Welcome to Centmin Mod Community
Become a Member

Security LibreSSL 2.2.5 Released Security Fixes

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Dec 12, 2015.

  1. eva2000

    eva2000 Administrator Staff Member

    28,973
    6,576
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,760
    Local Time:
    11:16 PM
    Nginx 1.13.x
    MariaDB 5.5

    Centmin Mod 1.2.3-eva2000.08+ LibreSSL 2.2.5



    LibreSSL 2.2.5 is now the stable release with a few bug and security fixes for following:

    Centmin Mod 123.08stable and 123.09beta01 Github branches corresponding to Centmin Mod 1.2.3-eva2000.08 stable and Centmin Mod 1.2.3-eva2000.09 beta01 have been updated to default to LibreSSL 2.2.5 for new fresh installs. For existing folks, follow below update instructions.

    While Centmin Mod 1.2.3-eva2000.07 stable used OpenSSL for Nginx compile, Centmin Mod .08+ has switched from OpenSSL to LibreSSL, so no longer is reliant on OpenSSL for Nginx. Full details of Nginx + LibreSSL here.

    Centmin Mod Nginx Update LibreSSL



    For Centmin Mod 1.2.3-eva2000.08 beta03, .08 stable and higher you can update to LibreSSL 2.2.5 via 2 steps.

    Step 1. Updating centmin.sh LIBRESSL_VERSION variable to 2.2.5. Best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. That will auto update centmin.sh to latest version which already has LIBRESSL_VERSION='2.2.5' set.

    If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup, then you need to manually update and edit your server copy of centmin.sh at /usr/local/src/centminmod/centmin.sh

    from
    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.2.4'   # Use this version of LibreSSL http://www.libressl.org/
    to
    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.2.5'   # Use this version of LibreSSL http://www.libressl.org/
    or can do it via sed replacement on centmin.sh within centmin mod directory

    Code:
    cmdir
    sed -i "s|LIBRESSL_VERSION='2.2.4'|LIBRESSL_VERSION='2.2.5'|g" centmin.sh
    grep LIBRESSL_VERSION centmin.sh
    Step 2. Then select centmin.sh menu option #4 to upgrade/downgrade Nginx recompile Nginx and specify latest Nginx version i.e. 1.9.9.

    For example after recompile Nginx version output will show built with LibreSSL 2.2.5

    for 123.08 stable
    for 123.09 beta01 with NGINXMODULE_ALTORDER=y enabled

    LibreSSL 2.2.5



    You'll find latest LibreSSL 2.2.5 on official site.
     
    • Informative Informative x 1
  2. Sunka

    Sunka Active Member

    888
    230
    43
    Oct 31, 2015
    Rijeka, Croatia
    Ratings:
    +376
    Local Time:
    3:16 PM
    Nginx 1.13.3
    MariaDB 10.1.24
    Thanks @eva2000

    Code:
    nginx -V
    nginx version: nginx/1.9.9
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.2.5
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-c++11-extensions -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --with-openssl-opt=enable-tlsext --add-module=../nginx-module-vts --with-libatomic --with-threads --with-stream --with-stream_ssl_module --with-http_gzip_static_module --add-module=../ngx_pagespeed-release-1.9.32.11-beta --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_realip_module --add-module=../nginx-accesskey-2.0.3 --add-module=../nginx-http-concat-master --add-module=../ngx-fancyindex-ngx-fancyindex --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.2.19 --add-module=../set-misc-nginx-module-0.29 --add-module=../echo-nginx-module-0.58 --add-module=../redis2-nginx-module-0.12 --add-module=../ngx_http_redis-0.3.7 --add-module=../lua-nginx-module-0.9.19 --add-module=../lua-upstream-nginx-module-0.04 --add-module=../lua-upstream-cache-nginx-module-0.1.1 --add-module=../nginx_upstream_check_module-0.3.0 --add-module=../openresty-memc-nginx-module-4f6f78f --add-module=../openresty-srcache-nginx-module-ffa9ab7 --add-module=../headers-more-nginx-module-0.28 --with-pcre=../pcre-8.38 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.2.5
     
    • Like Like x 1
  3. RoldanLT

    RoldanLT Well-Known Member

    3,829
    929
    113
    May 25, 2014
    Phillipines
    Ratings:
    +1,258
    Local Time:
    9:16 PM
    1.11
    10.2
    Since I'm behind Cloudflare, I will just wait for Nginx 1.9.10 to recompile with this update :).