Hi,
Is there an OpenSSL update available that fixes this serious security issue?
Thanks.
CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)
- peopleinside
- Posts: 67
- Joined: 2013/11/13 10:41:22
Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)
"Impact: Moderate"
Update to 6.8 and get openssl-1.0.1e-48.el6_8.1.x86_64
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)
Hello,
I'm just wondering why the online tests
- https://filippo.io/CVE-2016-2107/
- http://www.ssllabs.com
say that my server is vulnerable.
I installed the latest updates and also restarted nginx.
Any idea?
server:~$ rpm -q --changelog "openssl" | head -n 7
* Mon May 02 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.1
- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
- fix CVE-2016-0799 - memory issues in BIO_printf
server:~$ yum info openssl
Installed Packages
Name : openssl
Arch : x86_64
Version : 1.0.1e
Release : 48.el6_8.1
Size : 4.0 M
Repo : installed
From repo : updates
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
: machines. OpenSSL includes a certificate management tool and shared
: libraries which provide various cryptographic algorithms and
: protocols.
Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)
Where did you get nginx from?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)
TrevorH wrote: Where did you get nginx from?
Thanks for the tip.
The nginx package came with an old openssl version.
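The thread ends on the real cause: the openssl RPM was patched, but the nginx that was serving TLS did not use it. The checks below are an added example, not code from the thread or from the CentOS or nginx projects; they separate "the package is patched" from "this nginx actually loads the patched library". Red Hat backports fixes without changing the upstream version string, so `openssl version` and `nginx -V` print 1.0.1e before and after the erratum and cannot answer that question. Each function reads the output of one command on stdin; the sample outputs embedded at the end are constructed (modelled on CentOS 6, not captured from the poster's server), and the live section runs only if nginx and rpm are present.

```shell
#!/bin/sh
# Added example: four checks that tell "the openssl RPM is patched" apart from
# "the nginx serving TLS uses that patched library". Not code from the thread.

# 1. Package side: does the installed changelog record the fix?
#    usage: rpm -q --changelog openssl | changelog_has_cve CVE-2016-2107
changelog_has_cve() {
    grep -q -- "$1"
}

# 2. Build side: an nginx configured with --with-openssl=<source dir> compiled in a
#    private, statically linked OpenSSL that no RPM update can replace.
#    usage: nginx -V 2>&1 | openssl_linkage      (prints "bundled" or "system")
openssl_linkage() {
    if grep -q -- '--with-openssl='; then echo bundled; else echo system; fi
}

# 3. Link side: which libssl does the binary resolve at load time?
#    usage: ldd /usr/sbin/nginx | libssl_path     (path, or "none" if not dynamic)
libssl_path() {
    p=$(awk '$1 ~ /^libssl\.so/ { print $3 }')
    if [ -n "$p" ]; then echo "$p"; else echo none; fi
}

# 4. Runtime side: after `yum update` the old library file is unlinked but stays
#    mapped in every process that was not restarted; /proc shows it as "(deleted)".
#    usage: stale_libssl < /proc/<pid>/maps     (prints "stale" or "current")
stale_libssl() {
    if grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' >/dev/null; then
        echo stale
    else
        echo current
    fi
}

# Constructed sample outputs (modelled on CentOS 6, not captured from a real host).
SAMPLE_CHANGELOG='* Mon May 02 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.1
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC'
SAMPLE_NGINX_V_RPM='nginx version: nginx/1.10.0
built with OpenSSL 1.0.1e-fips 11 Feb 2013
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'
SAMPLE_NGINX_V_SRC='nginx version: nginx/1.10.0
built with OpenSSL 1.0.2g  1 Mar 2016
configure arguments: --prefix=/opt/nginx --with-http_ssl_module --with-openssl=/usr/local/src/openssl-1.0.2g'
SAMPLE_LDD_DYNAMIC='	libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f3c2a0f2000)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f3c29d0b000)'
SAMPLE_LDD_STATIC='	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f1d45c3c000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1d458a8000)'
SAMPLE_MAPS_STALE='7f3c29d0b000-7f3c29ea8000 r-xp 00000000 fd:01 1311 /usr/lib64/libcrypto.so.1.0.1e (deleted)'
SAMPLE_MAPS_OK='7f3c29d0b000-7f3c29ea8000 r-xp 00000000 fd:01 1412 /usr/lib64/libcrypto.so.1.0.1e'

# Run the checks on the samples so the script demonstrates itself offline.
printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_has_cve CVE-2016-2107 && echo "changelog: fix present"
echo "rpm nginx:   $(printf '%s\n' "$SAMPLE_NGINX_V_RPM" | openssl_linkage)"  # system
echo "src nginx:   $(printf '%s\n' "$SAMPLE_NGINX_V_SRC" | openssl_linkage)"  # bundled
echo "libssl:      $(printf '%s\n' "$SAMPLE_LDD_DYNAMIC" | libssl_path)"      # /usr/lib64/libssl.so.10
echo "worker maps: $(printf '%s\n' "$SAMPLE_MAPS_STALE" | stale_libssl)"      # stale

# Live run on this host; skipped when the tools are absent so the functions above
# can still be sourced and used elsewhere.
if command -v nginx >/dev/null 2>&1 && command -v rpm >/dev/null 2>&1; then
    rpm -q --changelog openssl | changelog_has_cve CVE-2016-2107 \
        && echo "openssl rpm: CVE-2016-2107 fix present" \
        || echo "openssl rpm: CVE-2016-2107 fix NOT present"
    echo "nginx OpenSSL: $(nginx -V 2>&1 | openssl_linkage)"
    echo "nginx libssl:  $(ldd "$(command -v nginx)" | libssl_path)"
    for pid in $(pgrep -x nginx 2>/dev/null); do
        echo "pid $pid: $(stale_libssl < /proc/$pid/maps)"
    done
fi
```

If check 2 prints "bundled" or check 3 prints a path outside /usr/lib64 (or "none"), the openssl RPM update never reached the library nginx uses and the online scanners are right; the fix is a rebuilt nginx package, not another `yum update`. If check 4 prints "stale", the package is fine but the worker still has the old mapping and needs a real restart, not a reload.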