Security OpenSSL OpenSSL Security Advisory [16 Apr 2018]

Discussion in 'CentOS, Redhat & Oracle Linux News' started by buik, Apr 18, 2018.

  1. buik

    buik “It always seems impossible until it’s done.” Premium Member

     
  2. eva2000

    eva2000 Administrator Staff Member

    thanks for the heads up :)
     
  3. buik

    N.P. Y.W. Due to the low severity you could patch the code.
    What are you going to do?
     
  4. eva2000

    Hmm, indeed they aren't that involved for the committed fixes to be made via patching, as the Centmin Mod Nginx routine lends itself to easy patching support :) Though is the RSA key generation process used at all for Nginx OpenSSL? So the only time that would apply is if you call the OpenSSL binary /opt/openssl/bin/openssl instead of the system openssl /usr/bin/openssl.
    Code (Text):
    /opt/openssl/bin/openssl version -a
    OpenSSL 1.1.0h  27 Mar 2018
    built on: reproducible build, date unspecified
    platform: linux-x86_64
    options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
    OPENSSLDIR: "/opt/openssl"
    ENGINESDIR: "/opt/openssl/lib/engines-1.1"
    

    Just added to Centmin Mod 123.09beta01: OpenSSL 1.0.2o & 1.1.0h detection and auto patching for this CVE-2018-0737 when recompiling Nginx via centmin.sh menu option 4.

    Relevant lines in the patch log at /root/centminlogs/patch_opensslpatches_180418-021237.log after an Nginx recompile via centmin.sh menu option 4 for the Nginx 1.14.0 + OpenSSL 1.1.0h patched build:
    Code (Text):
    cat /root/centminlogs/patch_opensslpatches_180418-021237.log
    
    ######################################################################
    Patching OpenSSL 1.1.0h
    ######################################################################
    Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) patch
    https://community.centminmod.com/threads/14584/
    ######################################################################
    /svr-setup/openssl-1.1.0h /svr-setup/openssl-1.1.0h
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1h-cache-timing-rsa-key-gen.patch
    patching file crypto/rsa/rsa_gen.c
    

    Patch log for Nginx 1.14.0 + OpenSSL 1.0.2o:

    Code (Text):
    cat /root/centminlogs/patch_opensslpatches_180418-022623.log
    
    ######################################################################
    Patching OpenSSL 1.0.2o
    ######################################################################
    Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) patch
    https://community.centminmod.com/threads/14584/
    ######################################################################
    /svr-setup/openssl-1.0.2o /svr-setup/openssl-1.0.2o
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.0.2o-cache-timing-rsa-key-gen.patch
    patching file crypto/rsa/rsa_gen.c
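
As an added example (not part of the thread and not Centmin Mod's own code), this POSIX shell check classifies a patch log like the two above as applied cleanly, failed, or not showing the CVE-2018-0737 patch at all. The function names and sample logs are constructed for illustration, and the failure strings assume GNU patch's standard messages.

```sh
#!/bin/sh
# Added example: classify an OpenSSL patch log for CVE-2018-0737.
# Failure strings are GNU patch's standard messages (assumption: GNU patch is in use);
# the success line is the one shown in the logs above.

# patched_version LOG: print the version from the "Patching OpenSSL <ver>" banner
patched_version() {
  sed -n 's/^[[:space:]]*Patching OpenSSL \([0-9][0-9a-z.]*\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# check_patch_log LOG
#   0 = CVE-2018-0737 patch applied cleanly to crypto/rsa/rsa_gen.c
#   1 = patch ran but reported a failed, rejected or already-applied hunk
#   2 = log unreadable, or it does not show this patch touching rsa_gen.c
check_patch_log() {
  [ -r "$1" ] || return 2
  grep -q 'CVE-2018-0737' "$1" || return 2
  if grep -Eq 'FAILED|saving rejects to file|Reversed \(or previously applied\) patch detected' "$1"; then
    return 1
  fi
  grep -Eq '^[[:space:]]*patching file crypto/rsa/rsa_gen\.c[[:space:]]*$' "$1" || return 2
  return 0
}

# write_sample_log FILE VERSION [EXTRA_LINE]: constructed sample in the layout shown above
write_sample_log() {
  {
    echo '######################################################################'
    echo "Patching OpenSSL $2"
    echo '######################################################################'
    echo 'Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) patch'
    echo 'patching file crypto/rsa/rsa_gen.c'
    [ -z "$3" ] || echo "$3"
  } > "$1"
}

# Demo on constructed logs (temporary files, removed afterwards)
demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/ok.log" 1.1.0h
write_sample_log "$demo_dir/bad.log" 1.0.2o 'Hunk #1 FAILED at 89.'
for f in "$demo_dir/ok.log" "$demo_dir/bad.log"; do
  check_patch_log "$f"; rc=$?
  echo "OpenSSL $(patched_version "$f"): status $rc"
done
rm -rf "$demo_dir"
```

A status of 1 or 2 means the rebuilt Nginx may be linked against an unpatched OpenSSL tree, so the log is worth reading by hand before relying on the build.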