Security OpenSSL 1.0.h & Updating Centmin Mod Nginx SSL Support

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 26, 2016.

  1. eva2000


    OpenSSL 1.0.2h Release Information



    Update: For CentOS 6, the openssl update is not available in the main repo; you need to update openssl via the CR YUM repo as instructed here. CentOS 7 has the updated openssl package in its main repo. Still, for Centmin Mod Nginx users, follow the instructions below to recompile Nginx statically with OpenSSL 1.0.2h.

    OpenSSL folks are releasing OpenSSL 1.0.2h and 1.0.1t security updates on May 3, 2016 https://www.openssl.org/news/secadv/20160503.txt
    • Memory corruption in the ASN.1 encoder (CVE-2016-2108)
    • Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
    • EVP_EncodeUpdate overflow (CVE-2016-2105)
    • ASN.1 BIO excessive memory allocation (CVE-2016-2109)
    • EBCDIC overread (CVE-2016-2176)
    Cloudflare's coverage at Yet Another Padding Oracle in OpenSSL CBC Ciphersuites

    Notes:


    • Prior to Feb 25th, 2016, Centmin Mod Nginx from 1.2.3-eva2000.08 (123.08stable) onwards was by default compiled against LibreSSL 2.2 instead of OpenSSL 1.0.2h, so it generally doesn't need updating on the Centmin Mod Nginx side. But the CentOS system OpenSSL may need updates.
    • After Feb 25th, 2016, the Centmin Mod 123.08stable version of Nginx switched back to being compiled against OpenSSL 1.0.2+ for out-of-the-box defaults due to Nginx 1.9.12 compatibility issues with LibreSSL, while 123.09beta01 switched back to the LibreSSL 2.3 branch.

    Centmin Mod LEMP Upgrade OpenSSL 1.0.2h



    For Centmin Mod LEMP stack 1.2.3-eva2000.08 stable and higher, there are 2 parts to updating OpenSSL: the back-ported system YUM package update, plus the static OpenSSL compilation of Nginx for the front-facing Nginx server and https/SSL. Updating to OpenSSL 1.0.2h uses the exact same approach as outlined at Nginx - Updating OpenSSL 1.0.1K for Centmin Mod

    For Centmin Mod 1.2.3-eva2000.08 stable (123.08stable) and higher (including betas) you need to do 2 updates:
    1. System OpenSSL update for CentOS
    2. Nginx recompile with OPENSSL_VER='1.0.2h' specified in centmin.sh
    Centmin Mod Nginx doesn't use the system OpenSSL and is compiled statically; the check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.

    Code (Text):
     ldd `which nginx` | grep ssl


    will come back empty for Centmin Mod Nginx based servers.

    System OpenSSL update for CentOS



    Usually Redhat and CentOS back-port patches, so you will see something like OpenSSL 1.0.1e-XX where XX is an incremented release number carrying the fixed patches. Will update this post once Redhat/CentOS have an updated YUM package.

    Also, sometimes Redhat or CentOS system versions won't be affected by the bugs/security issues listed for the OpenSSL source. You have to read each CVE listing on the Red Hat and CentOS bug trackers to see if they apply or not.

    CentOS/Redhat system OpenSSL updates

    Seems CentOS YUM OpenSSL updates are out too


    For CentOS 7
    Code (Text):
    rpm -qa openssl
    openssl-1.0.1e-51.el7_2.5.x86_64
    

    Code (Text):
    rpm -qa --changelog openssl | head -n8
    * Fri Apr 29 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.5
    - fix CVE-2016-2105 - possible overflow in base64 encoding
    - fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
    - fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
    - fix CVE-2016-2108 - memory corruption in ASN.1 encoder
    - fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
    - fix CVE-2016-0799 - memory issues in BIO_printf
    


    For CentOS 6 you need to update openssl via the CR YUM repo as instructed here.
    Code (Text):
    rpm -qa --changelog openssl | head -n9
    


    For automatic daily updates, check out yum-cron.

    Code (Text):
    yum list updates -q | grep openssl
    


    Code (Text):
    rpm -qa --changelog openssl | head -n11
    


    To update
    Code (Text):
    yum -y update

    Note: after system update you need to reboot your server to ensure all services which use OpenSSL also use the updated version.

    Nginx recompile with OPENSSL_VER='1.0.2h'



    To update, if you are using OpenSSL and not the prior default Centmin Mod Nginx LibreSSL, edit the OPENSSL_VERSION variable in your centmin.sh file. There are 2 ways to do that:
    1. The best way is to use centmin.sh menu option 23 submenu option 2 for auto-updating Centmin Mod code, as outlined at centminmod.com/upgrade.html and at https://community.centminmod.com/threads/new-08-beta-menu-option-updating-centmin-mod-via-git.3084/. If Centmin Mod code has been updated, that method will auto-update centmin.sh to the latest version, which already has OPENSSL_VERSION='1.0.2h' set. After updating via git with centmin.sh menu option 23 submenu options, verify in centmin.sh that OPENSSL_VERSION='1.0.2h' is set.
    2. If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup, or if centmin.sh doesn't have OPENSSL_VERSION='1.0.2h' set, then you need to manually update and edit your server copy of centmin.sh at /usr/local/src/centminmod/centmin.sh and

    change
    Code (Text):
    OPENSSL_VERSION='1.0.2g'
    

    to
    Code (Text):
    OPENSSL_VERSION='1.0.2h'
    

    Then save centmin.sh. Then run centmin.sh

    or use sed to replace 1.0.2g with 1.0.2h
    Code (Text):
    sed -i "s/OPENSSL_VERSION='1.0.2g'/OPENSSL_VERSION='1.0.2h'/" centmin.sh

    check that OPENSSL_VERSION='1.0.2h' is set
    Code (Text):
    grep ^OPENSSL centmin.sh
    OPENSSL_VERSION='1.0.2h'   # Use this version of OpenSSL

    Code (Text):
    ./centmin.sh
    

    1. select menu option #4 to upgrade/downgrade Nginx
    2. when prompted to select yes or no for YUM checks, select NO (really, the system OpenSSL update step above wouldn't be needed if you select yes to YUM checks here ;) )
    3. then when prompted, specify Nginx version = 1.9.15
    4. let the Nginx recompile run to completion; it should say Nginx installed successfully
    5. check if Nginx was compiled against 1.0.2h using the nginx -V command
     
    Last edited: May 21, 2016
  2. eva2000

    You can tell if your Centmin Mod Nginx is using OpenSSL or LibreSSL via the output of the SSH command
    Code (Text):
    nginx -V


    If using LibreSSL, the built with line will read like this:
    Code (Text):
    nginx -V
    nginx version: nginx/1.9.15
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with LibreSSL 2.3.4


    If using OpenSSL, the built with line will read like this:
    Code (Text):
    nginx -V
    nginx version: nginx/1.9.15
    built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
    built with OpenSSL 1.0.2h  1 Mar 2016
    
     
    Last edited: May 4, 2016
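The nginx -V check from step 5 of the first post and the OpenSSL-vs-LibreSSL reading of its output in this post can be scripted. The following is an added example, not code from the thread or from Centmin Mod; it treats OpenSSL 1.0.2h (1.0.1t on the 1.0.1 branch) and LibreSSL 2.3.4, the releases the thread names, as the minimum acceptable builds, also checks the back-ported system package's changelog for a given CVE, and embeds constructed sample outputs so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from Centmin Mod.
# Scripts two manual checks from the posts above:
#   1. read the "built with ..." line of `nginx -V` and decide whether the
#      statically linked library is at or above the release the thread calls
#      fixed: OpenSSL 1.0.2h (1.0.1t on the 1.0.1 branch) or LibreSSL 2.3.4;
#   2. confirm the back-ported system package lists a "fix CVE-..." changelog
#      entry, since a CentOS 1.0.1e-XX version number alone says nothing.
# Constructed sample outputs are embedded so the script also runs offline.

SAMPLE_NGINX_OPENSSL='nginx version: nginx/1.9.15
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.0.2h  1 Mar 2016
TLS SNI support enabled'

SAMPLE_NGINX_OLD='nginx version: nginx/1.9.12
built with OpenSSL 1.0.2g  1 Mar 2016'

SAMPLE_NGINX_LIBRESSL='nginx version: nginx/1.9.15
built with LibreSSL 2.3.4'

# Constructed excerpt in the shape of `rpm -qa --changelog openssl | head -n8`.
SAMPLE_CHANGELOG='* Fri Apr 29 2016 (packager) 1.0.1e-51.5
- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC'

# ssl_lib_of "<nginx -V output>": prints "OpenSSL 1.0.2h" / "LibreSSL 2.3.4",
# or "unknown" when there is no "built with" line (nginx built without SSL).
ssl_lib_of() {
    printf '%s\n' "$1" | awk '
        $1 == "built" && $2 == "with" && ($3 == "OpenSSL" || $3 == "LibreSSL") {
            print $3, $4; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# ver_ge A B: exit 0 when A >= B. Understands dotted versions (2.3.4) and the
# OpenSSL 1.0.x scheme with a trailing patch letter (1.0.2h): numbers compare
# numerically, then the letter alphabetically, with bare 1.0.2 below 1.0.2a.
ver_ge() {
    awk -v a="$1" -v b="$2" '
        function parse(v, out,    num, let) {
            num = v; let = ""
            if (match(v, /[a-z]+$/)) { let = substr(v, RSTART); num = substr(v, 1, RSTART - 1) }
            split(num, out, ".")        # split() empties out[], so add the letter after it
            out["let"] = let
        }
        BEGIN {
            parse(a, A); parse(b, B)
            for (i = 1; i <= 3; i++)
                if (A[i] + 0 != B[i] + 0) { r = (A[i] + 0 > B[i] + 0) ? 0 : 1; exit r }
            if (A["let"] != B["let"]) { r = (A["let"] > B["let"]) ? 0 : 1; exit r }
            exit 0
        }'
}

# nginx_ssl_ok "<nginx -V output>": prints a verdict; exit 0 only when the build
# meets the minimum release for its library.
nginx_ssl_ok() {
    lib=$(ssl_lib_of "$1")
    name=${lib%% *}
    ver=${lib#* }
    case "$name" in
        OpenSSL)
            case "$ver" in
                1.0.1*) want=1.0.1t ;;
                *)      want=1.0.2h ;;
            esac ;;
        LibreSSL) want=2.3.4 ;;   # the LibreSSL release the later posts point to
        *) echo "no OpenSSL/LibreSSL build line found in nginx -V output"; return 1 ;;
    esac
    if ver_ge "$ver" "$want"; then
        echo "$name $ver: OK (at or above $want)"
    else
        echo "$name $ver: recompile nginx against $name $want or later"
        return 1
    fi
}

# changelog_fixes_cve "<rpm changelog text>" CVE-ID: exit 0 when a "fix <CVE-ID>"
# entry is present in the back-ported package's changelog.
changelog_fixes_cve() {
    printf '%s\n' "$1" | grep -q -- "fix $2 "
}

# Run over the constructed samples, then over the live host if the tools exist.
nginx_ssl_ok "$SAMPLE_NGINX_OPENSSL"
nginx_ssl_ok "$SAMPLE_NGINX_OLD" || true
nginx_ssl_ok "$SAMPLE_NGINX_LIBRESSL"
changelog_fixes_cve "$SAMPLE_CHANGELOG" CVE-2016-2107 && echo "sample changelog: CVE-2016-2107 fix listed"
if command -v nginx >/dev/null 2>&1; then
    nginx_ssl_ok "$(nginx -V 2>&1)" || true
fi
if command -v rpm >/dev/null 2>&1; then
    changelog_fixes_cve "$(rpm -qa --changelog openssl 2>/dev/null)" CVE-2016-2107 \
        && echo "system openssl: CVE-2016-2107 fix listed" \
        || echo "system openssl: no CVE-2016-2107 changelog entry, run yum update"
fi
```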
  3. eva2000


    OpenSSL Security Updates



    Updated both Centmin Mod 123.08stable and 123.09beta01 builds so the nginx build uses openssl version 1.0.2h, which has the security fixes. You'll need to update the Centmin Mod code on your server via centmin.sh menu option 23 submenu option 2 and then run centmin.sh menu option 4 to recompile Nginx to use the updated openssl 1.0.2h. Full instructions are outlined at Security - OpenSSL 1.0.h & Updating Centmin Mod Nginx SSL Support | Centmin Mod Community

    To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:
  6. eva2000

    For Redhat/CentOS system OpenSSL related updates, see Resolution for CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176 (OpenSSL May 3, 2016) - Red Hat Customer Portal
  7. eva2000

    Another take on one of the specific and more severe OpenSSL vulnerabilities at On Web-Security and -Insecurity: Curious Padding oracle in OpenSSL (CVE-2016-2107)

    And we learn that for CVE-2016-2107 the fix was just 6 simple lines of code: Check that we have enough padding characters. · openssl/openssl@70428ea · GitHub !
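The commit linked above adds a check that the padding length claimed by a CBC record's last byte actually fits inside the record. The following is an added illustration of that check inside a constant-time TLS CBC padding validator; it is my own code, not OpenSSL's, and the record layout (plaintext, a 20-byte MAC, then pad+1 bytes each equal to pad) and the constructed demo records are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAC_LEN 20   /* HMAC-SHA1 tag size, matching the AES-NI CBC-SHA1 path named in the advisory */

/* Constant-time helpers: all-ones (0xFFFFFFFF) for true, 0 for false.
 * Valid for operands below 2^31, which covers record lengths and pad bytes. */
static uint32_t ct_lt(uint32_t a, uint32_t b) { return 0u - ((a - b) >> 31); }
static uint32_t ct_ge(uint32_t a, uint32_t b) { return ~ct_lt(a, b); }
static uint32_t ct_is_zero(uint32_t x)        { return ~(0u - ((x | (0u - x)) >> 31)); }

/* Validate the tail of a decrypted CBC record laid out as (assumed layout):
 *     plaintext || MAC (MAC_LEN bytes) || pad bytes, each == pad || pad
 * Returns 1 and sets *plain_len when the padding is well-formed, else 0.
 * Apart from the public record length, no branch depends on the pad contents. */
int cbc_padding_ok(const uint8_t *rec, size_t len, size_t *plain_len)
{
    if (len < MAC_LEN + 1)
        return 0;                                   /* length is public, so branching on it is fine */
    uint32_t pad    = rec[len - 1];                 /* padding length claimed by the last byte */
    uint32_t maxpad = (uint32_t)(len - (MAC_LEN + 1));
    if (maxpad > 255)
        maxpad = 255;                               /* a single byte cannot claim more anyway */

    /* The "enough padding" check the fix added: all-ones when pad <= maxpad.
     * Without it, a pad byte larger than maxpad sends the check across the MAC and
     * plaintext (or past the buffer) and down a different failure path, which is
     * exactly the signal a padding oracle needs. With it, such a record is rejected
     * the same way as any other bad-padding record. */
    uint32_t good = ct_ge(maxpad, pad);

    /* Scan a fixed window of the record tail so the work done does not depend on
     * pad; min(len, 256) covers every position a valid pad could occupy. */
    size_t to_check = len < 256 ? len : 256;
    uint32_t bad_bytes = 0;
    for (size_t i = len - to_check; i < len; i++) {
        uint32_t offset_from_end = (uint32_t)(len - 1 - i);  /* 0 for the pad byte itself */
        uint32_t in_pad = ct_ge(pad, offset_from_end);       /* is this byte part of the padding? */
        bad_bytes |= in_pad & (rec[i] ^ pad);                /* nonzero if a pad byte != pad */
    }
    good &= ct_is_zero(bad_bytes);

    /* Only the final verdict is branched on; a real stack would continue into the
     * MAC check with the same discipline and report one uniform error. */
    if (good != 0xFFFFFFFFu) {
        *plain_len = 0;
        return 0;
    }
    *plain_len = len - MAC_LEN - pad - 1;
    return 1;
}

/* Constructed demo record: 'plain' bytes of 'A', a dummy MAC of 0xAA bytes,
 * then padlen+1 bytes each equal to padlen. Returns the record length. */
size_t make_record(uint8_t *buf, size_t plain, size_t padlen)
{
    size_t n = 0;
    memset(buf + n, 'A', plain);               n += plain;
    memset(buf + n, 0xAA, MAC_LEN);            n += MAC_LEN;
    memset(buf + n, (int)padlen, padlen + 1);  n += padlen + 1;
    return n;
}

/* Demo scenarios over constructed records; returns cbc_padding_ok's verdict. */
static int run_case(int which, size_t *pl)
{
    uint8_t buf[320];
    size_t n = make_record(buf, 5, 2);          /* 5 data bytes, MAC, pad 02 02 02 = 28 bytes */
    switch (which) {
    case 0: break;                              /* well-formed */
    case 1: buf[n - 1] = 0xFF; break;           /* claims 255 pad bytes in a 28-byte record */
    case 2: buf[n - 2] = 0x01; break;           /* pad length fits but a pad byte is wrong */
    case 3: n = MAC_LEN; break;                 /* too short to hold MAC plus pad byte */
    case 4: n = make_record(buf, 0, 0); break;  /* minimal: no data, single 00 pad byte */
    case 5: n = make_record(buf, 3, 255); break;/* maximal padding, 279-byte record */
    }
    return cbc_padding_ok(buf, n, pl);
}

int  demo_case(int which)      { size_t pl; return run_case(which, &pl); }
long demo_plain_len(int which) { size_t pl = 0; return run_case(which, &pl) ? (long)pl : -1; }

int main(void)
{
    static const char *names[] = { "well-formed", "pad byte > maxpad", "corrupt pad byte",
                                   "shorter than MAC+1", "no data, zero pad", "255-byte pad" };
    for (int i = 0; i < 6; i++)
        printf("%-20s -> %s (plaintext %ld)\n", names[i],
               demo_case(i) ? "accept" : "reject", demo_plain_len(i));
    return 0;
}
```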
  9. eva2000

    More coverage: OpenSSL Vulnerabilities: Takeaways from the Latest Updates
     
  10. eva2000

    CentOS 7 got openssl system update but no update yet for CentOS 6

    from Resolution for CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176 (OpenSSL May 3, 2016) - Red Hat Customer Portal


    to update
    Code (Text):
    yum -y update --enablerepo=remi --disableplugin=priorities
     
    Last edited: May 11, 2016
  11. eva2000

    CentOS 6 openssl system updates have been released by Redhat 6, but the CentOS 6 patch is complicated: OpenSSL CVE-2016-2108 - Page 2 - CentOS

    and OpenSSL CVE-2016-2108 - Page 2 - CentOS

    from Resolution for CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176 (OpenSSL May 3, 2016) - Red Hat Customer Portal


    Not yet available in the yum repo though

    For CentOS 6
    Code (Text):
    rpm -qa openssl
    TBA
    

    Code (Text):
    rpm -qa --changelog openssl | head -n10
    TBA
    


    to update
    Code (Text):
    yum -y update --enablerepo=remi --disableplugin=priorities
     
    Last edited: May 14, 2016
  14. eva2000

    Divergent paths for CentOS 6 openssl system rpm vs Redhat 6 released openssl rpm fix :(

    openssl system updates have been released by Redhat 6, but the CentOS 6 patch is complicated: OpenSSL CVE-2016-2108 - Page 2 - CentOS

    and OpenSSL CVE-2016-2108 - Page 2 - CentOS

    and [CentOS] 6.8 CR Packages

    and [CentOS-devel] missing important EL6 patch for qemu CVE-2016-3710 ?
    info on CentOS CR repo usage at Third Party YUM Repos with Centmin Mod - CentminMod.com LEMP Nginx web stack for CentOS, and announcements of CR package availability at The CentOS-CR-announce Archives

    For CentOS 6, the CR yum repo isn't installed by default like it is on CentOS 7. So if on CentOS 6, install the CR yum repo first
    Code (Text):
    yum -y install centos-release-cr
    sed -i 's/enabled=1/enabled=0/g' /etc/yum.repos.d/CentOS-CR.repo
    echo "priority=1" >> /etc/yum.repos.d/CentOS-CR.repo
    

    So when the CR repo has the updated openssl for CentOS 6.x, it will be listed via the following command, which also enables the CR repo
    Code (Text):
    yum list updates --disableplugin=priorities --enablerepo=remi,cr

    update via
    Code (Text):
    yum -y update openssl openssl-devel --disableplugin=priorities --enablerepo=remi,cr

    Definitely sounds like CentOS 7.x is the future rather than 6.x
     
    Last edited: May 19, 2016
  15. eva2000

    As per the previous post, the CentOS 6 fix for the openssl system package update and its testing are delayed due to CentOS work on the CentOS 6.8 release and a problem with the Redhat source RPM (SRPM) package, so we will need to wait for CentOS Continuous Release YUM repo availability of the openssl-1.0.1e-48 version.

    Rather than waiting, I thought I'd rebuild the Redhat SRPM package myself for CentOS 6.x 64bit only versions and see.

    The actual packages for CentOS 6 64bit rebuilt from the Redhat SRPM
    Code (Text):
    ls -1 RPMS/x86_64/                       
    openssl-1.0.1e-48.el6.1.x86_64.rpm
    openssl-debuginfo-1.0.1e-48.el6.1.x86_64.rpm
    openssl-devel-1.0.1e-48.el6.1.x86_64.rpm
    openssl-perl-1.0.1e-48.el6.1.x86_64.rpm
    openssl-static-1.0.1e-48.el6.1.x86_64.rpm
    

    After installing the rebuilt openssl and openssl-devel versions
    Code (Text):
    yum list openssl openssl-devel -q
    Installed Packages
    openssl.x86_64               1.0.1e-48.el6.1      @/openssl-1.0.1e-48.el6.1.x86_64   
    openssl-devel.x86_64         1.0.1e-48.el6.1      @/openssl-devel-1.0.1e-48.el6.1.x86_64
    

    Code (Text):
    yum history info 32
    Loaded plugins: fastestmirror, priorities, security
    Transaction ID : 32
    Begin time     : Sun May 15 03:47:49 2016
    Begin rpmdb    : 607:2a5a4da719647b5c76c2a1a12f63862ff903c433
    End time       :            03:47:51 2016 (2 seconds)
    End rpmdb      : 607:37df97150829069a7fc3b1bd13706e8001fda181
    User           : root <root>
    Return-Code    : Success
    Command Line   : localinstall openssl-1.0.1e-48.el6.1.x86_64.rpm openssl-devel-1.0.1e-48.el6.1.x86_64.rpm
    Transaction performed with:
        Installed     rpm-4.8.0-47.el6.x86_64                       @base
        Installed     yum-3.2.29-69.el6.centos.noarch               @base
        Installed     yum-plugin-fastestmirror-1.1.30-30.el6.noarch @base
    Packages Altered:
        Updated openssl-1.0.1e-42.el6_7.4.x86_64       @updates
        Update          1.0.1e-48.el6.1.x86_64         @/openssl-1.0.1e-48.el6.1.x86_64
        Updated openssl-devel-1.0.1e-42.el6_7.4.x86_64 @updates
        Update                1.0.1e-48.el6.1.x86_64   @/openssl-devel-1.0.1e-48.el6.1.x86_64
    history info
    

    Code (Text):
    ls -lah $(which openssl)
    -rwxr-xr-x 1 root root 514K May  8 03:20 /usr/bin/openssl
    

    change log for openssl
    Code (Text):
    rpm -qa --changelog openssl | head -n8
    * Mon May 02 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.1
    - fix CVE-2016-2105 - possible overflow in base64 encoding
    - fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
    - fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
    - fix CVE-2016-2108 - memory corruption in ASN.1 encoder
    - fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
    - fix CVE-2016-0799 - memory issues in BIO_printf
    

    change log for openssl-devel
    Code (Text):
    rpm -qa --changelog openssl-devel | head -n8
    * Mon May 02 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.1
    - fix CVE-2016-2105 - possible overflow in base64 encoding
    - fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
    - fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
    - fix CVE-2016-2108 - memory corruption in ASN.1 encoder
    - fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
    - fix CVE-2016-0799 - memory issues in BIO_printf
    

    then recompile PHP 5.6.21 via centmin.sh menu option 5
    Code (Text):
    php --ri openssl
    
    openssl
    
    OpenSSL support => enabled
    OpenSSL Library Version => OpenSSL 1.0.1e-fips 11 Feb 2013
    OpenSSL Header Version => OpenSSL 1.0.1e-fips 11 Feb 2013
    Openssl default config => /etc/pki/tls/openssl.cnf
    
    Directive => Local Value => Master Value
    openssl.cafile => no value => no value
    openssl.capath => no value => no value
     
    Last edited: May 15, 2016
  16. eva2000

    CentOS 6.8 CR yum repo packages coming which also contain CentOS 6.x fix for openssl vulnerability https://twitter.com/JohnnyCentOS/status/732239050828980224

    For CentOS 6, the CR yum repo isn't installed by default like it is on CentOS 7. So if on CentOS 6, install the CR yum repo first
    Code (Text):
    yum -y install centos-release-cr
    sed -i 's/enabled=1/enabled=0/g' /etc/yum.repos.d/CentOS-CR.repo
    echo "priority=1" >> /etc/yum.repos.d/CentOS-CR.repo
    

    Code (Text):
    yum list updates --enablerepo=remi,cr --disableplugin=priorities -q | grep openssl
    openssl.x86_64                            1.0.1e-48.el6_8.1                   cr
    openssl-devel.x86_64                      1.0.1e-48.el6_8.1                   cr

    To update for CentOS 6.x only (CentOS 7 already has the openssl update in non-CR main repo) for openssl
    Code (Text):
    yum -y update openssl openssl-devel --disableplugin=priorities --enablerepo=cr

    example openssl update output for CentOS 6.x with the CR yum repo installed and enabled
    Code (Text):
    yum -y update openssl openssl-devel --disableplugin=priorities --enablerepo=cr
    Loaded plugins: fastestmirror
    Setting up Update Process
    Loading mirror speeds from cached hostfile
    * base: mirror.supremebytes.com
    * epel: mirror.sfo12.us.leaseweb.net
    * extras: yum.tamu.edu
    * rpmforge: mirror.hmc.edu
    * updates: mirror.supremebytes.com
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssl.x86_64 0:1.0.1e-42.el6_7.4 will be updated
    ---> Package openssl.x86_64 0:1.0.1e-48.el6_8.1 will be an update
    ---> Package openssl-devel.x86_64 0:1.0.1e-42.el6_7.4 will be updated
    ---> Package openssl-devel.x86_64 0:1.0.1e-48.el6_8.1 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ==========================================================================================================================================================================================================================================================
    Package                                                         Arch                                                     Version                                                              Repository                                            Size
    ==========================================================================================================================================================================================================================================================
    Updating:
    openssl                                                         x86_64                                                   1.0.1e-48.el6_8.1                                                    cr                                                   1.5 M
    openssl-devel                                                   x86_64                                                   1.0.1e-48.el6_8.1                                                    cr                                                   1.2 M
    
    Transaction Summary
    ==========================================================================================================================================================================================================================================================
    Upgrade       2 Package(s)
    
    Total download size: 2.7 M
    Downloading Packages:
    (1/2): openssl-1.0.1e-48.el6_8.1.x86_64.rpm                                                                                                                                                                                        | 1.5 MB     00:00  
    (2/2): openssl-devel-1.0.1e-48.el6_8.1.x86_64.rpm                                                                                                                                                                                  | 1.2 MB     00:00  
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Total                                                                                                                                                                                                                     4.9 MB/s | 2.7 MB     00:00  
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Updating   : openssl-1.0.1e-48.el6_8.1.x86_64                                                                                                                                                                                                       1/4
      Updating   : openssl-devel-1.0.1e-48.el6_8.1.x86_64                                                                                                                                                                                                 2/4
      Cleanup    : openssl-devel-1.0.1e-42.el6_7.4.x86_64                                                                                                                                                                                                 3/4
      Cleanup    : openssl-1.0.1e-42.el6_7.4.x86_64                                                                                                                                                                                                       4/4
      Verifying  : openssl-1.0.1e-48.el6_8.1.x86_64                                                                                                                                                                                                       1/4
      Verifying  : openssl-devel-1.0.1e-48.el6_8.1.x86_64                                                                                                                                                                                                 2/4
      Verifying  : openssl-devel-1.0.1e-42.el6_7.4.x86_64                                                                                                                                                                                                 3/4
      Verifying  : openssl-1.0.1e-42.el6_7.4.x86_64                                                                                                                                                                                                       4/4
    
    Updated:
      openssl.x86_64 0:1.0.1e-48.el6_8.1                                                                                       openssl-devel.x86_64 0:1.0.1e-48.el6_8.1                                                                                    
    
    Complete!
    

    verify openssl 1.0.1e-48.el6_8.1 is installed

    Code (Text):
    rpm -qa --changelog openssl | head -n8
    * Mon May 02 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.1
    - fix CVE-2016-2105 - possible overflow in base64 encoding
    - fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
    - fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
    - fix CVE-2016-2108 - memory corruption in ASN.1 encoder
    - fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
    - fix CVE-2016-0799 - memory issues in BIO_printf
    


    For non-Centmin Mod Nginx users, check if your web server is still vulnerable at Test your server for yet another CBC padding oracle (CVE-2016-2107). Centmin Mod Nginx users would have already been fixed up if you updated the Centmin Mod branch and recompiled Nginx as instructed in the 1st post.
     
    Last edited: May 19, 2016
  17. eva2000

    hmm, reminder: if you haven't updated to the fixed OpenSSL system yum package + recompiled nginx with the updated openssl 1.0.2h as outlined in the 1st post above, do so!

    Big Surprise: Companies Are Slow to Patch Latest OpenSSL Flaw

     
  18. eva2000

    Another reminder to update the Centmin Mod branch code and then to update to LibreSSL 2.3.4 or OpenSSL 1.0.2h for the centmin.sh menu option 4 based nginx recompile as outlined above, and to double-check via the tool at Test your server for yet another CBC padding oracle (CVE-2016-2107) that your HTTPS based web sites are secure and not vulnerable to CVE-2016-2107.

    Checking various web sites I visit (mainly non-Centmin Mod nginx based), not everyone has patched the CVE-2016-2107 vulnerability still! Several other web stack installers out there that do similar to Centmin Mod Nginx installers are also running vulnerable versions, so just double check folks!

    There's also a command line version of the CVE-2016-2107 checker, written in golang and requiring golang v1.6+, at GitHub - FiloSottile/CVE-2016-2107: Simple test for the May 2016 OpenSSL padding oracle (CVE-2016-2107)
    Code (Text):
    which CVE-2016-2107
    /root/golang/packages/bin/CVE-2016-2107

    checking my own sites, which should be fixed and return Vulnerable: false. If it returns true, then the site is still vulnerable to the security flaws from CVE-2016-2107
    Code (Text):
    CVE-2016-2107 centminmod.com
    2016/06/02 15:59:20 Vulnerable: false
    

    Code (Text):
    CVE-2016-2107 community.centminmod.com
    2016/06/02 16:00:19 Vulnerable: false
    
     
    Last edited: Jun 3, 2016