
Security LibreSSL 2.2.5 Released Security Fixes

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Dec 12, 2015.

  1. eva2000

    eva2000 Administrator Staff Member


    Centmin Mod 1.2.3-eva2000.08+ LibreSSL 2.2.5



    LibreSSL 2.2.5 is now the stable release with a few bug and security fixes for the following:


    Centmin Mod 123.08stable and 123.09beta01 Github branches corresponding to Centmin Mod 1.2.3-eva2000.08 stable and Centmin Mod 1.2.3-eva2000.09 beta01 have been updated to default to LibreSSL 2.2.5 for new fresh installs. For existing folks, follow below update instructions.

    While Centmin Mod 1.2.3-eva2000.07 stable used OpenSSL for Nginx compile, Centmin Mod .08+ has switched from OpenSSL to LibreSSL, so no longer is reliant on OpenSSL for Nginx. Full details of Nginx + LibreSSL here.

    Centmin Mod Nginx Update LibreSSL



    For Centmin Mod 1.2.3-eva2000.08 beta03, .08 stable and higher you can update to LibreSSL 2.2.5 via 2 steps.

    Step 1. Updating centmin.sh LIBRESSL_VERSION variable to 2.2.5. Best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. That will auto update centmin.sh to latest version which already has LIBRESSL_VERSION='2.2.5' set.

    If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup, then you need to manually update and edit your server copy of centmin.sh at /usr/local/src/centminmod/centmin.sh

    from

    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.2.4'   # Use this version of LibreSSL http://www.libressl.org/

    to

    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.2.5'   # Use this version of LibreSSL http://www.libressl.org/

    or you can do it via sed replacement on centmin.sh within the Centmin Mod directory

    Code:
    # change to the Centmin Mod directory
    cmdir
    # replace the pinned LibreSSL version in place
    sed -i "s|LIBRESSL_VERSION='2.2.4'|LIBRESSL_VERSION='2.2.5'|g" centmin.sh
    # confirm the variable now reads 2.2.5
    grep LIBRESSL_VERSION centmin.sh

    Step 2. Then select centmin.sh menu option #4 to upgrade/downgrade Nginx, recompile Nginx and specify the latest Nginx version, i.e. 1.9.9.

    For example after recompile Nginx version output will show built with LibreSSL 2.2.5

    for 123.08 stable
    for 123.09 beta01 with NGINXMODULE_ALTORDER=y enabled

    LibreSSL 2.2.5



    You'll find latest LibreSSL 2.2.5 on official site.
     
  2. Sunka

    Sunka Well-Known Member

    Thanks @eva2000

    Code:
    nginx -V
    nginx version: nginx/1.9.9
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.2.5
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-openssl-opt=enable-tlsext --add-module=../nginx-module-vts --with-libatomic --with-threads --with-stream --with-stream_ssl_module --with-http_gzip_static_module --add-module=../ngx_pagespeed-release-1.9.32.11-beta --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_realip_module --add-module=../nginx-accesskey-2.0.3 --add-module=../nginx-http-concat-master --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.2.19 --add-module=../set-misc-nginx-module-0.29 --add-module=../echo-nginx-module-0.58 --add-module=../redis2-nginx-module-0.12 --add-module=../ngx_http_redis-0.3.7 --add-module=../lua-nginx-module-0.9.19 --add-module=../lua-upstream-nginx-module-0.04 --add-module=../lua-upstream-cache-nginx-module-0.1.1 --add-module=../nginx_upstream_check_module-0.3.0 --add-module=../openresty-memc-nginx-module-4f6f78f --add-module=../openresty-srcache-nginx-module-ffa9ab7 --add-module=../headers-more-nginx-module-0.28 --with-pcre=../pcre-8.38 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.2.5
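
A post-rebuild check for the update procedure in this thread, as an added example that is not part of the original posts or of Centmin Mod: it compares the `built with` line and the `--with-openssl=` source path in `nginx -V` output against the expected LibreSSL version, so a binary that was not actually recompiled is caught. The function names and the abbreviated sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical function names): confirm an Nginx binary was
# really rebuilt against the LibreSSL version that centmin.sh requests.

# Print the value of LIBRESSL_VERSION from a centmin.sh-style file ($1).
configured_libressl_version() {
    sed -n "s/^[[:space:]]*LIBRESSL_VERSION='\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Print the TLS library named on the "built with" line of `nginx -V` text
# read from stdin, e.g. "LibreSSL 2.2.5".
built_tls_library() {
    sed -n 's/^built with \([A-Za-z]*SSL [^ ]*\).*/\1/p' | head -n 1
}

# Print the version of the libressl source tree passed to --with-openssl=.
source_tree_version() {
    sed -n 's/.*--with-openssl=[^ ]*libressl-\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 only if both the "built with" line and the --with-openssl path
# match the expected version. $1 = expected version, $2 = nginx -V text.
check_libressl_build() {
    want=$1; text=$2
    lib=$(printf '%s\n' "$text" | built_tls_library)
    src=$(printf '%s\n' "$text" | source_tree_version)
    [ "$lib" = "LibreSSL $want" ] || { echo "FAIL: built with '${lib:-unknown}'"; return 1; }
    [ "$src" = "$want" ] || { echo "FAIL: source tree '${src:-unknown}'"; return 1; }
    echo "OK: Nginx built with LibreSSL $want"
}

# Constructed sample, abbreviated from the nginx -V output format shown above.
SAMPLE_NGINX_V="nginx version: nginx/1.9.9
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.2.5
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.2.5"

# On a real server (nginx -V writes to stderr, hence 2>&1):
#   check_libressl_build \
#     "$(configured_libressl_version /usr/local/src/centminmod/centmin.sh)" \
#     "$(nginx -V 2>&1)"
check_libressl_build 2.2.5 "$SAMPLE_NGINX_V"
```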
     
  3. rdan

    rdan Well-Known Member

    Since I'm behind Cloudflare, I will just wait for Nginx 1.9.10 to recompile with this update :).