Welcome to Centmin Mod Community
Register Now

Security LibreSSL 2.2.6 Security Fix Release

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 29, 2016.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    30,191
    6,788
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,142
    Local Time:
    3:10 AM
    Nginx 1.13.x
    MariaDB 5.5

    Centmin Mod 1.2.3-eva2000.08+ LibreSSL 2.2.6



    LibreSSL 2.2.6 is now the stable release with a few bug and security fixes for following:

    Centmin Mod 123.08stable and 123.09beta01 Github branches corresponding to Centmin Mod 1.2.3-eva2000.08 stable and Centmin Mod 1.2.3-eva2000.09 beta01 have been updated to default to LibreSSL 2.2.6 for new fresh installs. For existing folks, follow below update instructions.

    While Centmin Mod 1.2.3-eva2000.07 stable used OpenSSL for Nginx compile, Centmin Mod .08+ has switched from OpenSSL to LibreSSL, so no longer is reliant on OpenSSL for Nginx. Full details of Nginx + LibreSSL here.

    Centmin Mod Nginx Update LibreSSL



    For Centmin Mod 1.2.3-eva2000.08 beta03, .08 stable and higher you can update to LibreSSL 2.2.6 via 2 steps.

    Step 1. Updating centmin.sh LIBRESSL_VERSION variable to 2.2.5. Best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. That will auto update centmin.sh to latest version which already has LIBRESSL_VERSION='2.2.6' set.

    If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup, then you need to manually update and edit your server copy of centmin.sh at /usr/local/src/centminmod/centmin.sh

    from
    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.2.5'   # Use this version of LibreSSL http://www.libressl.org/
    to
    Code:
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.2.6'   # Use this version of LibreSSL http://www.libressl.org/
    or can do it via sed replacement on centmin.sh within centmin mod directory

    Code:
    cmdir
    sed -i "s|LIBRESSL_VERSION='2.2.5'|LIBRESSL_VERSION='2.2.6'|g" centmin.sh
    grep LIBRESSL_VERSION centmin.sh
    Step 2. Then select centmin.sh menu option #4 to upgrade/downgrade Nginx recompile Nginx and specify latest Nginx version i.e. 1.9.10.

    For example after recompile Nginx version output will show built with LibreSSL 2.2.6

    for 123.08 stable
    for 123.09 beta01 with NGINXMODULE_ALTORDER=y enabled

    LibreSSL 2.2.6



    You'll find latest LibreSSL 2.2.6 on official site.
     
    Last edited: Jan 29, 2016
  2. eva2000

    eva2000 Administrator Staff Member

    30,191
    6,788
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,142
    Local Time:
    3:10 AM
    Nginx 1.13.x
    MariaDB 5.5
    Alternatively, to update Centmin Mod Nginx, read instructions here or below.

    To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:

    Upgrading Centmin Mod Code to Latest Version



    Upgrading Centmin Mod involves 2 parts.
    1. Upgrading the actual Centmin Mod code outlined at Upgrade Centmin Mod - CentminMod.com LEMP Nginx web stack for CentOS This is heart of Centmin Mod where the code is the engine that runs centmin.sh shell based menu and all the automation you're accustomed to.
    2. Upgrade software that Centmin Mod installed or manages. For this part following outline at Upgrade - How to upgrade Centmin Mod. In this case after updating Centmin Mod code, read instructions here and run centmin.sh menu option 4 to recompile Nginx which already has centmin.sh variable updated to 2.2.6
      Code:
      LIBRESSL_VERSION='2.2.6'
     
  3. eva2000

    eva2000 Administrator Staff Member

    30,191
    6,788
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,142
    Local Time:
    3:10 AM
    Nginx 1.13.x
    MariaDB 5.5
    You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via output of SSH command
    Code:
    nginx -V
    If using LibreSSL, built with line will list such
    Code:
    nginx -V
    nginx version: nginx/1.9.10
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.2.6
    If using OpenSSL, built with line will list such
    Code:
    nginx -V          
    nginx version: nginx/1.9.10
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with OpenSSL 1.0.2f  28 Jan 2016
    
     
  4. eva2000

    eva2000 Administrator Staff Member

    30,191
    6,788
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,142
    Local Time:
    3:10 AM
    Nginx 1.13.x
    MariaDB 5.5
    Note Centmin Mod 123.09beta01 implemented LibreSSL geo location mirror mapping https://community.centminmod.com/posts/24955/

    So not all mirrors for LibreSSL listed at Getting OpenBSD have 2.2.6 LibreSSL version populated yet.

    FYI, just updated 123.09beta01 with mirror checking routine for LibreSSL so if the mirror url doesn't have the LibreSSL version populated it will fall back to main download link.

    Example, My Virtualbox server located in Australia detected AU mirror but fellback to main USA download link as Australian mirror doesn't have the LibreSSL version
    Code:
    AU server detected
    Download libressl-2.2.6.tar.gz ...
    Initializing download: http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.6.tar.gz
    File size: 2965531 bytes
    Opening output file libressl-2.2.6.tar.gz
    Starting download
    
    Connection 2 finished                                                          ]
    Connection 3 finished                                                          ]
    Connection 1 finished                                                          ]
    Connection 0 finished                                                          ]
    
    Downloaded 2.8 Megabyte in 4 seconds. (602.36 KB/s)
    Download done.
    libressl-2.2.6.tar.gz valid file.
     
    Last edited: Jan 29, 2016
  5. eva2000

    eva2000 Administrator Staff Member

    30,191
    6,788
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,142
    Local Time:
    3:10 AM
    Nginx 1.13.x
    MariaDB 5.5
Thread Status:
Not open for further replies.