openssl 1.0.2k and CVE-2017-3737, CVE-2017-3738

mineraleater
Posts: 1
Joined: 2017/12/21 14:11:52

openssl 1.0.2k and CVE-2017-3737, CVE-2017-3738

Post by mineraleater » 2017/12/21 14:18:46

Hi,

CVE-2017-3737 and CVE-2017-3738 have been released for openssl. According to redhat [1,2], the default version that is currently available in CentOS 7 (openssl 1.0.2k) is vulnerable, and needs to be updated (to openssl 1.0.2n).

Is there a plan to perform this upgrade of openssl? Or is there another plan for addressing these CVEs?

(I couldn't find a page indicating that CentOS backported the fix.)

Thanks!

[1] https://access.redhat.com/security/cve/cve-2017-3737
[2] https://access.redhat.com/security/cve/cve-2017-3738

TrevorH
Forum Moderator
Posts: 23496
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssl 1.0.2k and CVE-2017-3737, CVE-2017-3738

Post by TrevorH » 2017/12/21 14:34:37

We are dependent on RH issuing the fixes. They have not yet done so. When they do then CentOS will pick up the new SRPM and rebuild it and release it. The links you've given there will update and show links to the errata pages showing the fixed versions once those are released.

Despite the text saying that an update to 1.0.2n is required, that's from the upstream openssl announcement and RHEL does not work like that. The fixes in question will be backported to the 1.0.2k version that they (and we) ship.

All you can do for now is monitor those CVE pages and the associated links to bugzilla.redhat.com for the progress.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke
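Because the fix is backported, the package version stays at 1.0.2k and only the RPM release field and %changelog change, so checking the version string tells you nothing. As an added example (not code from the thread, from CentOS or from Red Hat), the script below reads the installed package's changelog with `rpm -q --changelog` and reports whether each CVE id is named in it. The function names `cve_fixed` and `check_installed`, and the sample changelog text it runs on, are assumptions constructed for this example; the exact wording of the real changelog entries may differ, which is why the match is a case-insensitive search for the CVE id only.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from CentOS/Red Hat.
# RHEL/CentOS backport security fixes without bumping the upstream version,
# so "openssl-1.0.2k" can be either vulnerable or fixed. A reliable check is
# the RPM %changelog, which names the CVE ids a build addresses.

# cve_fixed CHANGELOG_TEXT CVE_ID
# Prints "<CVE>: fixed" or "<CVE>: missing"; exit status 0 only when fixed.
cve_fixed() {
    if printf '%s\n' "$1" | grep -q -i -- "$2"; then
        echo "$2: fixed"
        return 0
    fi
    echo "$2: missing"
    return 1
}

# check_installed PACKAGE CVE...
# Reads the changelog of the installed package and checks every CVE given.
# Exit status: 0 all fixed, 1 at least one missing, 2 could not query.
check_installed() {
    pkg=$1
    shift
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    log=$(rpm -q --changelog "$pkg" 2>/dev/null) || { echo "$pkg: not installed"; return 2; }
    rc=0
    for cve in "$@"; do
        cve_fixed "$log" "$cve" || rc=1
    done
    return $rc
}

# Constructed sample changelog (NOT real RPM output, names and release are
# placeholders) so the functions can be exercised on a machine without the
# package: one CVE is mentioned, the other is not.
SAMPLE_CHANGELOG='* Tue Apr 10 2018 Example Packager <packager@example.com> 1.0.2k-1.example
- backport fix for CVE-2017-3737 (constructed sample entry)
- unrelated bug fix (constructed sample entry)

* Mon Jan 01 2018 Example Packager <packager@example.com> 1.0.2k-0.example
- rebuild (constructed sample entry)'

# Demo against the constructed sample. On a real CentOS 7 host run instead:
#   check_installed openssl CVE-2017-3737 CVE-2017-3738
cve_fixed "$SAMPLE_CHANGELOG" CVE-2017-3737
cve_fixed "$SAMPLE_CHANGELOG" CVE-2017-3738 || true   # exit status 1 is expected here
```

On a real host, `check_installed openssl CVE-2017-3737 CVE-2017-3738` exits 0 only when both ids appear in the installed package's changelog; pair it with `rpm -q openssl` to record which release you checked.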

M1ck@el
Posts: 1
Joined: 2018/01/25 15:00:02

Re: openssl 1.0.2k and CVE-2017-3737, CVE-2017-3738

Post by M1ck@el » 2018/01/25 15:01:11

Hello,
Do you know if there are news about the availability of these patches?
Thank you.

TrevorH
Forum Moderator
Posts: 23496
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssl 1.0.2k and CVE-2017-3737, CVE-2017-3738

Post by TrevorH » 2018/01/25 15:50:10

The only news you will get is by clicking on the two links in the first post. CentOS only rebuilds what Redhat releases for RHEL and has no visibility into the status of things inside Redhat. The first news we get that something is fixed is when RH release it.

MIS
Posts: 1
Joined: 2018/04/16 15:12:18

Re: openssl 1.0.2k and CVE-2017-3737, CVE-2017-3738

Post by MIS » 2018/04/16 15:18:55

There has been an update from Redhat on these security issues.

https://access.redhat.com/errata/RHSA-2018:0998

There are updated packages that were released on April 10, 2018.

When can we expect these packages to be made available to the Centos Community?

TrevorH
Forum Moderator
Posts: 23496
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssl 1.0.2k and CVE-2017-3737, CVE-2017-3738

Post by TrevorH » 2018/04/16 15:22:30

Anything released by RH on or after the 10th April 2018 is part of RHEL 7.5 and will be in CentOS 7.5 when that is released.
