http://www.openssl.org/news/secadv_20140605.txt
As per the PC on my site the other month:
Code:
# yum install postgresql-libs-8.4.20-1.el6_5.x86_64
# yum --disablerepo=* --enablerepo=axivo update postfix*
# yum --disablerepo=* --enablerepo=axivo update openssl*
Then to check, do yum list *openssl*
I just have 2 installed:
Code:
# yum list *openssl*
Loaded plugins: downloadonly, fastestmirror, priorities
Loading mirror speeds from cached hostfile
* base: centosc6.centos.org
* epel: mirror.symnds.com
* extras: mirror.linux.duke.edu
* rpmforge: repoforge.mirror.constant.com
* updates: mirror.linux.duke.edu
1545 packages excluded due to repository priority protections
Installed Packages
openssl-devel.x86_64 1:1.0.1g-2.el6 @axivo
openssl-libs.x86_64 1:1.0.1g-2.el6 @axivo
Available Packages
globus-gsi-openssl-error.x86_64 2.1-10.el6 epel
globus-gsi-openssl-error-devel.x86_64 2.1-10.el6 epel
globus-gsi-openssl-error-doc.noarch 2.1-10.el6 epel
globus-openssl-module.x86_64 3.3-2.el6 epel
globus-openssl-module-devel.x86_64 3.3-2.el6 epel
globus-openssl-module-doc.noarch 3.3-2.el6 epel
globus-openssl-module-progs.x86_64 3.3-2.el6 epel
krb5-pkinit-openssl.x86_64 1.10.3-15.el6_5.1 updates
openssl.x86_64 1.0.1e-16.el6_5.7 updates
openssl-perl.x86_64 1.0.1e-16.el6_5.7 updates
openssl-static.x86_64 1.0.1e-16.el6_5.7 updates
openssl098e.x86_64 0.9.8e-17.el6.centos.2 base
perl-Crypt-OpenSSL-AES.x86_64 0.02-9.el6 epel
perl-Crypt-OpenSSL-Bignum.x86_64 0.04-8.1.el6 base
perl-Crypt-OpenSSL-DSA.x86_64 0.13-14.el6 epel
perl-Crypt-OpenSSL-RSA.x86_64 0.25-10.1.el6 base
perl-Crypt-OpenSSL-Random.x86_64 0.04-9.1.el6 base
perl-Crypt-OpenSSL-X509.x86_64 1.800.2-1.el6 epel
pyOpenSSL.x86_64 0.10-2.el6 base
xmlsec1-openssl.x86_64 1.2.16-2.el6 epel
xmlsec1-openssl-devel.x86_64 1.2.16-2.el6 epel
How to fix this?
Code:
# yum --disablerepo=* --enablerepo=axivo install openssl*
Loaded plugins: downloadonly, fastestmirror, priorities
Loading mirror speeds from cached hostfile
Setting up Install Process
Package 1:openssl-devel-1.0.1g-2.el6.x86_64 already installed and latest version
Package 1:openssl-libs-1.0.1g-2.el6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1g-2.el6 will be installed
---> Package openssl-perl.x86_64 1:1.0.1g-2.el6 will be installed
--> Processing Dependency: perl(WWW::Curl::Easy) for package: 1:openssl-perl-1.0.1g-2.el6.x86_64
---> Package openssl-static.x86_64 1:1.0.1g-2.el6 will be installed
--> Finished Dependency Resolution
Error: Package: 1:openssl-perl-1.0.1g-2.el6.x86_64 (axivo)
Requires: perl(WWW::Curl::Easy)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Sorry, you saved my ass again, THANKS A LOT!
Code:
Installed Packages
openssl.x86_64 1:1.0.1g-2.el6 @axivo
openssl-devel.x86_64 1:1.0.1g-2.el6 @axivo
openssl-libs.x86_64 1:1.0.1g-2.el6 @axivo
I just changed /inc/downloadlinks.inc to:
Code:
OPENSSL_LINKFILE="openssl-${OPENSSL_VERSION}.tar.gz"
OPENSSL_LINK="http://www.openssl.org/source/${OPENSSL_LINKFILE}"
#OPENSSL_LINK="http://centminmod.com/centminmodparts/openssl/${OPENSSL_LINKFILE}"
Fixed that, as the .07 betas use a local mirror and my local mirrors didn't have 1.0.1h, but they do now. Probably should switch back to official openssl downloads for .07 stable or the next .07 beta 22.
Done for forums: Nginx/OpenSSL 1.0.1h (note Nginx on Centmin Mod builds against a statically linked OpenSSL version defined in the centmin.sh variable OPENSSL_VER).
Looks like Nginx made an official announcement too: https://community.centminmod.com/threads/nginx-and-the-05-june-2014-openssl-security-advisory.297/
For Redhat and CentOS:
https://access.redhat.com/site/articles/904433
https://access.redhat.com/security/cve/CVE-2014-0224
But I'm not finding mention of Redhat's updated OpenSSL package names - usually Redhat and CentOS backport patches, so you will see something like OpenSSL 1.0.1e-XX where XX is an incremented version number with the fixed patches.
Updating : openssl-1.0.1e-16.el6_5.14.x86_64 1/2
Cleanup : openssl-1.0.1e-16.el6_5.7.x86_64 2/2
Verifying : openssl-1.0.1e-16.el6_5.14.x86_64 1/2
Verifying : openssl-1.0.1e-16.el6_5.7.x86_64 2/2
Updated:
openssl.x86_64 0:1.0.1e-16.el6_5.14
Don't think that version has the fixes for the latest bugs.. I'm already on that version and the last patch was for Apr 07, 2014
Code:
yum list openssl openssl-devel -q
Installed Packages
openssl.x86_64 1.0.1e-16.el6_5.7 @updates
openssl-devel.x86_64 1.0.1e-16.el6_5.7 @updates

rpm -qa --changelog openssl | head -n6
* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash
Doesn't matter for Nginx on Centmin Mod anyway, as it doesn't use the system OpenSSL and is compiled statically - the check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version.
Code:
ldd `which nginx` | grep ssl
For system OpenSSL you might need to wait for Redhat and CentOS to release a backported OpenSSL 1.0.1e-XX version.
Confusing, Redhat lists that version as the fixed one: https://rhn.redhat.com/errata/RHSA-2014-0625.html
edit: doh, looking at the wrong version increment LOL, fixed version is 1.0.1e-16.el6_5.14
Code:
yum list update openssl -q
Installed Packages
openssl.i686 1.0.1e-16.el6_5.7 installed
Available Packages
openssl.i686 1.0.1e-16.el6_5.14 updates
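As an added example that is not code from any post in this thread, the two checks the posts above lean on, in Python: comparing an installed openssl build against the errata release the way rpm does, so that el6_5.7 ranks below el6_5.14 where a plain string compare gets it backwards, and scanning rpm -q --changelog output for a CVE id. The sample changelog is constructed from the lines quoted above, and the function names are my own.

```python
# Added example, not from this thread: compare RHEL/CentOS openssl builds the
# way rpm does. A plain string compare ranks "el6_5.7" above "el6_5.14";
# rpm compares numeric segments as integers, so .14 is the newer errata build.
import re
SEGMENT_RE = re.compile(r"\d+|[A-Za-z]+")

def rpm_vercmp(a, b):
    """rpmvercmp without tilde/caret: returns -1, 0 or 1. Separators are dropped,
    digits/letters form segments, numbers compare as ints and beat letters."""
    sa, sb = SEGMENT_RE.findall(a), SEGMENT_RE.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return -1 if int(x) < int(y) else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def split_evr(evr):
    """'1:1.0.1e-16.el6_5.7' -> (1, '1.0.1e', '16.el6_5.7'); epoch defaults to 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def has_fix(installed, fixed):
    """True when the installed epoch:version-release is at or past the errata's."""
    (ea, va, ra), (eb, vb, rb) = split_evr(installed), split_evr(fixed)
    if ea != eb:
        return ea > eb
    return (rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)) >= 0

def changelog_build_for(cve, changelog):
    """Build named in the '* date author build' header of the entry that mentions the CVE, or None."""
    build = None
    for line in changelog.splitlines():
        if line.startswith("* "):
            build = line.rsplit(None, 1)[-1]
        elif cve in line:
            return build
    return None

# Constructed from the changelog lines quoted above (the 1.0.1e-16.7 build).
SAMPLE_CHANGELOG = """\
* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash
"""
```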
Added a full OpenSSL update guide at https://community.centminmod.com/threads/updating-openssl-1-0-1h-for-centmin-mod.299/
Now that he has already released an update, I got this error:
Code:
# yum --enablerepo=axivo update openssl*
Loaded plugins: downloadonly, fastestmirror, priorities
Loading mirror speeds from cached hostfile
* base: centos.bhs.mirrors.ovh.net
* epel: mirrors.mit.edu
* extras: www.cubiculestudio.com
* rpmforge: repoforge.mirror.constant.com
* updates: less.cogeco.net
1628 packages excluded due to repository priority protections
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package openssl-libs.x86_64 1:1.0.1g-2.el6 will be updated
--> Processing Dependency: openssl-libs = 1:1.0.1g-2.el6 for package: 1:openssl-devel-1.0.1g-2.el6.x86_64
--> Processing Dependency: openssl-libs = 1:1.0.1g-2.el6 for package: 1:openssl-1.0.1g-2.el6.x86_64
---> Package openssl-libs.x86_64 1:1.0.1h-1.el6 will be an update
--> Finished Dependency Resolution
Error: Package: 1:openssl-devel-1.0.1g-2.el6.x86_64 (@axivo)
Requires: openssl-libs = 1:1.0.1g-2.el6
Removing: 1:openssl-libs-1.0.1g-2.el6.x86_64 (@axivo)
openssl-libs = 1:1.0.1g-2.el6
Updated By: 1:openssl-libs-1.0.1h-1.el6.x86_64 (axivo)
openssl-libs = 1:1.0.1h-1.el6
Error: Package: 1:openssl-1.0.1g-2.el6.x86_64 (@axivo)
Requires: openssl-libs = 1:1.0.1g-2.el6
Removing: 1:openssl-libs-1.0.1g-2.el6.x86_64 (@axivo)
openssl-libs = 1:1.0.1g-2.el6
Updated By: 1:openssl-libs-1.0.1h-1.el6.x86_64 (axivo)
openssl-libs = 1:1.0.1h-1.el6
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest