CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

peopleinside
Posts: 39
Joined: 2013/11/13 10:41:22

CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Postby peopleinside » 2016/06/06 15:53:08

Hi,
is there an OpenSSL update available to fix this serious security issue?
Thanks.


TrevorH
Forum Moderator
Posts: 18594
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Postby TrevorH » 2016/06/06 16:15:07

"Impact: Moderate"

Update to 6.8 and get openssl-1.0.1e-48.el6_8.1.x86_64
CentOS 5 dies in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

asche
Posts: 2
Joined: 2016/06/11 08:42:37

Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Postby asche » 2016/06/11 08:56:12

Hello,

I'm just wondering why the online tests
- https://filippo.io/CVE-2016-2107/
- http://www.ssllabs.com
say that my server is vulnerable.

I installed the latest updates and also restarted nginx.


server:~$ rpm -q --changelog "openssl" | head -n 7
* Mo Mai 02 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.1
- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
- fix CVE-2016-0799 - memory issues in BIO_printf



server:~$ yum info openssl
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 48.el6_8.1
Size        : 4.0 M
Repo        : installed
From repo   : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.


Any idea?

TrevorH
Forum Moderator
Posts: 18594
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Postby TrevorH » 2016/06/11 09:02:53

Where did you get nginx from?
CentOS 5 dies in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

asche
Posts: 2
Joined: 2016/06/11 08:42:37

Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Postby asche » 2016/06/13 14:29:17

TrevorH wrote:Where did you get nginx from?

Thanks for the tip.
The nginx package came with an old openssl version.
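The outcome of this thread is that a patched system openssl package is not enough on its own: the daemon has to actually load that library, and a package that links its own copy of OpenSSL (as asche's nginx did) stays vulnerable no matter what `rpm -q --changelog openssl` says. The script below is an added example, not code from the thread, from CentOS or from nginx. It splits the check into two questions that the thread answers separately: does the openssl package's changelog carry a "fix CVE-2016-2107" entry, and does the daemon binary map the system libssl.so at all. The ldd and changelog samples are constructed for offline use; the live check assumes `rpm` and `ldd` are present and that the binary is `/usr/sbin/nginx` unless another path is given, both of which are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from the forum or from CentOS/nginx.
# The thread's finding: the patched system openssl package did not help because
# the nginx package shipped its own older OpenSSL. These helpers split the check
# into the questions that matter: is the system package patched for the CVE,
# and does the daemon binary actually load that system libssl?
# All sample command output below is CONSTRUCTED for offline use; the live
# commands (rpm, ldd) are only run by live_check when they are available.

CVE="CVE-2016-2107"

# 1. Scan "rpm -q --changelog openssl" text on stdin for a "fix <CVE>" entry.
#    Always exits 0; prints "patched" or "unpatched".
changelog_has_fix() {
    if grep -q -- "fix $1"; then echo patched; else echo unpatched; fi
}

# 2. Classify from "ldd <binary>" text on stdin where libssl comes from:
#    "system:<path>" if a shared libssl is mapped, else "static-or-bundled".
#    A statically linked OpenSSL never appears in ldd output, which is exactly
#    the case that the openssl package's changelog says nothing about.
libssl_source() {
    path=$(awk '/libssl\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }')
    if [ -n "$path" ]; then echo "system:$path"; else echo "static-or-bundled"; fi
}

# 3. Combine both answers. $1 = CVE id, $2 = changelog text, $3 = ldd text.
assess() {
    pkg=$(printf '%s\n' "$2" | changelog_has_fix "$1")
    src=$(printf '%s\n' "$3" | libssl_source)
    case "$src" in
        system:*)
            if [ "$pkg" = patched ]; then
                echo "ok: daemon loads patched system libssl (${src#system:})"
            else
                echo "VULNERABLE: system libssl has no fix for $1"
            fi ;;
        *)
            echo "INCONCLUSIVE: daemon does not load system libssl; audit the package that bundles it" ;;
    esac
}

# Constructed sample inputs. The first changelog is trimmed from the thread;
# the second is a placeholder standing in for an older, unpatched build.
SAMPLE_CHANGELOG='* Mon May 02 2016 Tomas Mraz <tmraz@redhat.com> 1.0.1e-48.1
- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC'
OLD_CHANGELOG='* (constructed) older openssl build
- fix CVE-0000-0000 - placeholder entry'
LDD_SHARED='libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f2a3c000000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f2a3bc00000)
libc.so.6 => /lib64/libc.so.6 (0x00007f2a3b800000)'
LDD_STATIC='libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2a3c000000)
libc.so.6 => /lib64/libc.so.6 (0x00007f2a3b800000)'

# Run the real commands against a binary (assumed default: /usr/sbin/nginx)
# when rpm and ldd exist; otherwise say why the live check was skipped.
live_check() {
    bin="${1:-/usr/sbin/nginx}"
    if command -v rpm >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1 && [ -x "$bin" ]; then
        assess "$CVE" "$(rpm -q --changelog openssl)" "$(ldd "$bin")"
    else
        echo "live check skipped: need rpm, ldd and an executable at $bin"
    fi
}

assess "$CVE" "$SAMPLE_CHANGELOG" "$LDD_SHARED"
assess "$CVE" "$OLD_CHANGELOG"    "$LDD_SHARED"
assess "$CVE" "$SAMPLE_CHANGELOG" "$LDD_STATIC"
if [ "${1:-}" = "--live" ]; then live_check "$2"; fi
```

Run it with `--live /path/to/daemon` on the host to check a real binary. Two caveats follow from the thread: Red Hat backports fixes without bumping the upstream version string, so a "1.0.1e" reported by `nginx -V` or any version-comparing scanner says nothing about the patch level, whereas the filippo.io test probes the padding oracle behaviour itself and was therefore right about asche's server; and an INCONCLUSIVE result means the fix status depends entirely on whoever built the package that bundles OpenSSL, so the fix is to take nginx from a repository that links the distribution's shared libssl, then restart it.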

