
Security LibreSSL 2.2.4 Released security fixes

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Oct 19, 2015.

    eva2000 Administrator Staff Member


    Centmin Mod 1.2.3-eva2000.08+ LibreSSL 2.2.4



    LibreSSL 2.2.4 is now the stable release with a few bug and security fixes for buffer overflow and memory leaks (CVE-2015-5333 and CVE-2015-5334) (wikipedia).

    Centmin Mod 123.08stable and 123.09beta01 Github branches corresponding to Centmin Mod 1.2.3-eva2000.08 stable and Centmin Mod 1.2.3-eva2000.09 beta01 have been updated to default to LibreSSL 2.2.4 for new fresh installs. For existing folks, follow the update instructions below.

    While Centmin Mod 1.2.3-eva2000.07 stable used OpenSSL for Nginx compile, Centmin Mod .08+ has switched from OpenSSL to LibreSSL, so it is no longer reliant on OpenSSL for Nginx. Full details of Nginx + LibreSSL here.

    Centmin Mod Nginx Update LibreSSL



    For Centmin Mod 1.2.3-eva2000.08 beta03, .08 stable and higher you can update to LibreSSL 2.2.4 via 2 steps.

    Step 1. Updating centmin.sh LIBRESSL_VERSION variable to 2.2.4. Best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. That will auto update centmin.sh to latest version which already has LIBRESSL_VERSION='2.2.4' set.

    If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup, then you need to manually update and edit your server copy of centmin.sh at /usr/local/src/centminmod/centmin.sh

    from
    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.2.3'   # Use this version of LibreSSL http://www.libressl.org/
    to
    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.2.4'   # Use this version of LibreSSL http://www.libressl.org/
    or can do it via sed replacement on centmin.sh within centmin mod directory

    Code:
    cmdir
    sed -i "s|LIBRESSL_VERSION='2.2.3'|LIBRESSL_VERSION='2.2.4'|g" centmin.sh
    grep LIBRESSL_VERSION centmin.sh 
    Step 2. Then select centmin.sh menu option #4 (upgrade/downgrade Nginx) to recompile Nginx and specify the latest Nginx version, i.e. 1.9.5.

    For example, after the recompile the Nginx version output will show built with LibreSSL 2.2.4

    for 123.08 stable
    for 123.09 beta01 with NGINXMODULE_ALTORDER=y enabled

    LibreSSL 2.2.4



    You'll find latest LibreSSL 2.2.4 on official site.

     
    Last edited: Oct 19, 2015
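The two steps above as a repeatable check, added here as an example that is not part of the original post or of Centmin Mod. It goes slightly beyond the post's sed line by replacing whatever LIBRESSL_VERSION value is currently set (not only 2.2.3), and it reads the "built with" line that `nginx -V` prints after the recompile. The function names and the `.bak-libressl` backup suffix are hypothetical, and the demo input is constructed.

```shell
# Added example, not Centmin Mod code. Function names are hypothetical.

# Set LIBRESSL_VERSION in a centmin.sh-style file, whatever the current value.
# Prints "old -> new"; returns non-zero and leaves the file alone on any doubt.
set_libressl_version() {
  local file="$1" new="$2" count old
  # Digits and dots only, so nothing else can be written into the script.
  case "$new" in
    ''|*[!0-9.]*|.*|*.|*..*) echo "bad version: $new" >&2; return 2 ;;
  esac
  [ -f "$file" ] || { echo "not found: $file" >&2; return 2; }
  # Expect exactly one assignment line; anything else needs a manual look.
  count=$(grep -c "^LIBRESSL_VERSION='[^']*'" "$file") || true
  [ "$count" -eq 1 ] || { echo "expected 1 LIBRESSL_VERSION line, found $count" >&2; return 3; }
  old=$(sed -n "s|^LIBRESSL_VERSION='\([^']*\)'.*|\1|p" "$file")
  # Keep a copy of the file before editing it in place.
  cp -p "$file" "$file.bak-libressl" || return 4
  sed -i "s|^LIBRESSL_VERSION='[^']*'|LIBRESSL_VERSION='$new'|" "$file"
  grep -q "^LIBRESSL_VERSION='$new'" "$file" || return 5
  echo "$old -> $new"
}

# Extract the TLS library named on the "built with" line of `nginx -V` output.
# Pass the captured text as $1, e.g. "$(nginx -V 2>&1)" (nginx -V writes to stderr).
nginx_built_with() {
  printf '%s\n' "$1" |
    sed -nE 's/^built with ((LibreSSL|OpenSSL) [^ ]+).*/\1/p' | head -n 1
}

# Demo on constructed input (not the real centmin.sh or a real nginx binary).
demo() {
  local tmp
  tmp=$(mktemp)
  printf '%s\n' "# LibreSSL" "LIBRESSL_SWITCH='y'" \
    "LIBRESSL_VERSION='2.2.3'   # Use this version of LibreSSL" > "$tmp"
  set_libressl_version "$tmp" 2.2.4
  nginx_built_with "$(printf 'nginx version: nginx/1.9.5\nbuilt with LibreSSL 2.2.4\n')"
  rm -f "$tmp" "$tmp.bak-libressl"
}
demo
```

On a server, run `set_libressl_version /usr/local/src/centminmod/centmin.sh 2.2.4` before step 2, then `nginx_built_with "$(nginx -V 2>&1)"` after it; a result that still names OpenSSL or an older LibreSSL means the recompile did not pick up the change.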