Estimated time before official openssl rpms are released

pada
Posts: 4
Joined: 2015/03/19 22:10:18

Estimated time before official openssl rpms are released

Post by pada » 2015/03/19 22:23:26

Hi,

I'd like to know what the estimated time is of when we can expect to see official openssl rpm + srpm files available? A day / a week?

After learning earlier this week that the vulnerability was responsibly disclosed, I would've thought that rpms would be released at the same time as they released the patches at openssl.org.

Thank you in advance

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Estimated time before official openssl rpms are released

Post by avij » 2015/03/19 22:49:32

Nobody seems to know. There are no RHEL updates to openssl yet, and consequently, no CentOS updates to openssl either. However, please note that CentOS / RHEL are not affected by some of those highest-rated CVEs, so I would not lose my sleep over these issues.

Some links:
https://access.redhat.com/articles/1384453
https://www.openssl.org/news/secadv_20150319.txt

pada
Posts: 4
Joined: 2015/03/19 22:10:18

Re: Estimated time before official openssl rpms are released

Post by pada » 2015/03/19 23:05:06

Thanks for the very quick feedback.
I'll first try to upgrade our RHEL servers then.

I was also quite surprised that everyone made such a big fuss about this high severity bug when it was only the v1.0.2 version, which very few people would be using since it's so new.

I am however still concerned about some of the DoS bugs, since we are using client authentication, which is affected by those.

curious_george
Posts: 7
Joined: 2013/01/26 00:51:36

Re: Estimated time before official openssl rpms are released

Post by curious_george » 2015/03/20 23:47:28

Does anyone know where communication or announcements from CentOS will happen when an openssl patch is released? In the meantime, I've been doing "yum upgrade openssl" to see when a patch finally gets released.

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: Estimated time before official openssl rpms are released

Post by chemal » 2015/03/21 00:24:53

CentOS-announce -- CentOS announcements (security and general) will be posted to this list.

http://lists.centos.org/mailman/listinf ... s-announce

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Estimated time before official openssl rpms are released

Post by avij » 2015/03/21 08:52:21

You can also keep an eye on https://rhn.redhat.com/errata/rhel-server-7-errata.html -- as you can see, Red Hat has not released an update to openssl either (yet). The CentOS openssl update will be released a few hours after the RHEL openssl update has been released.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Estimated time before official openssl rpms are released

Post by avij » 2015/03/23 22:08:55

A quick status update. OpenSSL updates for CentOS 6 and CentOS 7 have now been released.

For CentOS 7, the updates are included as updates for the next point release of CentOS, CentOS 7 (tag 1503). This version is still in QA testing, but if you want to get the updates quicker, you can get them from the CR repository.

If you are using CentOS 6, you should be able to get the update with a simple yum update. Please note that some mirrors may not have synced yet, so please try again after a few hours if you don't see any openssl updates.

There doesn't seem to be any openssl updates for RHEL/CentOS 5 yet.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Estimated time before official openssl rpms are released

Post by TrevorH » 2015/03/23 22:39:52

These fixes are marked as a maximum of "Moderate", and CentOS 5 is now in production phase 3 of its lifecycle upstream, so only fixes rated "important" or "critical" are released. I would not expect CentOS 5 packages for this batch of CVEs.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

rss245
Posts: 3
Joined: 2015/03/23 22:23:01

Re: Estimated time before official openssl rpms are released

Post by rss245 » 2015/03/26 12:44:11

Not to complain here, but how could this have happened?
OpenSSL and Heartbleed have been public news front and center for a while now. Do the authors of CentOS and Red Hat really handle this so poorly?
Sure, you can do the following in the meantime, but
I would have expected better on such a major issue:

wget https://www.openssl.org/source/openssl-1.0.2a.tar.gz
wget http://www.linuxfromscratch.org/patches ... ld-1.patch
tar xzf openssl-1.0.2a.tar.gz
cd openssl-1.0.2a
patch -Np1 -i ../openssl-1.0.2a-fix_parallel_build-1.patch
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic
make
make install


Why has this yet to be implemented in an rpm package and yum package? I am shocked at this essentially poor handling of a critical security issue.
The open source community really fell down on the job on this issue. :(

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Estimated time before official openssl rpms are released

Post by TrevorH » 2015/03/26 13:17:16

The openssl fixes that are marked as Important and Critical are fixed in the latest CentOS 5 openssl packages. That includes Heartbleed etc. If you do your source build then you will overwrite a large amount of packaged files, and those will in turn be overwritten (and broken) next time an openssl package is released by CentOS. In addition, many things are likely to stop working with the newer openssl installed in this way. Do not do it.
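As an added example (not code from the thread, CentOS or Red Hat), a POSIX shell script for the two checks that avij's and TrevorH's posts imply: whether the installed openssl RPM's changelog credits a fix for a given CVE (the distro backports fixes without changing the upstream version string), and whether a source "make install" has overwritten packaged files, which rpm -V reveals. The CVE ids and rpm -V lines in the sample data are constructed placeholders; the real ids are in the openssl advisory linked above.

```shell
#!/bin/sh
# Added example: post-advisory checks for a CentOS host's openssl package.
# Red Hat/CentOS keep the upstream version (e.g. 1.0.1e) and backport fixes,
# so "openssl version" cannot tell you which CVEs are patched; the RPM
# changelog names each fixed CVE. A source "make install" over /usr replaces
# packaged files silently; "rpm -V" flags files whose digest changed.

# Return 0 if the changelog text on stdin credits a fix for the CVE id in $1.
# The id is matched as a whole token, so CVE-2015-111 does not match CVE-2015-1111.
changelog_fixes_cve() {
    grep -E -q -- "(^|[^0-9])$1([^0-9]|$)"
}

# Read "rpm -V" output on stdin and print packaged files whose digest ("5" in
# column 3 of the flag string) no longer matches the RPM database, i.e. files
# that something other than the package manager has overwritten.
overwritten_packaged_files() {
    awk 'substr($1, 3, 1) == "5" { print $NF }'
}

# Run both checks on the live host. Usage: check_openssl_host CVE-... [CVE-...]
# Returns 1 if any CVE is missing from the changelog or any file is overwritten.
check_openssl_host() {
    status=0
    log=$(mktemp) || return 2
    rpm -q --changelog openssl >"$log" 2>/dev/null
    for cve in "$@"; do
        if changelog_fixes_cve "$cve" <"$log"; then echo "$cve: fixed"
        else echo "$cve: NOT in changelog"; status=1; fi
    done
    rm -f "$log"
    n=$(rpm -V openssl 2>/dev/null | overwritten_packaged_files | wc -l)
    [ "$n" -eq 0 ] || { echo "$n packaged openssl file(s) overwritten"; status=1; }
    return $status
}

# Constructed sample inputs with placeholder CVE ids, shaped like real
# RPM changelog entries and "rpm -V" output.
SAMPLE_CHANGELOG='* Mon Mar 23 2015 Placeholder Maintainer <maint@example.com> 1.0.1e-42.1
- fix CVE-2015-1111 - placeholder description
- fix CVE-2015-2222 - placeholder description'
SAMPLE_VERIFY='S.5....T.    /usr/bin/openssl
.......T.  c /etc/pki/tls/openssl.cnf
S.5....T.    /usr/lib64/libssl.so.1.0.1e'
```

Running check_openssl_host with the ids from the advisory on a freshly updated host should report every id as fixed and no overwritten files; a host where the source build from the previous post was done will show /usr/bin/openssl and the shared libraries as overwritten.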
