heartbleed openssl bug, need 1.0.1g openssl version

General support questions
jeffreyhodge
Posts: 2
Joined: 2014/04/08 01:05:19

heartbleed openssl bug, need 1.0.1g openssl version

Postby jeffreyhodge » 2014/04/08 01:09:41

I'm not sure exactly how these requests are made. Openssl in recent versions of Centos is completely compromised (see heartbleed.com). Version 1.0.1g has the fix. I compiled a package for it, but of course I would need the build environment for the rest of the packages on the system to make it work properly and would take me days to figure out.

Can we get a 1.0.1g version of openssl in the repo?

TrevorH
Forum Moderator
Posts: 20325
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: heartbleed openssl bug, need 1.0.1g openssl version

Postby TrevorH » 2014/04/08 01:27:44

There most likely will not be a 1.0.1g as that's not the way that RHEL or CentOS operate. We'll have to wait for Redhat to backport the patch to their 1.0.1e release. The Redhat bugzilla is here

There are CentOS provided recompiled packages available but they come with a health warning.

Patched openssl packages are available for _TESTING_ at http://people.centos.org/z00dax/disable_heartbeat - please leave feedback on these packages. These should not be installed on a machine you care about until confirmed.


Temporarily making this a global thread so that it's visible to all users in all forums. The bug only affects the CentOS 6.5 openssl which received a rebase to 1.0.1e. No prior versions or releases are affected.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

TrevorH
Forum Moderator
Posts: 20325
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: heartbleed openssl bug, need 1.0.1g openssl version

Postby TrevorH » 2014/04/08 01:41:39

Interim CentOS packages (1.0.1e-16.el6_5.4.0.1.centos) that address CVE-2014-0160 by adding the published workaround are being released to CentOS-6 [updates] and should be available on a mirror near you soon. These will be superseded by the Red Hat update when it becomes available.

jeffreyhodge
Posts: 2
Joined: 2014/04/08 01:05:19

Re: heartbleed openssl bug, need 1.0.1g openssl version

Postby jeffreyhodge » 2014/04/08 02:17:28

For those who want an immediate fix, you can use the bug link referenced above. It contains a diff for a spec file to disable heartbeats. You can obtain the current SRPM for the latest openssl packages from CentOS here - http://vault.centos.org/6.5/updates/Sou ... .4.src.rpm.

You'll have to be comfortable with repackaging your own RPMs. I'm not going to provide instructions for that.

TrevorH
Forum Moderator
Posts: 20325
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: heartbleed openssl bug, need 1.0.1g openssl version

Postby TrevorH » 2014/04/08 02:31:05

Redhat just posted https://rhn.redhat.com/errata/RHSA-2014-0376.html and that will be working its way through the build/test/publish cycle and will be available on a CentOS mirror near you shortly.

If you update and need to know what needs restarting to pick up the new update then run

lsof -n | grep ssl | grep DEL
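The `lsof` one-liner in the post above works because a process that loaded the old libssl keeps the replaced file mapped, and `lsof` flags such mappings with `DEL`. The script below is an added example, not code from the thread or from CentOS: it parses `lsof -n` output into a per-process report and, for hosts without `lsof`, reads `/proc/<pid>/maps` directly, where the kernel appends `(deleted)` to a mapping whose file has been unlinked. It matches both `libssl` and `libcrypto`, since the openssl package ships both and a process that mapped either still needs a restart. The sample `lsof` and `maps` text is constructed for the example; the function names are ours.

```python
import os
import re

# Shared objects shipped by the openssl package; a process mapping a deleted
# copy of either one is still running pre-update code and must be restarted.
SSL_LIB_RE = re.compile(r"/lib(ssl|crypto)\.so(\.|$)")


def holders_from_lsof(lsof_output):
    """Parse `lsof -n` text; return {pid: (command, {deleted openssl paths})}.

    lsof reports a mapping whose file was replaced on disk with FD == "DEL".
    Such lines have no SIZE/OFF column, so fields are taken by position from
    the left (command, pid, user, fd) and the path from the right.
    """
    holders = {}
    for line in lsof_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3] != "DEL":
            continue
        command, pid, path = fields[0], int(fields[1]), fields[-1]
        if SSL_LIB_RE.search(path):
            holders.setdefault(pid, (command, set()))[1].add(path)
    return holders


def deleted_ssl_mappings(maps_text):
    """Return openssl library paths in one /proc/<pid>/maps marked (deleted)."""
    found = set()
    for line in maps_text.splitlines():
        # address perms offset dev inode [path]; path may contain spaces
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        path = parts[5]
        if path.endswith(" (deleted)"):
            path = path[: -len(" (deleted)")]
            if SSL_LIB_RE.search(path):
                found.add(path)
    return found


def scan_proc(proc_root="/proc"):
    """Walk /proc and report pids still mapping a deleted libssl/libcrypto.

    Run as root to see every process; maps of other users' processes are
    unreadable otherwise and are skipped.
    """
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as f:
                libs = deleted_ssl_mappings(f.read())
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                comm = f.read().split(b"\0")[0].decode(errors="replace") or "?"
        except OSError:
            continue  # process exited or is not readable by us
        if libs:
            report[int(entry)] = (comm, libs)
    return report


# Constructed sample output, in the column layout of `lsof -n`.
SAMPLE_LSOF = """\
COMMAND    PID   USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
httpd     1234 apache DEL    REG  253,0          1835022 /usr/lib64/libssl.so.1.0.1e
httpd     1234 apache DEL    REG  253,0          1835019 /usr/lib64/libcrypto.so.1.0.1e
sshd       987   root mem    REG  253,0   432800 1835100 /usr/lib64/libssl.so.1.0.1e
bash      2001   root DEL    REG  253,0          1835301 /lib64/libc-2.12.so
"""

# Constructed sample of one process's /proc/<pid>/maps after the update.
SAMPLE_MAPS = """\
00400000-004b9000 r-xp 00000000 fd:00 1835001 /usr/sbin/httpd
7f3b5c8c4000-7f3b5c929000 r-xp 00000000 fd:00 1835022 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3b5c929000-7f3b5cb28000 ---p 00065000 fd:00 1835022 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3b5cb30000-7f3b5ccb1000 r-xp 00000000 fd:00 1835019 /usr/lib64/libcrypto.so.1.0.1e
7f3b5ccc0000-7f3b5ce4a000 r-xp 00000000 fd:00 1835301 /lib64/libc-2.12.so (deleted)
7fff2a1f0000-7fff2a205000 rw-p 00000000 00:00 0       [stack]
"""

if __name__ == "__main__":
    for pid, (cmd, libs) in sorted(holders_from_lsof(SAMPLE_LSOF).items()):
        print("restart pid %d (%s): %s" % (pid, cmd, ", ".join(sorted(libs))))
    if os.path.isdir("/proc"):
        for pid, (cmd, libs) in sorted(scan_proc().items()):
            print("live: pid %d (%s) still maps %s" % (pid, cmd, ", ".join(sorted(libs))))
```

The sample `lsof` text has a `DEL` entry for `libc`, which is deliberately ignored: the aim after the openssl errata is to restart what maps the old openssl libraries, not everything with any replaced file.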

TrevorH
Forum Moderator
Posts: 20325
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: heartbleed openssl bug, need 1.0.1g openssl version

Postby TrevorH » 2014/04/08 02:31:58

There is a link to temporary packages to workaround this problem above. No need to build your own.

TrevorH
Forum Moderator
Posts: 20325
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: heartbleed openssl bug, need 1.0.1g openssl version

Postby TrevorH » 2014/04/08 03:07:42

So the official update is now out. Details below copied from the CentOS-Announce mailing list.

If you run `rpm -q openssl` and it reports version 1.0.1e and less than 1.0.1e-16.el6_5.4.0.1 then you are currently vulnerable to this problem. If it reports 1.0.1e-16.el6_5.4.0.1.centos then you have the temporary version issued before Redhat issued their official fix. If you have 1.0.1e-16.el6_5.7 or higher then you have the official fixed version. If you are not running the fixed version then you should update as soon as possible by running `yum update`. If no newer version is offered then you might try running `yum clean metadata` then retry. If nothing shows up still then you may need to wait for your current mirror to catch up and replicate the update.

CentOS Errata and Security Advisory 2014:0376 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-0376.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
6ceff4bad2608484b9b9ab74b8e9047b593b6b7a6ca5ba3cc16db7d8b447f1d8 openssl-1.0.1e-16.el6_5.7.i686.rpm
ef6c735885f24ca8618357b880e8cdc6fcb7c6895d99f740169684a3a6f0b8ba openssl-devel-1.0.1e-16.el6_5.7.i686.rpm
5724d24708d8b62ee48585ea530d379c258a9dd537ce3d350a61af4489c11ea5 openssl-perl-1.0.1e-16.el6_5.7.i686.rpm
601108f27b4716355d972d70e8711b6ff53f4375962b3d6e81321736c6709b90 openssl-static-1.0.1e-16.el6_5.7.i686.rpm

x86_64:
6ceff4bad2608484b9b9ab74b8e9047b593b6b7a6ca5ba3cc16db7d8b447f1d8 openssl-1.0.1e-16.el6_5.7.i686.rpm
42cdc321aa3d46889c395c5d6dc11961ed86be5f4d98af0d6399d6c4e1233712 openssl-1.0.1e-16.el6_5.7.x86_64.rpm
ef6c735885f24ca8618357b880e8cdc6fcb7c6895d99f740169684a3a6f0b8ba openssl-devel-1.0.1e-16.el6_5.7.i686.rpm
3328f32f211b2e136c25ec8538c768049f288f0b410932b31880fa4b4de8e73b openssl-devel-1.0.1e-16.el6_5.7.x86_64.rpm
89cdbaed00f8348a6a6d567c6c1eb8aba9f94578653be475e826e24c51f10594 openssl-perl-1.0.1e-16.el6_5.7.x86_64.rpm
9222db08c5cbf4fded04fd7d060f5b91ed396665e2baa4c899fc2aa8aa9297d0 openssl-static-1.0.1e-16.el6_5.7.x86_64.rpm

Source:
3a08cda99f54b97c027ed32758e7b1ddcff635be5c3737c1e9084321561a015d openssl-1.0.1e-16.el6_5.7.src.rpm



--
Karanbir Singh
CentOS Project { http://www.centos.org/ }
irc: z00dax, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list CentOS-announce@centos.org
http://lists.centos.org/mailman/listinf ... s-announce
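The post above gives three outcomes for `rpm -q openssl`: vulnerable (1.0.1e below 16.el6_5.4.0.1), the interim CentOS workaround build (1.0.1e-16.el6_5.4.0.1.centos), and fixed (1.0.1e-16.el6_5.7 or higher). Comparing release strings like `16.el6_5.4.0.1.centos` and `16.el6_5.7` by eye or with plain string comparison gets this wrong, so the following added example (ours, not from the thread or from CentOS) reimplements rpm's `rpmvercmp` segment-by-segment comparison in Python and applies the thresholds from the post. The `~` pre-release rule is included; the newer `^` rule is not, as the rpm on CentOS 6 did not have it either. Function names and the `heartbleed_status` labels are ours; the NVRA strings in the tests are constructed.

```python
import re
import subprocess

# Thresholds exactly as stated in the post above (CentOS 6.5 openssl only).
AFFECTED_VERSION = "1.0.1e"
INTERIM_RELEASE = "16.el6_5.4.0.1.centos"
FIXED_RELEASE = "16.el6_5.7"

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two rpm version or release strings the way rpmvercmp() does.

    Returns -1, 0 or 1. Strings are split into runs of digits and runs of
    letters; separators only delimit segments. A numeric segment is newer
    than an alphabetic one, digits compare numerically, letters lexically,
    '~' sorts before anything (even the end of the string), and when all
    segments match the string with segments left over is newer.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            if i >= len(a) or a[i] != "~":
                return 1
            if j >= len(b) or b[j] != "~":
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        sa = _SEGMENT.match(a, i).group(0)
        sb = _SEGMENT.match(b, j).group(0)
        i += len(sa)
        j += len(sb)
        if sa.isdigit() != sb.isdigit():
            return 1 if sa.isdigit() else -1
        if sa.isdigit():
            na, nb = int(sa), int(sb)
            if na != nb:
                return 1 if na > nb else -1
        elif sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1


_NVRA = re.compile(r"^(.+)-([^-]+)-([^-]+?)(?:\.(i386|i686|x86_64|noarch|src))?$")


def parse_nvra(nvra):
    """Split 'name-version-release[.arch]' as printed by `rpm -q`."""
    m = _NVRA.match(nvra.strip())
    if not m:
        raise ValueError("not an rpm NVRA string: %r" % nvra)
    return m.group(1), m.group(2), m.group(3), m.group(4)


def heartbleed_status(nvra):
    """Classify an installed openssl package per the thresholds in the post."""
    name, version, release, _arch = parse_nvra(nvra)
    if not name.startswith("openssl"):
        raise ValueError("not an openssl package: %r" % nvra)
    if version != AFFECTED_VERSION:
        return "unaffected"            # only the 1.0.1e rebase has the bug
    if release == INTERIM_RELEASE:
        return "interim-workaround"    # CentOS build with heartbeats disabled
    if rpmvercmp(release, FIXED_RELEASE) >= 0:
        return "fixed"                 # RHSA-2014:0376 or anything newer
    return "vulnerable"


def installed_openssl_status():
    """Run `rpm -q openssl` on this host and classify each installed arch."""
    out = subprocess.check_output(["rpm", "-q", "openssl"]).decode()
    return {line: heartbleed_status(line) for line in out.split()}


if __name__ == "__main__":
    try:
        for pkg, status in sorted(installed_openssl_status().items()):
            print("%s: %s" % (pkg, status))
    except (OSError, subprocess.CalledProcessError) as e:
        print("rpm query failed (not an rpm-based host?): %s" % e)
```

Note that `16.el6_5.4.0.1.centos` compares lower than `16.el6_5.7`, which is why the interim build is matched by exact string before the numeric comparison; had it not been, it would be reported as vulnerable even though it carries the workaround.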

_ck_
Posts: 89
Joined: 2012/08/10 23:00:35

Re: heartbleed openssl bug, need 1.0.1g openssl version

Postby _ck_ » 2014/04/08 15:39:34

I am still not finding openssl-1.0.1e-16 on any mirrors?

Can anyone please post a known mirror with it so we do not have to wait any longer? This is a very dangerous bug; people are already exploiting it.

TrevorH
Forum Moderator
Posts: 20325
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: heartbleed openssl bug, need 1.0.1g openssl version

Postby TrevorH » 2014/04/08 17:20:43

http://mirror-status.centos.org/

And you don't want openssl-1.0.1e-16 as that's the first vulnerable one delivered with CentOS 6.5. You want openssl-1.0.1e-16.el6_5.7

More likely you need to run `yum clean all` then yum update or fix your repo file to point to the mirrorlist rather than hard coding a URL.

drewrowland
Posts: 4
Joined: 2014/04/08 17:08:25

Re: heartbleed openssl bug, need 1.0.1g openssl version

Postby drewrowland » 2014/04/08 19:57:17

When running yum update I am continually getting:

Setting up Update Process
No Packages marked for Update

I'm pointing to the base repo list, but for some reason I'm not getting package updates. Any suggestions?