Security OpenSSL OpenSSL Security Advisory [16 Apr 2018]

Discussion in 'CentOS, Redhat & Oracle Linux News' started by bassie, Apr 18, 2018.

  1. bassie

    bassie Active Member

  2. eva2000

    eva2000 Administrator Staff Member

    thanks for the heads up :)
     
  3. bassie

    bassie Active Member

    N.P. Y.W. Due to the low severity you could patch the code.
    What are you going to do?
  4. eva2000

    eva2000 Administrator Staff Member

    Hmm, indeed they aren't that involved for the committed fixes to be made via patching, as the Centmin Mod Nginx routine lends itself to easy patching support :) Though is the RSA key generation process used at all for Nginx OpenSSL? So the only time that would apply is if you call the OpenSSL binary /opt/openssl/bin/openssl instead of the system openssl /usr/bin/openssl.
    Code (Text):
    /opt/openssl/bin/openssl version -a
    OpenSSL 1.1.0h  27 Mar 2018
    built on: reproducible build, date unspecified
    platform: linux-x86_64
    options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
    OPENSSLDIR: "/opt/openssl"
    ENGINESDIR: "/opt/openssl/lib/engines-1.1"
    

    Just added to Centmin Mod 123.09beta01: OpenSSL 1.0.2o & 1.1.0h detection and auto patching for this CVE-2018-0737 when recompiling Nginx via centmin.sh menu option 4.

    Relevant lines in the patch log at /root/centminlogs/patch_opensslpatches_180418-021237.log after an Nginx recompile via centmin.sh menu option 4 for the Nginx 1.14.0 + OpenSSL 1.1.0h patched build:
    Code (Text):
    cat /root/centminlogs/patch_opensslpatches_180418-021237.log
    
    ######################################################################
    Patching OpenSSL 1.1.0h
    ######################################################################
    Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) patch
    https://community.centminmod.com/threads/14584/
    ######################################################################
    /svr-setup/openssl-1.1.0h /svr-setup/openssl-1.1.0h
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1h-cache-timing-rsa-key-gen.patch
    patching file crypto/rsa/rsa_gen.c
    

    Patch log for Nginx 1.14.0 + OpenSSL 1.0.2o:

    Code (Text):
    cat /root/centminlogs/patch_opensslpatches_180418-022623.log
    
    ######################################################################
    Patching OpenSSL 1.0.2o
    ######################################################################
    Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) patch
    https://community.centminmod.com/threads/14584/
    ######################################################################
    /svr-setup/openssl-1.0.2o /svr-setup/openssl-1.0.2o
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.0.2o-cache-timing-rsa-key-gen.patch
    patching file crypto/rsa/rsa_gen.c
    

     
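Two checks that follow from the thread above, as an added example that is not part of any post and is not Centmin Mod code: classify an `openssl version` line against CVE-2018-0737, and confirm that a patch log like the ones quoted shows `crypto/rsa/rsa_gen.c` patched without rejects. The function names are hypothetical, and the affected ranges (1.0.2b-1.0.2o, 1.1.0-1.1.0h) are taken from OpenSSL's published vulnerability list rather than from this thread.

```shell
#!/bin/sh
# Added example (not Centmin Mod code): two post-rebuild checks for CVE-2018-0737.
LC_ALL=C; export LC_ALL   # keep [a-h] style ranges byte-ordered

# Classify the first line of `openssl version` output.
# Ranges assumed from OpenSSL's vulnerability list: 1.0.2b-1.0.2o, 1.1.0-1.1.0h.
cve_2018_0737_status() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case "$ver" in
        '')                            echo unknown ;;
        *-*)                           echo vendor-build ;;  # e.g. 1.0.2k-fips: distro backports, check the vendor advisory
        1.1.0|1.1.0[a-h]|1.0.2[b-o])   echo listed-affected ;;
        *)                             echo not-listed ;;
    esac
}

# Succeed only if the log names the CVE, shows rsa_gen.c being patched,
# and contains none of patch(1)'s failure messages.
patch_log_ok() {
    printf '%s\n' "$1" | grep -q 'CVE-2018-0737' || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*patching file crypto/rsa/rsa_gen\.c[[:space:]]*$' || return 1
    if printf '%s\n' "$1" | grep -Eq "FAILED|Reversed \(or previously applied\)|can't find file to patch"; then
        return 1
    fi
    return 0
}

# Abridged from the 1.1.0h log quoted in the post above.
SAMPLE_LOG='Patching OpenSSL 1.1.0h
Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) patch
patching file crypto/rsa/rsa_gen.c'

# Constructed failure case: the same log with a rejected hunk appended.
FAILED_LOG="$SAMPLE_LOG
Hunk #1 FAILED at 100.
1 out of 1 hunk FAILED -- saving rejects to file crypto/rsa/rsa_gen.c.rej"

echo "version check: $(cve_2018_0737_status 'OpenSSL 1.1.0h  27 Mar 2018')"
patch_log_ok "$SAMPLE_LOG" && echo "sample log: patch applied cleanly"
patch_log_ok "$FAILED_LOG" || echo "failed log: rejected hunk detected"
```

A source-patched build still reports its original version string, so `listed-affected` from the version check is expected after patching; the patch log is the evidence that the fix went in.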