Officially released via CR: CR Repository for CentOS Linux 7 (1708) Released – Seven.CentOS.org
Sweet, they fixed the iptables bug too before upstream did. Centmin Mod does use a lot of 3rd party repos, EPEL, CentOS Plus, Remi, etc., so it will be interesting to test CR repo updates on a test Centmin Mod server.
Mixed feelings about this bugfix. If it stays with fasttrack, bug blocker etc, and change it until the upstream patch has been issued, that's fine with me. But stick to upstream if possible. It's not released upstream yet for a reason; there is always a reason. For example, CentOS released this patch yesterday, 'Wed, 23 Aug 2017 01:53:30 +0000'. You can't test all the known 'Enterprise' test scenarios with new code in only one single day.
Indeed, it's a fine line to walk along when it comes to critical bugs though. How many folks follow such changes/bugs so closely, other than just running yum update when they see a new release and assuming all works properly after the update?
After hitting so many errors, bugs, weird shit and kernel panics in my life, more than enough to write a book, you will
Testing CentOS 7.4 CR repo packages on test CentOS 7 server

Beautiful sight to see OpenSSL 1.0.2k making its debut via CR packages

```
yum info openssl -q
Installed Packages
Name        : openssl
Arch        : x86_64
Epoch       : 1
Version     : 1.0.2k
Release     : 8.el7
Size        : 814 k
Repo        : installed
From repo   : cr
Summary     : Utilities from the general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.
```

```
rpm -qa --changelog openssl | head -n34
* Wed May 17 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-8
- fix regression in openssl req -x509 command (#1450015)

* Thu Apr 13 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-7
- handle incorrect size gracefully in aes_p8_cbc_encrypt()

* Mon Mar 27 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-6
- allow long client hellos to be received by server

* Mon Mar 27 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-5
- fix CPU features detection on new AMD processors

* Thu Mar 09 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-4
- add support for additional STARTTLS protocols to s_client
  original backported patch by Robert Scheck (#1396209)

* Wed Mar 01 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-3
- properly document the SSLv2 support removal

* Mon Feb 20 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-2
- add PPC assembler updates

* Tue Feb 07 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-1
- minor upstream release 1.0.2k fixing security issues

* Tue Jan 10 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2j-2
- deprecate and disable verification of insecure hash algorithms
- add support for /etc/pki/tls/legacy-settings also for minimum DH length accepted by SSL client
- compare the encrypt and tweak key in XTS as required by FIPS

* Thu Jan 05 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2j-1
- rebase to latest upstream release from the 1.0.2 branch, ABI compatible
```

OpenSSH 7.4p1

```
yum info openssh -q
Installed Packages
Name        : openssh
Arch        : x86_64
Version     : 7.4p1
Release     : 11.el7
Size        : 1.9 M
Repo        : installed
From repo   : cr
Summary     : An open source implementation of SSH protocol versions 1 and 2
URL         : http://www.openssh.com/portable.html
License     : BSD
Description : SSH (Secure SHell) is a program for logging into and executing
            : commands on a remote machine. SSH is intended to replace rlogin and
            : rsh, and to provide secure encrypted communications between two
            : untrusted hosts over an insecure network. X11 connections and
            : arbitrary TCP/IP ports can also be forwarded over the secure channel.
            :
            : OpenSSH is OpenBSD's version of the last free version of SSH, bringing
            : it up to date in terms of security and features.
            :
            : This package includes the core files necessary for both the OpenSSH
            : client and server. To make this package useful, you should also
            : install openssh-clients, openssh-server, or both.
```

Recompiling PHP via centmin.sh menu option 5 and then checking the OpenSSL version used after OpenSSL 1.0.2k CR yum update

```
ldd $(which php) | grep libssl
        libssl.so.10 => /lib64/libssl.so.10 (0x00007fc167249000)
        libssl3.so => /lib64/libssl3.so (0x00007fc1633b9000)
```

```
rpm -ql openssl-devel | grep libssl.so
/usr/lib64/libssl.so
```

```
ls -lah /usr/lib64/libssl.so
lrwxrwxrwx 1 root root 16 Sep 7 07:37 /usr/lib64/libssl.so -> libssl.so.1.0.2k

ls -lah /lib64/libssl.so.10
lrwxrwxrwx 1 root root 16 Sep 7 07:37 /lib64/libssl.so.10 -> libssl.so.1.0.2k
```

```
php --ri openssl

openssl

OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL Header Version => OpenSSL 1.0.2k-fips 26 Jan 2017
Openssl default config => /etc/pki/tls/openssl.cnf

Directive => Local Value => Master Value
openssl.cafile => no value => no value
openssl.capath => no value => no value
```
Something else. Upstream released 7.4, also termed Update 4, on August 1, 2017. That's 34 days ago. It's ridiculous for a full-time paid team to not be able to release a copy in 34 days. All they have to do is rebuild and test. I have said it before: STOP unofficial projects like x86 and Aarch64, which are non-upstream, unofficial and not supported. Just started with everything at the same time with limited resources. There is no line and structure at all.
Already released, but most mirrors are locked via the master sync server to give time for all mirrors to sync correctly, and wait for the official start. However, some have forgotten this, like this one below: mirror.plusserver.com Happy downloading and installing. (Verified. It works correctly, installed with CentOS-7-x86_64-Everything-1708.iso, + latest updates installed via the same mirror)
Technically, well, yes, as the update has a kernel update too, to 3.10.0-693.2.2.el7, so if on non-OpenVZ or non-Linode servers, reboot. OpenVZ doesn't use the system kernel and Linode has a custom kernel, so they do not require reboots.
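
The reboot decision described in the post above, as an added example that is not part of the original thread: it compares the running kernel against the installed kernel packages and treats a running kernel that matches no installed package (as on OpenVZ or a provider-supplied kernel) as not needing a reboot. The function names `kver_newer` and `kernel_reboot_status` are hypothetical, and the version comparison assumes CentOS-style `version-release.elN.arch` names.

```bash
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# kver_newer A B: succeed if kernel version-release A is newer than B.
# Assumes CentOS-style names: the ".elN.arch" suffix is dropped and the
# remaining fields are compared as integers, so 693.2.2 > 693 > 514.26.2.
kver_newer() {
    _a=${1%%.el*}; _b=${2%%.el*}
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%[.-]*}; _y=${_b%%[.-]*}
        _x=${_x:--1}; _y=${_y:--1}      # a missing field sorts lowest
        if [ "$_x" -gt "$_y" ]; then return 0; fi
        if [ "$_x" -lt "$_y" ]; then return 1; fi
        case $_a in *[.-]*) _a=${_a#*[.-]} ;; *) _a= ;; esac
        case $_b in *[.-]*) _b=${_b#*[.-]} ;; *) _b= ;; esac
    done
    return 1
}

# kernel_reboot_status RUNNING [INSTALLED...]
#   RUNNING    output of `uname -r`
#   INSTALLED  version-release.arch of every installed kernel package
# Prints: current      running kernel is the newest installed package
#         reboot       a newer kernel package is installed but not booted
#         host-kernel  running kernel is not from an installed package
#                      (container or provider kernel; a reboot changes nothing)
kernel_reboot_status() {
    _running=$1; shift
    _newest=; _found=0
    for _k in "$@"; do
        if [ "$_k" = "$_running" ]; then _found=1; fi
        if [ -z "$_newest" ] || kver_newer "$_k" "$_newest"; then _newest=$_k; fi
    done
    if [ "$_found" -eq 0 ]; then echo host-kernel
    elif [ "$_newest" = "$_running" ]; then echo current
    else echo reboot
    fi
}

# Live use on a CentOS host:
#   kernel_reboot_status "$(uname -r)" \
#       $(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n')
```
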