Security LibreSSL 2.3.4 Released

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Mar 23, 2016.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    54,098
    12,177
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,735
    Local Time:
    12:57 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+

    Centmin Mod 1.2.3-eva2000.08+ LibreSSL 2.3.4



    LibreSSL 2.3.4 is now the stable release: http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.4-relnotes.txt

    Centmin Mod 123.08stable and 123.09beta01 Github branches, corresponding to Centmin Mod 1.2.3-eva2000.08 stable and Centmin Mod 1.2.3-eva2000.09 beta01, have been updated to default to LibreSSL 2.3.4 for new fresh installs. For existing folks, follow the update instructions below.

    Centmin Mod Nginx Update LibreSSL



    For Centmin Mod 1.2.3-eva2000.08 beta03, .08 stable and higher you can update to LibreSSL 2.3.4 via 2 steps.

    Step 1. Update the centmin.sh LIBRESSL_VERSION variable to 2.3.4. The best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. That will auto update centmin.sh to the latest version, which already has LIBRESSL_VERSION='2.3.4' set.

    If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup, then you need to manually update and edit your server copy of centmin.sh at /usr/local/src/centminmod/centmin.sh

    from
    Code (Text):
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.3.3'   # Use this version of LibreSSL http://www.libressl.org/


    to
    Code (Text):
    # LibreSSL
    LIBRESSL_SWITCH='y'        # if set to 'y' it overrides OpenSSL as the default static compiled option for Nginx server
    LIBRESSL_VERSION='2.3.4'   # Use this version of LibreSSL http://www.libressl.org/


    or you can do it via sed replacement on centmin.sh within the Centmin Mod directory


    Code (Text):
    cmdir
    sed -i "s|LIBRESSL_VERSION='2.3.3'|LIBRESSL_VERSION='2.3.4'|g" centmin.sh
    grep LIBRESSL_VERSION centmin.sh


    Step 2. Then select centmin.sh menu option #4 to upgrade/downgrade Nginx, recompile Nginx and specify the latest Nginx version, i.e. 1.9.15.

    For example, after the recompile the Nginx version output will show built with LibreSSL 2.3.4

    for 123.09 beta01 with NGINXMODULE_ALTORDER=y enabled

    LibreSSL 2.3.4



    You'll find the latest LibreSSL 2.3.4 on the official site.
     
    Last edited: May 4, 2016
  2. eva2000

    Alternatively, to update Centmin Mod Nginx, read instructions here or below.

    To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:

    Upgrading Centmin Mod Code to Latest Version



    Upgrading Centmin Mod involves 2 parts.
    1. Upgrading the actual Centmin Mod code, outlined at Upgrade Centmin Mod - CentminMod.com LEMP Nginx web stack for CentOS. This is the heart of Centmin Mod, where the code is the engine that runs the centmin.sh shell based menu and all the automation you're accustomed to.
    2. Upgrading software that Centmin Mod installed or manages. For this part follow the outline at Upgrade - How to upgrade Centmin Mod. In this case, after updating Centmin Mod code, read the instructions here and run centmin.sh menu option 4 to recompile Nginx, which already has the centmin.sh variable updated to 2.3.4
      Code (Text):
      LIBRESSL_VERSION='2.3.4'
     
    Last edited: May 4, 2016
  3. eva2000

    You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via the output of the SSH command
    Code (Text):
    nginx -V


    If using LibreSSL, the built with line will look like this
    Code (Text):
    nginx -V
    nginx version: nginx/1.9.15
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.3.4


    If using OpenSSL, the built with line will look like this
    Code (Text):
    nginx -V
    nginx version: nginx/1.9.15
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
    built with OpenSSL 1.0.2h  1 Mar 2016
    
     
    Last edited: May 4, 2016
  4. eva2000


    Update for LibreSSL downloads and LibreSSL 2.3.4



    Updated both Centmin Mod 123.08stable and 123.09beta01 builds to update the LibreSSL version to 2.3.4, as well as to update the LibreSSL download url mirror, as the old defined mirror is down. Without updating your Centmin Mod branch version to the latest code, Nginx upgrade, downgrade and recompiles via centmin.sh menu option 4 will fail to properly install and compile Nginx.

    To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:
     
  7. eva2000

    Another reminder to update Centmin Mod branch code and then to update to LibreSSL 2.3.4 or OpenSSL 1.0.2h for the centmin.sh menu option 4 based Nginx recompile as outlined above, and to double check via the tool at Test your server for yet another CBC padding oracle (CVE-2016-2107) that your HTTPS based web sites are secure and not vulnerable to CVE-2016-2107.

    Checking various web sites I visit (mainly non-Centmin Mod Nginx based), not everyone has patched the CVE-2016-2107 vulnerability still! Several other web stack installers out there that do similar to Centmin Mod Nginx installers are also running vulnerable versions, so just double check folks!

    There's also a command line version of the CVE-2016-2107 checker, written in golang and requiring golang v1.6+, at GitHub - FiloSottile/CVE-2016-2107: Simple test for the May 2016 OpenSSL padding oracle (CVE-2016-2107)
    Code (Text):
    which CVE-2016-2107
    /root/golang/packages/bin/CVE-2016-2107

    Checking my own sites, they should be fixed and return Vulnerable: false. If it returns true, then the site is still vulnerable to security flaws from CVE-2016-2107
    Code (Text):
    CVE-2016-2107 centminmod.com
    2016/06/02 15:59:20 Vulnerable: false
    

    Code (Text):
    CVE-2016-2107 community.centminmod.com
    2016/06/02 16:00:19 Vulnerable: false
    
     
    Last edited: Jun 3, 2016
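    As an added example (not Centmin Mod's or the thread author's own code), here is a small shell helper that reads the "built with" line from nginx -V output (as shown in post 3 above) and reports whether the linked library is at or above the patched LibreSSL 2.3.4 / OpenSSL 1.0.2h named in this post. It assumes GNU sort (for sort -V), grep and awk, and runs on constructed sample output.

```shell
#!/bin/sh
# Added example (not Centmin Mod's own code): classify the "built with" line of
# `nginx -V` against the patched releases named in this thread, LibreSSL 2.3.4
# and OpenSSL 1.0.2h. Assumes GNU sort (for `sort -V`), grep and awk.

# Minimum versions taken from the thread; anything below is flagged.
LIBRESSL_MIN='2.3.4'
OPENSSL_MIN='1.0.2h'

# tls_lib_status <text of nginx -V output>
# prints "ok", "outdated" or "unknown" and returns 0, 1 or 2 respectively
tls_lib_status() {
    line=$(printf '%s\n' "$1" | grep -i '^built with ' | head -n 1)
    lib=$(printf '%s\n' "$line" | awk '{print $3}')
    ver=$(printf '%s\n' "$line" | awk '{print $4}')
    case "$lib" in
        LibreSSL) minimum="$LIBRESSL_MIN" ;;
        OpenSSL)  minimum="$OPENSSL_MIN" ;;
        *)        echo unknown; return 2 ;;
    esac
    # sort -V orders dotted versions with a letter suffix correctly (1.0.2g < 1.0.2h),
    # so the installed version is acceptable when the minimum sorts first (or equal).
    lowest=$(printf '%s\n%s\n' "$ver" "$minimum" | sort -V | head -n 1)
    if [ "$lowest" = "$minimum" ]; then
        echo ok; return 0
    fi
    echo outdated; return 1
}

# Constructed sample outputs in the format shown in this thread (not captured from a real server).
SAMPLE_LIBRESSL='nginx version: nginx/1.9.15
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.3.4'
SAMPLE_OPENSSL_OLD='nginx version: nginx/1.9.15
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.2g  1 Mar 2016'

# On a live server nginx -V writes to stderr, so call: tls_lib_status "$(nginx -V 2>&1)"
for sample in "$SAMPLE_LIBRESSL" "$SAMPLE_OPENSSL_OLD"; do
    printf '%s -> ' "$(printf '%s\n' "$sample" | grep '^built with')"
    tls_lib_status "$sample" || :
done
```

    This only checks the version string that Nginx was compiled against; it does not replace the padding oracle test above, which exercises the live TLS endpoint.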