
Security CentOS updating for OpenSSL 1.0.1k on Centmin Mod LEMP

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 12, 2015.

  1. eva2000

    eva2000 Administrator Staff Member

    54,384
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    11:27 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    The OpenSSL 1.0.1k source release has been announced with 8 security bug fixes. You can read about them, and how to update both the CentOS system OpenSSL via YUM and Centmin Mod Nginx's static OpenSSL to 1.0.1k, here at Nginx - Updating OpenSSL 1.0.1K for Centmin Mod | Centmin Mod Community


    The recent release of OpenSSL 1.0.1k fixes various security bugs outlined at http://openssl.org/news/secadv_20150108.txt, including:
    1. DTLS segmentation fault in dtls1_get_record (CVE-2014-3571 and Redhat)
    2. DTLS memory leak in dtls1_buffer_record (CVE-2015-0206 and Redhat)
    3. no-ssl3 configuration sets method to NULL (CVE-2014-3569 and Redhat - not vulnerable in Redhat/CentOS)
    4. ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572 and Redhat)
    5. RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204 and Redhat)
    6. DH client certificates accepted without verification [Server] (CVE-2015-0205 and Redhat)
    7. Certificate fingerprints can be modified (CVE-2014-8275 and Redhat)
    8. Bignum squaring may produce incorrect results (CVE-2014-3570 and Redhat)
     
  2. eva2000

    Forums here updated to the security-bug-fixed OpenSSL 1.0.2 beta

     
  3. eva2000

    Looks like Redhat and CentOS released system OpenSSL updates for these bugs on Jan 13-20th, 2015

    for Redhat/CentOS 6.x
    Code:
    openssl-1.0.1e-30.el6_6.5.i686.rpm       MD5: ecfb17f33168be074b5f88740dd5df81
    SHA-256: 56bae4fd15a7e32a17a7661dee08af40c56467b0c4155d7929b7e9acd9b7c195
    openssl-1.0.1e-30.el6_6.5.x86_64.rpm       MD5: 6e0391e53d054a2f14685b9d8292d14e
    SHA-256: dee49ceaf0cd4fe018c0257f034fc8d5bb0a504ebc94129b434f8b5fa21de0a6
    openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm       MD5: f34aed0ec780fc16b3eee10dc9e971fc
    SHA-256: c5dcb2c75d0081e3458575d4fc25be33c470eb6c6a6798e5f3214d55c5e6ef82
    openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm       MD5: f57b9544d88c911c2128c04605b1b1d4
    SHA-256: c0586962cd15600476d859bd81fa7399ef66ac71639ada7835d41677f5235d56
    openssl-devel-1.0.1e-30.el6_6.5.i686.rpm       MD5: d276e5a6a3d80380709133d79d2b6ecd
    SHA-256: 5c19d5d35082db040a6594c730324bf8b76225baa4e6aaf31a26cdd95624aa07
    openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm       MD5: 774e3519c8f89315540fb5ae813283b0
    SHA-256: 3090214f84aa3feb2ae44ddebb2dfd69eecfe439ecfcd16feb015f56535a8d12
    openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm       MD5: f91623ef7614a31e555f11f388965547
    SHA-256: 4f66b170e5905b468867ed2ce9b8c5446558b97ad1dce50e9b48507b7ad47338
    openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm       MD5: c7a490aa010da778b222bba1a089df41
    SHA-256: 8b95d1aac9a07c26d86d4af93c1f77d7e0c767c17800997f8d7fc306abacaf80
    
    for Redhat/CentOS 7.x
    Code:
    openssl-1.0.1e-34.el7_0.7.x86_64.rpm        MD5: 0039337b3ab2bff15acc5ce0bf73679f
    SHA-256: 3e0eacb4f5aa39123c777dd3c523c46d171d9d0675d32b7f75fd95c1b80a92e8
    openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm        MD5: 73a8003a1ae7ff630aca02e7f1e4456a
    SHA-256: 34a5880163532c7fe7166e19c4c6123d0f209c0b87118d89cf9a6f9148398fb5
    openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm        MD5: 0cd4d3406b03de401ddfea9b6ac3366a
    SHA-256: 40fa8f9efc46b7e3bd37f3abae2d09f0d7c17c877638cc0a280d83c468ef0956
    openssl-devel-1.0.1e-34.el7_0.7.i686.rpm        MD5: 5c4354b306cec9e0a4f043cb42e214ea
    SHA-256: e81989c0f56f04c3ace6aa82d2123f3db725ba57e834fc481cb34c8dae009b61
    openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm        MD5: 8c0427697ad0af02ccbcfbc6c47b71dd
    SHA-256: 00fac9282cff230ce7a2d785df90d4f46de5a6f465a2fd1af57c545c956267bb
    openssl-libs-1.0.1e-34.el7_0.7.i686.rpm        MD5: fb7156ed9b3607b0a2c365f9709bb27e
    SHA-256: 9a7be39ff35950127bba8399c8f6cde05c3eaf3e598f1104143fecf388ad418a
    openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm        MD5: c4a76cab9ccf77c5865434012e9d4355
    SHA-256: 14a375789373add530cd4ef7086bb3ff7b28166d79ef22c9fa9f58fc44b35587
    openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm        MD5: 96e8ab9c13c77ae76634500c93e5f139
    SHA-256: 45b3d50e97e52654e13dd1f9e89b825ad7344d7ca9b296e2f4abb865ddb079a6
    openssl-static-1.0.1e-34.el7_0.7.i686.rpm        MD5: 6099d2b4f0641d5652ec989c5c097bae
    SHA-256: 483d9582537f4158bbf3bced9923c041a4b2c7487998cd983144276c2f95ec85
    openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm        MD5: 80dfd9b5bbbe00278e7f4137dfdbb1c0
    SHA-256: 34e81c305c4e3f52ad185259297e09e8c8fff205c1cbeb6f666fe1358ad81e68
    On my CentOS 6.6 system
    Code:
    yum list openssl -q
    Installed Packages
    openssl.i686    1.0.1e-30.el6_6.5    @updates
    change log
    Code:
    rpm -ql --changelog openssl | head -n 10
    * Tue Jan 13 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30.5
    - fix CVE-2014-3570 - incorrect computation in BN_sqr()
    - fix CVE-2014-3571 - possible crash in dtls1_get_record()
    - fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state
    - fix CVE-2014-8275 - various certificate fingerprint issues
    - fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export
      ciphersuites and on server
    - fix CVE-2015-0205 - do not allow unauthenticated client DH certificate
    - fix CVE-2015-0206 - possible memory leak when buffering DTLS records
    On my CentOS 7.0 system
    Code:
    yum list openssl -q
    Installed Packages
    openssl.x86_64    1:1.0.1e-34.el7_0.6    @updates
    Available Packages
    openssl.x86_64    1:1.0.1e-34.el7_0.7    updates
    
    change log
    Code:
    rpm -ql --changelog openssl | head -n 10
    * Tue Jan 13 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-34.7
    - fix CVE-2014-3570 - incorrect computation in BN_sqr()
    - fix CVE-2014-3571 - possible crash in dtls1_get_record()
    - fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state
    - fix CVE-2014-8275 - various certificate fingerprint issues
    - fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export
      ciphersuites and on server
    - fix CVE-2015-0205 - do not allow unauthenticated client DH certificate
    - fix CVE-2015-0206 - possible memory leak when buffering DTLS records
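
    An added example (my own code, not from this thread or from Centmin Mod) that turns the checks in this post into something repeatable: it orders RPM EVR strings the way rpm does (a simplified rpmvercmp, no tilde/caret handling), pulls the installed and available builds out of the yum list openssl -q output quoted above, decides whether the installed build is at or above the first fixed CentOS/RHEL build, and confirms that the rpm changelog names every CVE from the advisory except CVE-2014-3569, which Red Hat lists as not affecting its builds. The FIXED_EVR table, the function names and the sample yum/changelog text are my own, constructed from the output shown in this post.

```python
import re

# CVEs fixed by OpenSSL 1.0.1k (secadv_20150108, as listed in this thread).
OPENSSL_1_0_1K_CVES = frozenset({
    "CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572",
    "CVE-2014-8275", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206",
})
# Red Hat's builds were not affected by this one, so the changelog never names it.
RHEL_NOT_AFFECTED = frozenset({"CVE-2014-3569"})
# First CentOS/RHEL openssl builds carrying the backported fixes (taken from this post).
FIXED_EVR = {"el6": "1.0.1e-30.el6_6.5", "el7": "1:1.0.1e-34.el7_0.7"}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp: split on non-alphanumerics, compare numeric
    segments as integers and alpha segments lexically, numeric beats alpha,
    and whichever string has segments left over is newer (no tilde/caret)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_evr(evr):
    """'1:1.0.1e-34.el7_0.7' -> (1, '1.0.1e', '34.el7_0.7'); a missing epoch is 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.rpartition("-")
    if not version:
        raise ValueError("expected [EPOCH:]VERSION-RELEASE, got %r" % evr)
    return int(epoch), version, release

def evr_cmp(a, b):
    """Order two EVR strings the way rpm does: epoch, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_patched(installed_evr):
    """True when the installed openssl is at or above the fixed build for its
    EL major, which is read from the '.elN' tag in the release string."""
    m = re.search(r"\.el(\d+)", installed_evr)
    fixed = FIXED_EVR.get("el" + m.group(1)) if m else None
    if fixed is None:
        raise ValueError("no known fixed build for %r" % installed_evr)
    return evr_cmp(installed_evr, fixed) >= 0

def parse_yum_list(text):
    """Installed/available EVRs from 'yum list openssl -q' output."""
    section, found = None, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == "Packages":
            section = parts[0].lower()  # 'installed' or 'available'
        elif section and len(parts) == 3 and parts[0].startswith("openssl."):
            found[section] = parts[1]
    return found

def cves_missing(changelog, expected=OPENSSL_1_0_1K_CVES, not_affected=RHEL_NOT_AFFECTED):
    """Advisory CVEs that the 'rpm -q --changelog openssl' text does not mention."""
    named = set(re.findall(r"CVE-\d{4}-\d{4,}", changelog))
    return sorted(expected - not_affected - named)

def check(yum_text, changelog):
    """One verdict for a host: is the installed build fixed, is a newer build
    waiting in the repo, and which advisory CVEs the changelog fails to name."""
    evrs = parse_yum_list(yum_text)
    installed = evrs["installed"]
    pending = "available" in evrs and evr_cmp(evrs["available"], installed) > 0
    return {"installed": installed, "patched": is_patched(installed),
            "update_pending": pending, "cves_missing": cves_missing(changelog)}

# Sample input constructed from the yum/rpm output quoted in this post.
YUM_EL6 = """Installed Packages
openssl.i686    1.0.1e-30.el6_6.5    @updates
"""
YUM_EL7 = """Installed Packages
openssl.x86_64    1:1.0.1e-34.el7_0.6    @updates
Available Packages
openssl.x86_64    1:1.0.1e-34.el7_0.7    updates
"""
CHANGELOG_EL6 = """* Tue Jan 13 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30.5
- fix CVE-2014-3570 - incorrect computation in BN_sqr()
- fix CVE-2014-3571 - possible crash in dtls1_get_record()
- fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state
- fix CVE-2014-8275 - various certificate fingerprint issues
- fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export
- fix CVE-2015-0205 - do not allow unauthenticated client DH certificate
- fix CVE-2015-0206 - possible memory leak when buffering DTLS records
"""

if __name__ == "__main__":
    print(check(YUM_EL6, CHANGELOG_EL6))
    print("el7 installed build patched:", is_patched(parse_yum_list(YUM_EL7)["installed"]))
```

    On a live box you would feed check() the real output of yum list openssl -q and rpm -q --changelog openssl; the EVR comparison is what matters, since a changelog entry can be present on a build you have not yet installed (the CentOS 7 output above shows exactly that: .6 installed, .7 available).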
    
     
  4. rdan

    rdan Well-Known Member

    5,444
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    9:27 AM
    Mainline
    10.2
    Not yet available on my SYS server.
     
  5. eva2000

    Try yum clean all, then yum update, and see.
     
  6. rdan

    Ah, that's why: mine is from the axivo repo :D
     
  7. eva2000

    haha :)
     
  8. eva2000

    Last edited: Jan 24, 2015
  9. eva2000
