
Security OpenSSL 1.0.2a, 1.0.1m, 1.0.0r & 0.9.8zf coming soon

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Mar 17, 2015.

  1. rdan

    Based on my _nginx_upgrade.log, I don't see any 404 or not found phrase :).

     
  2. eva2000

    if you get broken downloads, the upgrade would have aborted before the end of the upgrade :)

    if upgrade completed = all okay
     
    Last edited: Mar 20, 2015
  3. Steve Tozer

    Happened to me. Ran the upgrade again, worked next time round lol
     
  4. eva2000

    Redhat/CentOS bugzilla and info starting to show up: OpenSSL Updates of 19 March 2015 - Red Hat Customer Portal

    One of the high-severity CVEs is CVE-2015-0291.
    This bug doesn't affect Redhat/CentOS 5, 6 or 7 apparently!

    More info at OpenSSL Updates of 19 March 2015 - Red Hat Customer Portal

    Red Hat Enterprise Linux 5
    CVE             openssl         openssl097a
    CVE-2015-0286   not affected    not affected
    CVE-2015-0287   deferred        deferred
    CVE-2015-0289   deferred        deferred
    CVE-2015-0292   deferred        deferred
    CVE-2015-0293   deferred        deferred
    CVE-2015-0288   deferred        deferred
    CVE-2015-0291   not affected    not affected
    CVE-2015-0290   not affected    not affected
    CVE-2015-0207   not affected    not affected
    CVE-2015-0208   not affected    not affected
    CVE-2015-1787   not affected    not affected
    CVE-2015-0285   not affected    not affected
    CVE-2015-0209   not affected    not affected

    Red Hat Enterprise Linux 6
    CVE             openssl         openssl098e
    CVE-2015-0286   affected        not affected
    CVE-2015-0287   affected        deferred
    CVE-2015-0289   affected        deferred
    CVE-2015-0292   affected        deferred
    CVE-2015-0293   affected        deferred
    CVE-2015-0288   affected        deferred
    CVE-2015-0291   not affected    not affected
    CVE-2015-0290   not affected    not affected
    CVE-2015-0207   not affected    not affected
    CVE-2015-0208   not affected    not affected
    CVE-2015-1787   not affected    not affected
    CVE-2015-0285   not affected    not affected
    CVE-2015-0209   affected        not affected

    Red Hat Enterprise Linux 7
    CVE             openssl         openssl098e
    CVE-2015-0286   affected        not affected
    CVE-2015-0287   affected        deferred
    CVE-2015-0289   affected        deferred
    CVE-2015-0292   affected        deferred
    CVE-2015-0293   affected        deferred
    CVE-2015-0288   affected        deferred
    CVE-2015-0291   not affected    not affected
    CVE-2015-0290   not affected    not affected
    CVE-2015-0207   not affected    not affected
    CVE-2015-0208   not affected    not affected
    CVE-2015-1787   not affected    not affected
    CVE-2015-0285   not affected    not affected
    CVE-2015-0209   affected        not affected
     
    Last edited: Mar 20, 2015
  5. deltahf

    Nice to see CentOS was unaffected (yay CentOS!).

    Nevertheless, just completed the upgrade and all went well. Thanks for the easy instructions. :)
     
  6. Daniel J. Lewis

    Oddly, when I run yum update, it doesn't find an openssl update, but the server is still on 1.0.1e.
     
  7. eva2000

    yeah no updated OpenSSL YUM packages yet
     
  8. eva2000

    Heads up: the OpenSSL 1.0.1e-30.el6_6.7 update via YUM is available now, if you didn't already use yum-cron for auto updates.

    Code:
    yum list updates -q | grep openssl
    openssl.x86_64                           1.0.1e-30.el6_6.7             updates
    openssl-devel.x86_64                     1.0.1e-30.el6_6.7             updates  
    Code:
    rpm -qa --changelog openssl | head -n11
    * Thu Mar 19 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30.7
    - update fix for CVE-2015-0287 to what was released upstream
    
    * Wed Mar 18 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30.6
    - fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()
    - fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison
    - fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption
    - fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data
    - fix CVE-2015-0292 - integer underflow in base64 decoder
    - fix CVE-2015-0293 - triggerable assert in SSLv2 server
    To update:
    Code:
    yum -y update
    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.
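The reboot note above exists because a daemon started before the update keeps the old libssl/libcrypto mapped in memory until it is restarted. As an added example (not from the thread or from Centmin Mod), this script finds such processes on a CentOS host by scanning /proc/<pid>/maps for OpenSSL objects the kernel has marked "(deleted)"; the sample maps text inside it is constructed.

```shell
#!/bin/sh
# Added example: after `yum -y update` replaces libssl/libcrypto on disk, a
# service that was already running still uses the OLD copy until restarted
# (or the host is rebooted). Such mappings show up as "(deleted)" in
# /proc/<pid>/maps, which is what this script looks for.

# stale_ssl_maps: read one process's maps text on stdin and print the lines
# that still reference a deleted libssl or libcrypto object.
stale_ssl_maps() {
  grep -E '(libssl|libcrypto)\.so[^ ]* \(deleted\)$' || true
}

# has_stale_ssl: exit 0 when PID $1 maps a deleted OpenSSL library.
has_stale_ssl() {
  [ -r "/proc/$1/maps" ] || return 1
  stale_ssl_maps < "/proc/$1/maps" | grep -q .
}

# scan_stale_ssl: print "PID command" for every live process still using the
# pre-update library; an empty result means nothing needs restarting.
scan_stale_ssl() {
  for d in /proc/[0-9]*; do
    pid=${d#/proc/}
    if has_stale_ssl "$pid"; then
      printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "$d/cmdline" | cut -d' ' -f1)"
    fi
  done
}

# Constructed sample of /proc/<pid>/maps for a daemon started before the
# update: libc is current, both OpenSSL objects are stale.
SAMPLE_MAPS='7f3a0000-7f3a1000 r-xp 00000000 fd:01 1234 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3b0000-7f3b1000 r-xp 00000000 fd:01 1235 /lib64/libc-2.12.so
7f3c0000-7f3c1000 r-xp 00000000 fd:01 1236 /usr/lib64/libcrypto.so.1.0.1e (deleted)'

# count_stale_in_sample: number of stale OpenSSL mappings in the sample.
count_stale_in_sample() {
  printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_maps | wc -l | tr -d ' '
}

# Only touch /proc when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--scan" ]; then
  scan_stale_ssl
fi
```

Run it as `sh stale_ssl.sh --scan` as root right after `yum -y update`; any process it lists (nginx, MariaDB, sshd and so on) must be restarted before the host actually benefits from the fixed library.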
     
  9. rdan

    By the way, how can I replace my entire openssl from the axivo repo with the default repo?
    I don't care if it's not the latest stable version as long as it's always updated with security updates.
     
  10. rdan

    Tried this command but it's not working.
    Code:
    # yum reinstall openssl
    Loaded plugins: downloadonly, fastestmirror, priorities, security
    Setting up Reinstall Process
    Loading mirror speeds from cached hostfile
    * base: centos.bhs.mirrors.ovh.net
    * epel: mirror.steadfast.net
    * extras: centos.bhs.mirrors.ovh.net
    * rpmforge: mirror.lug.udel.edu
    * updates: mirror.gpmidi.net
    1640 packages excluded due to repository priority protections
    Installed package 1:openssl-1.0.1j-1.el6.x86_64 (from axivo) not available.
    Error: Nothing to do
    
     
  11. eva2000

    might want to ask @Floren to be 100% sure it's properly replaced
     
  12. rdan

    I tried this command:
    Code:
    # yum install openssl-1.0.1e-30.el6_6.7
    Loaded plugins: downloadonly, fastestmirror, priorities, security
    Setting up Install Process
    Loading mirror speeds from cached hostfile
    * base: centos.bhs.mirrors.ovh.net
    * epel: mirror.steadfast.net
    * extras: centos.bhs.mirrors.ovh.net
    * rpmforge: mirror.lug.udel.edu
    * updates: mirror.gpmidi.net
    1640 packages excluded due to repository priority protections
    Package matching openssl-1.0.1e-30.el6_6.7.x86_64 already installed. Checking for update.
    Nothing to do
    
    So I have two versions of openssl installed? :?
     
  13. eva2000

    you can try https://www.axivo.com/resources/repository-setup.1/update?update=20 but no idea if it will screw up your system as openssl is tightly integrated
     
  14. rdan

    Code:
    # yum -q list openssl*
    Installed Packages
    openssl.x86_64                                                              1:1.0.1j-1.el6                                                          @axivo
    openssl-devel.x86_64                                                        1:1.0.1j-1.el6                                                          @axivo
    openssl-libs.x86_64                                                         1:1.0.1j-1.el6                                                          @axivo
    Available Packages
    openssl-perl.x86_64                                                         1.0.1e-30.el6_6.7                                                       updates
    openssl-static.x86_64                                                       1.0.1e-30.el6_6.7                                                       updates
    openssl098e.x86_64                                                          0.9.8e-18.el6_5.2                                                       base
    
     
  15. eva2000

    so you installed default packages yet?
     
  16. rdan

    All of the openssl packages installed are from the axivo repo.
     
  17. eva2000

  18. rdan

  19. eva2000

    looks like OpenSSL 1.02b is coming soon: '[openssl-announce] Forthcoming OpenSSL releases' - MARC