Estimated time before official openssl rpms are released

Posted: 2015/03/19 22:23:26
by pada
Hi,

I'd like to know what the estimated time is of when we can expect to see official openssl rpm + srpm files available? A day / a week?

After learning earlier this week that the vulnerability was responsibly disclosed, I would've thought that rpms would be released at the same time as they released the patches at openssl.org.

Thank you in advance

Re: Estimated time before official openssl rpms are released

Posted: 2015/03/19 22:49:32
by avij
Nobody seems to know. There are no RHEL updates to openssl yet, and consequently, no CentOS updates to openssl either. However, please note that CentOS / RHEL are not affected by some of those highest-rated CVEs, so I would not lose my sleep over these issues.

Some links:
https://access.redhat.com/articles/1384453
https://www.openssl.org/news/secadv_20150319.txt

Re: Estimated time before official openssl rpms are released

Posted: 2015/03/19 23:05:06
by pada
Thanks for the very quick feedback.
I'll then first try to upgrade our RHEL servers.

I was also quite surprised that everyone made such a big fuss about this high severity bug when it was only the v1.0.2 version, which very few people would be using since it's so new.

I am however still concerned about some of the DoS bugs, since we are using client authentication, which is affected by those.

Re: Estimated time before official openssl rpms are released

Posted: 2015/03/20 23:47:28
by curious_george
Does anyone know where communication or announcements from CentOS will happen when an openssl patch is released? In the meantime, I've been doing "yum upgrade openssl" to see when a patch finally gets released.

Re: Estimated time before official openssl rpms are released

Posted: 2015/03/21 00:24:53
by chemal
CentOS-announce -- CentOS announcements (security and general) will be posted to this list.

http://lists.centos.org/mailman/listinf ... s-announce

Re: Estimated time before official openssl rpms are released

Posted: 2015/03/21 08:52:21
by avij
You can also keep an eye on https://rhn.redhat.com/errata/rhel-server-7-errata.html -- as you can see, Red Hat has not released an update to openssl either (yet). The CentOS openssl update will be released a few hours after the RHEL openssl update has been released.

Re: Estimated time before official openssl rpms are released

Posted: 2015/03/23 22:08:55
by avij
A quick status update. OpenSSL updates for CentOS 6 and CentOS 7 have now been released.

For CentOS 7, the updates are included as updates for the next point release of CentOS, CentOS 7 (tag 1503). This version is still in QA testing, but if you want to get the updates quicker, you can get them from the CR repository.

If you are using CentOS 6, you should be able to get the update with a simple yum update. Please note that some mirrors may not have synced yet, so please try again after a few hours if you don't see any openssl updates.

There doesn't seem to be any openssl updates for RHEL/CentOS 5 yet.

Re: Estimated time before official openssl rpms are released

Posted: 2015/03/23 22:39:52
by TrevorH
These fixes are marked as at most "Moderate", and CentOS 5 is now in production phase 3 of its lifecycle upstream, so only fixes rated "important" or "critical" are released. I would not expect CentOS 5 packages for this batch of CVEs.

Re: Estimated time before official openssl rpms are released

Posted: 2015/03/26 12:44:11
by rss245
Not to complain here, but how could this have happened?
OpenSSL and Heartbleed have been public news front and center for a while now. Do the authors of CentOS and Red Hat really handle this so poorly?
Sure, you can do the following in the meantime, but I would have expected better on such a major issue:

wget https://www.openssl.org/source/openssl-1.0.2a.tar.gz
wget http://www.linuxfromscratch.org/patches ... ld-1.patch
tar xzf openssl-1.0.2a.tar.gz
cd openssl-1.0.2a
patch -Np1 -i ../openssl-1.0.2a-fix_parallel_build-1.patch
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic
make
make install


Why this has yet to be made available as an rpm package through yum, I do not know; I am shocked at this essentially poor handling of a critical security issue.
Open Source community really fell down on the job on this issue. :(

Re: Estimated time before official openssl rpms are released

Posted: 2015/03/26 13:17:16
by TrevorH
The openssl fixes that are marked as Important and Critical are fixed in the latest CentOS 5 openssl packages. That includes heartbleed etc. If you do your source build then you will overwrite a large amount of packaged files and those will in turn be overwritten (and broken) next time an openssl package is released by CentOS. In addition, many things are likely to stop working with the newer openssl installed in this way. Do not do it.
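A check for the state TrevorH warns about (a source build silently overwriting files that belong to the openssl rpm), added here as an example and not part of the thread: it parses `rpm -V openssl` output and lists the non-config files whose size or digest no longer match the package database. The sample verify output below is constructed; on a real host you would feed in `rpm -V openssl` directly.

```shell
#!/bin/sh
# Detect packaged openssl files clobbered by an out-of-band "make install".
# `rpm -V` prints one line per mismatching file: a 9-character flag field
# (S=size, M=mode, 5=digest, D=device, L=link, U=user, G=group, T=mtime,
# P=capabilities; "." means unchanged), an optional attribute marker
# (c=config, d=doc, g=ghost, l=license, r=readme), then the path.

# Constructed sample of `rpm -V openssl` output (not from a real host).
SAMPLE_VERIFY_OUTPUT='S.5....T.    /usr/lib64/libssl.so.1.0.1e
S.5....T.    /usr/lib64/libcrypto.so.1.0.1e
S.5....T.  c /etc/pki/tls/openssl.cnf
.......T.    /usr/bin/openssl
missing     /usr/share/man/man1/openssl.1ssl.gz'

# clobbered_files VERIFY_OUTPUT
# Prints paths of non-config files whose size or digest differ from the rpm.
# Config files are skipped: local edits to openssl.cnf are expected and are
# not evidence of a source build. mtime-only changes and missing files are
# ignored here as well; they are worth a look but mean something different.
clobbered_files() {
  printf '%s\n' "$1" | awk '
    $1 == "missing" { next }
    length($1) == 9 && $1 ~ /[S5]/ {
      # three fields means an attribute marker is present; c = config file
      if (NF == 3 && $2 ~ /^[cdglr]+$/) next
      print $NF
    }'
}

# count_clobbered VERIFY_OUTPUT
# Number of clobbered non-config files; non-zero means the package on disk is
# no longer what yum installed and the next openssl update will overwrite it.
count_clobbered() {
  clobbered_files "$1" | wc -l | tr -d ' '
}

# Live use on a CentOS host (assumes rpm is available):
#   clobbered_files "$(rpm -V openssl 2>&1)"
clobbered_files "$SAMPLE_VERIFY_OUTPUT"
```

A non-empty list is the signal that `rpm -q openssl` no longer tells you which OpenSSL code is actually loaded, which is exactly why the thread advises against the source install.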