2018-0495 - ROHNP - Key Extraction Side Channel on DSA, ECDSA
- fix incorrect error message on FIPS DSA parameter generation (#1603597)

Do you have any idea on this?

Regards,
Srini

tunk
Posts: 1206
Joined: 2017/02/22 15:08:17

Re: Upgrading OpenSSL in CentOS 7.6

Post by tunk » 2019/04/02 14:38:56

I guess you could compare the CVE output from rpm with this: https://www.openssl.org/news/vulnerabilities-1.0.2.html
I don't know about openssl, but I know that "updating" some packages will damage your system beyond repair.
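
The comparison tunk suggests (CVE ids in the rpm changelog versus the ids you care about from the OpenSSL vulnerabilities page) can be scripted. The following is an added example, not code from the thread: it parses changelog text for CVE ids and reports whether a given id is covered; the embedded changelog is a constructed sample based on the two entries quoted above, and `cve_status`/`changelog_cves` are names chosen here.

```shell
#!/bin/sh
# Constructed sample of `rpm -q --changelog openssl` output (the two entries
# quoted in the thread). On a real host, pipe rpm's output in instead.
SAMPLE_CHANGELOG='* Wed Feb 06 2019 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16.1
- use SHA-256 in FIPS RSA pairwise key check
- fix CVE-2018-5407 - EC signature local timing side-channel key extraction

* Tue Aug 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16
- fix CVE-2018-0495 - ROHNP - Key Extraction Side Channel on DSA, ECDSA
- fix incorrect error message on FIPS DSA parameter generation (#1603597)'

# Read changelog text on stdin and print every CVE id it mentions,
# one per line, sorted and de-duplicated.
changelog_cves() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# $1: changelog text, $2: a CVE id. Prints "fixed" when the id appears in
# the changelog (exact match, so CVE-2018-040 never matches CVE-2018-0405),
# otherwise "missing"; the return code mirrors the result (0 fixed, 1 missing).
cve_status() {
    changelog="$1"
    cve="$2"
    if printf '%s\n' "$changelog" | changelog_cves | grep -qxF "$cve"; then
        echo "fixed"
        return 0
    fi
    echo "missing"
    return 1
}

# Stand-alone run: check the two ids from the thread plus a constructed
# placeholder id (CVE-2000-0000 is not a real CVE) that is expected to be missing.
# On CentOS, replace SAMPLE_CHANGELOG with "$(rpm -q --changelog openssl)".
for cve in CVE-2018-5407 CVE-2018-0495 CVE-2000-0000; do
    printf '%s: %s\n' "$cve" "$(cve_status "$SAMPLE_CHANGELOG" "$cve")"
done
```

The same functions work for any RPM whose changelog follows Red Hat's "fix CVE-..." convention; a "missing" result only says the changelog does not name the id, which is the point to take to the vendor's errata rather than a reason to build a newer OpenSSL by hand.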

TrevorH
Site Admin
Posts: 33221
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Upgrading OpenSSL in CentOS 7.6

Post by TrevorH » 2019/04/02 15:06:06

Please don't try to update your system to a newer openssl or it will break.

The current openssl on CentOS 7.6 is openssl-1.0.2k-16.el7_6.1.x86_64 - this is the same package as RHEL's 1.0.2k-16.1 as can be seen from the package changelog.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

tsrini
Posts: 24
Joined: 2018/04/06 13:25:09

Re: Upgrading OpenSSL in CentOS 7.6

Post by tsrini » 2019/04/03 04:33:49

Thanks a lot tunk & TrevorH for your help.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Upgrading OpenSSL in CentOS 7.6

Post by avij » 2019/04/03 04:53:26

tsrini wrote:
2019/04/02 14:24:23
From the RPM changelog, it seems 1.0.2k-16.1 is the latest. But I couldn't find this anywhere in the CentOS mirror. I can only see 1.0.2k-16 as the latest.

~$ rpm -q --changelog openssl-1.0.2k-16.el7_6.1.x86_64 | more
* Wed Feb 06 2019 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16.1
- use SHA-256 in FIPS RSA pairwise key check
- fix CVE-2018-5407 - EC signature local timing side-channel key extraction

* Tue Aug 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-16
- fix CVE-2018-0495 - ROHNP - Key Extraction Side Channel on DSA, ECDSA
- fix incorrect error message on FIPS DSA parameter generation (#1603597)

Do you have any idea on this?

When you run rpm -q --changelog, the changelog comes from the installed package. This means you have the latest openssl already installed. openssl-1.0.2k-16.el7_6.1 packages are in 7.6.1810 "updates", not "os".
