
Security OpenSSL OpenSSL Security Advisory [16 Apr 2018]

Discussion in 'CentOS, Redhat & Oracle Linux News' started by buik, Apr 18, 2018.

  1. buik

    buik “A winner never stops trying.” Premium Member

  2. eva2000

    eva2000 Administrator Staff Member

    thanks for the heads up :)
     
  3. buik

    buik “A winner never stops trying.” Premium Member

    N.P. Y.W. Due to the low severity you could patch the code.
    What are you going to do?
     
  4. eva2000

    eva2000 Administrator Staff Member

    Hmm, indeed they aren't that involved for the committed fixes to be made via patching, as the Centmin Mod Nginx routine lends itself to easy patching support :) Though the RSA key generation process, is it used at all for Nginx OpenSSL? So the only time that would apply is if you call the OpenSSL binary /opt/openssl/bin/openssl instead of the system openssl /usr/bin/openssl.
    Code (Text):
    /opt/openssl/bin/openssl version -a
    OpenSSL 1.1.0h  27 Mar 2018
    built on: reproducible build, date unspecified
    platform: linux-x86_64
    options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
    OPENSSLDIR: "/opt/openssl"
    ENGINESDIR: "/opt/openssl/lib/engines-1.1"
    

    Just added to Centmin Mod 123.09beta01, OpenSSL 1.0.2o & 1.1.0h detection and auto patching for this CVE-2018-0737 when recompiling Nginx via centmin.sh menu option 4

    Relevant line in patch log at /root/centminlogs/patch_opensslpatches_180418-021237.log after Nginx recompile via centmin.sh menu option 4 for Nginx 1.14.0 + OpenSSL 1.1.0h patched build
    Code (Text):
    cat /root/centminlogs/patch_opensslpatches_180418-021237.log
    
    ######################################################################
    Patching OpenSSL 1.1.0h
    ######################################################################
    Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) patch
    https://community.centminmod.com/threads/14584/
    ######################################################################
    /svr-setup/openssl-1.1.0h /svr-setup/openssl-1.1.0h
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1h-cache-timing-rsa-key-gen.patch
    patching file crypto/rsa/rsa_gen.c
    

    patch log for Nginx 1.14.0 + OpenSSL 1.0.2o

    Code (Text):
    cat /root/centminlogs/patch_opensslpatches_180418-022623.log
    
    ######################################################################
    Patching OpenSSL 1.0.2o
    ######################################################################
    Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) patch
    https://community.centminmod.com/threads/14584/
    ######################################################################
    /svr-setup/openssl-1.0.2o /svr-setup/openssl-1.0.2o
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.0.2o-cache-timing-rsa-key-gen.patch
    patching file crypto/rsa/rsa_gen.c
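
A way to check patch logs like the two above automatically, as an added example that is not part of the thread or of Centmin Mod: the function reads a log in the format shown and reports whether the CVE-2018-0737 patch touched crypto/rsa/rsa_gen.c without GNU patch reporting a failure. The function and sample names are hypothetical, and the failing log is constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Centmin Mod code).
# Reads a patch log on stdin, prints "<openssl version> <status>",
# and returns 0 only when the CVE-2018-0737 patch applied cleanly.
check_patch_log() {
  awk -v cve="CVE-2018-0737" '
    /^[ \t]*Patching OpenSSL / { ver = $NF }
    index($0, cve)             { seen_cve = 1 }
    /^[ \t]*patch -p1 </       { ran = 1 }
    /^[ \t]*patching file /    { if ($NF == "crypto/rsa/rsa_gen.c") target = 1 }
    # Messages GNU patch prints when a patch is rejected or is a no-op
    /FAILED|Reversed \(or previously applied\)|can.t find file to patch|malformed patch/ { bad = 1 }
    END {
      if (!seen_cve)    status = "no-cve-entry"
      else if (!ran)    status = "patch-not-run"
      else if (bad)     status = "patch-failed"
      else if (!target) status = "target-file-not-patched"
      else              status = "applied"
      v = (ver == "" ? "unknown" : ver)
      print v, status
      exit (status == "applied" ? 0 : 1)
    }'
}

# Log lines taken from the thread for the OpenSSL 1.1.0h build.
sample_applied() {
cat <<'EOF'
Patching OpenSSL 1.1.0h
Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) patch
patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1h-cache-timing-rsa-key-gen.patch
patching file crypto/rsa/rsa_gen.c
EOF
}

# Constructed failure case: GNU patch rejects the hunk.
sample_failed() {
cat <<'EOF'
Patching OpenSSL 1.1.0h
Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) patch
patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1h-cache-timing-rsa-key-gen.patch
patching file crypto/rsa/rsa_gen.c
Hunk #1 FAILED at 1.
1 out of 1 hunk FAILED -- saving rejects to file crypto/rsa/rsa_gen.c.rej
EOF
}

sample_applied | check_patch_log            # 1.1.0h applied
sample_failed  | check_patch_log || true    # 1.1.0h patch-failed
```

On a real server the input would be one of the files under /root/centminlogs/, for example `check_patch_log < /root/centminlogs/patch_opensslpatches_180418-021237.log`.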