
OpenSSL Security Advisory

Discussion in 'System Administration' started by Matt, Jun 5, 2014.

  1. Matt

    Matt Well-Known Member

    May 25, 2014
    Rotherham, UK
    1.5.15
    MariaDB 10.2
  2. rdan

    rdan Well-Known Member

    May 25, 2014
    Mainline
    10.2
    How did you properly replace the default openssl of CentOS with axivo's openssl, @Matt?
     
  3. Matt

    Matt Well-Known Member

    As per the PC on my site the other month:

    Code:
    # yum install postgresql-libs-8.4.20-1.el6_5.x86_64
    # yum --disablerepo=* --enablerepo=axivo update postfix*
    # yum --disablerepo=* --enablerepo=axivo update openssl*
    
    Then to check, do yum list *openssl*

    [image: screenshot of the yum list *openssl* output]
     
  4. rdan

    rdan Well-Known Member

    Oh, you sent this, sorry if I missed it :(
     
  5. rdan

    rdan Well-Known Member

    I just have 2 installed:
    Code:
    # yum list *openssl*
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    * base: centosc6.centos.org
    * epel: mirror.symnds.com
    * extras: mirror.linux.duke.edu
    * rpmforge: repoforge.mirror.constant.com
    * updates: mirror.linux.duke.edu
    1545 packages excluded due to repository priority protections
    Installed Packages
    openssl-devel.x86_64                                              1:1.0.1g-2.el6                                     @axivo
    openssl-libs.x86_64                                               1:1.0.1g-2.el6                                     @axivo
    Available Packages
    globus-gsi-openssl-error.x86_64                                   2.1-10.el6                                         epel
    globus-gsi-openssl-error-devel.x86_64                             2.1-10.el6                                         epel
    globus-gsi-openssl-error-doc.noarch                               2.1-10.el6                                         epel
    globus-openssl-module.x86_64                                      3.3-2.el6                                          epel
    globus-openssl-module-devel.x86_64                                3.3-2.el6                                          epel
    globus-openssl-module-doc.noarch                                  3.3-2.el6                                          epel
    globus-openssl-module-progs.x86_64                                3.3-2.el6                                          epel
    krb5-pkinit-openssl.x86_64                                        1.10.3-15.el6_5.1                                  updates
    openssl.x86_64                                                    1.0.1e-16.el6_5.7                                  updates
    openssl-perl.x86_64                                               1.0.1e-16.el6_5.7                                  updates
    openssl-static.x86_64                                             1.0.1e-16.el6_5.7                                  updates
    openssl098e.x86_64                                                0.9.8e-17.el6.centos.2                             base
    perl-Crypt-OpenSSL-AES.x86_64                                     0.02-9.el6                                         epel
    perl-Crypt-OpenSSL-Bignum.x86_64                                  0.04-8.1.el6                                       base
    perl-Crypt-OpenSSL-DSA.x86_64                                     0.13-14.el6                                        epel
    perl-Crypt-OpenSSL-RSA.x86_64                                     0.25-10.1.el6                                      base
    perl-Crypt-OpenSSL-Random.x86_64                                  0.04-9.1.el6                                       base
    perl-Crypt-OpenSSL-X509.x86_64                                    1.800.2-1.el6                                      epel
    pyOpenSSL.x86_64                                                  0.10-2.el6                                         base
    xmlsec1-openssl.x86_64                                            1.2.16-2.el6                                       epel
    xmlsec1-openssl-devel.x86_64                                      1.2.16-2.el6                                       epel
    
     
  6. rdan

    rdan Well-Known Member

    How to fix this?
    Code:
    # yum --disablerepo=* --enablerepo=axivo install openssl*
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    Setting up Install Process
    Package 1:openssl-devel-1.0.1g-2.el6.x86_64 already installed and latest version
    Package 1:openssl-libs-1.0.1g-2.el6.x86_64 already installed and latest version
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssl.x86_64 1:1.0.1g-2.el6 will be installed
    ---> Package openssl-perl.x86_64 1:1.0.1g-2.el6 will be installed
    --> Processing Dependency: perl(WWW::Curl::Easy) for package: 1:openssl-perl-1.0.1g-2.el6.x86_64
    ---> Package openssl-static.x86_64 1:1.0.1g-2.el6 will be installed
    --> Finished Dependency Resolution
    Error: Package: 1:openssl-perl-1.0.1g-2.el6.x86_64 (axivo)
               Requires: perl(WWW::Curl::Easy)
    You could try using --skip-broken to work around the problem
    You could try running: rpm -Va --nofiles --nodigest
    
     
  7. Matt

    Matt Well-Known Member

    Try doing

    Code:
    yum --disablerepo=* --enablerepo=axivo install openssl
     
  8. Matt

    Matt Well-Known Member

    You don't need to do openssl* for the install, as that will try and install EVERYTHING
     
  9. rdan

    rdan Well-Known Member

    Sorry :(

    You saved my ass again, THANKS A LOT!
    Code:
    Installed Packages
    openssl.x86_64                                                    1:1.0.1g-2.el6                                     @axivo
    openssl-devel.x86_64                                              1:1.0.1g-2.el6                                     @axivo
    openssl-libs.x86_64                                               1:1.0.1g-2.el6                                     @axivo
    
     
  10. rdan

    rdan Well-Known Member

    @Floren needs to update his repo :)
     
  11. Matt

    Matt Well-Known Member

    He's probably still asleep or just getting up.
     
  12. rdan

    rdan Well-Known Member

  13. rdan

    rdan Well-Known Member

    I just changed /inc/downloadlinks.inc to:
    Code:
    OPENSSL_LINKFILE="openssl-${OPENSSL_VERSION}.tar.gz"
    OPENSSL_LINK="http://www.openssl.org/source/${OPENSSL_LINKFILE}"
    #OPENSSL_LINK="http://centminmod.com/centminmodparts/openssl/${OPENSSL_LINKFILE}"
     
  14. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Fixed that, as the .07 betas use a local mirror and my local mirrors didn't have 1.0.1h, but they do now :)

    Probably should switch back to official OpenSSL downloads for .07 stable or the next .07 beta 22.

    Done for the forum's Nginx/OpenSSL 1.0.1h (note: Nginx on Centmin Mod builds against a statically linked OpenSSL version defined in the centmin.sh variable OPENSSL_VER).

    Looks like Nginx made an official announcement too: https://community.centminmod.com/threads/nginx-and-the-05-june-2014-openssl-security-advisory.297/
     
    Last edited: Jun 6, 2014
  15. eva2000

    eva2000 Administrator Staff Member

  16. rdan

    rdan Well-Known Member

    Code:
    Updating   : openssl-1.0.1e-16.el6_5.14.x86_64   1/2
    Cleanup    : openssl-1.0.1e-16.el6_5.7.x86_64    2/2
    Verifying  : openssl-1.0.1e-16.el6_5.14.x86_64   1/2
    Verifying  : openssl-1.0.1e-16.el6_5.7.x86_64    2/2

    Updated:
      openssl.x86_64 0:1.0.1e-16.el6_5.14
     
  17. eva2000

    eva2000 Administrator Staff Member

    Don't think that version has the fixes for the latest bugs. I'm already on that version and the last patch was for Apr 07, 2014.

    Code:
    yum list openssl openssl-devel -q
    Installed Packages
    openssl.x86_64                                                              1.0.1e-16.el6_5.7                                                        @updates
    openssl-devel.x86_64                                                        1.0.1e-16.el6_5.7                                                        @updates
    
    rpm -qa --changelog openssl | head -n6
    * Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
    
    - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
    
    * Tue Jan 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.4
    - fix CVE-2013-4353 - Invalid TLS handshake crash
    Doesn't matter for Nginx on Centmin Mod anyway, as it doesn't use the system OpenSSL and is compiled statically; the check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version ;)

    Code:
     ldd `which nginx` | grep ssl
    For the system OpenSSL you might need to wait for Red Hat and CentOS to release a backported OpenSSL 1.0.1e-XX version.
     
    Last edited: Jun 6, 2014
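The three checks eva2000 walks through above (is the installed openssl release older than the fixed one, does the package changelog name the CVE, and is nginx even using the system libssl) as one added shell example. This is editor-added code, not Centmin Mod's, the axivo repo's or any poster's; the changelog and ldd text it runs against are constructed samples modelled on the output quoted in the thread, and on a real EL6 host you would feed it `rpm -q --changelog openssl` and `ldd $(command -v nginx)` instead. The version comparison is a simplified rpm-style comparison (digit runs compare numerically, letter runs lexically, no epoch handling), not a call to rpm's own rpmvercmp; it exists because a plain string comparison of `el6_5.7` against `el6_5.14` gives the wrong answer, which is the slip in the next post. CVE-2014-0224 is the CCS injection fix from the 5 June 2014 OpenSSL advisory this thread is about; it is not quoted anywhere in the thread and is used here only as the "not yet in this changelog" case.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or Centmin Mod).
# Three post-advisory checks for the system OpenSSL on an EL6 host:
#   rpm_vercmp   - rpm-style ordering of version-release strings
#   cve_fixed    - does the package changelog mention a given CVE id
#   ssl_linkage  - does `ldd` show a binary resolving libssl/libcrypto
# All inputs below are constructed samples; nothing here touches rpm or yum.

# Simplified rpm-style comparison: tokenize both strings into digit runs and
# letter runs; digit runs compare numerically, letter runs lexically, and a
# digit run outranks a letter run. Epoch is not treated specially. Prints
# -1, 0 or 1 meaning A<B, A==B, A>B.
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
    function tokens(s, arr,    n) {
        n = 0
        while (match(s, /[0-9]+|[A-Za-z]+/)) {
            arr[++n] = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
        }
        return n
    }
    BEGIN {
        na = tokens(a, A); nb = tokens(b, B)
        for (i = 1; i <= na && i <= nb; i++) {
            x = A[i]; y = B[i]
            xd = (x ~ /^[0-9]+$/); yd = (y ~ /^[0-9]+$/)
            if (xd && yd) {
                if (x + 0 != y + 0) { r = (x + 0 > y + 0) ? 1 : -1; print r; exit }
            } else if (xd != yd) {
                r = xd ? 1 : -1; print r; exit
            } else if (x != y) {
                r = (x > y) ? 1 : -1; print r; exit
            }
        }
        if (na == nb) r = 0; else r = (na > nb) ? 1 : -1
        print r
    }'
}

# needs_update INSTALLED FIXED -> "yes" when INSTALLED sorts before FIXED
needs_update() {
    [ "$(rpm_vercmp "$1" "$2")" = -1 ] && echo yes || echo no
}

# cve_fixed CVE-ID CHANGELOG_TEXT -> "fixed" if the id appears, else "missing"
cve_fixed() {
    if printf '%s\n' "$2" | grep -qi -- "$1"; then echo fixed; else echo missing; fi
}

# ssl_linkage LDD_OUTPUT -> "dynamic" if libssl/libcrypto come from a shared
# object, "static" otherwise (a statically linked nginx prints no such line,
# which is why `ldd $(which nginx) | grep ssl` is empty on Centmin Mod).
ssl_linkage() {
    if printf '%s\n' "$1" | grep -qE 'lib(ssl|crypto)\.so'; then echo dynamic; else echo static; fi
}

# Constructed sample: the changelog head for 1.0.1e-16.el6_5.7 as quoted above.
SAMPLE_CHANGELOG='* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash'

# Constructed samples of ldd output: one binary on the system OpenSSL, one not.
SAMPLE_LDD_DYNAMIC='libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f1a2b3c4000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f1a2b0d8000)
libc.so.6 => /lib64/libc.so.6 (0x00007f1a2ad44000)'
SAMPLE_LDD_STATIC='libc.so.6 => /lib64/libc.so.6 (0x00007f1a2ad44000)'

main() {
    echo "installed 1.0.1e-16.el6_5.7 vs fixed 1.0.1e-16.el6_5.14 -> update needed: $(needs_update 1.0.1e-16.el6_5.7 1.0.1e-16.el6_5.14)"
    echo "CVE-2014-0160 in changelog: $(cve_fixed CVE-2014-0160 "$SAMPLE_CHANGELOG")"
    echo "CVE-2014-0224 in changelog: $(cve_fixed CVE-2014-0224 "$SAMPLE_CHANGELOG")"
    echo "system-OpenSSL binary: $(ssl_linkage "$SAMPLE_LDD_DYNAMIC")"
    echo "static nginx:          $(ssl_linkage "$SAMPLE_LDD_STATIC")"
}
main
```

The changelog grep is the cheap way to answer "is the CVE actually backported" for a distro package whose version string never changes (1.0.1e stays 1.0.1e on EL6); the version compare only tells you whether you are behind the errata release, which is the distinction the next two posts sort out.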
  18. eva2000

    eva2000 Administrator Staff Member

    Confusing: Red Hat lists that version as the fixed one https://rhn.redhat.com/errata/RHSA-2014-0625.html

    Edit: doh, looking at the wrong version increment LOL

    Fixed version is 1.0.1e-16.el6_5.14

    Code:
     yum list update openssl -q                                   
    Installed Packages
    openssl.i686                                                           1.0.1e-16.el6_5.7                                                            installed
    Available Packages
    openssl.i686                                                           1.0.1e-16.el6_5.14                                                           updates  
     
  19. eva2000

    eva2000 Administrator Staff Member

  20. rdan

    rdan Well-Known Member

    Now that he has already released an update, I got this error:
    Code:
    # yum --enablerepo=axivo update openssl*
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    * base: centos.bhs.mirrors.ovh.net
    * epel: mirrors.mit.edu
    * extras: www.cubiculestudio.com
    * rpmforge: repoforge.mirror.constant.com
    * updates: less.cogeco.net
    1628 packages excluded due to repository priority protections
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssl-libs.x86_64 1:1.0.1g-2.el6 will be updated
    --> Processing Dependency: openssl-libs = 1:1.0.1g-2.el6 for package: 1:openssl-devel-1.0.1g-2.el6.x86_64
    --> Processing Dependency: openssl-libs = 1:1.0.1g-2.el6 for package: 1:openssl-1.0.1g-2.el6.x86_64
    ---> Package openssl-libs.x86_64 1:1.0.1h-1.el6 will be an update
    --> Finished Dependency Resolution
    Error: Package: 1:openssl-devel-1.0.1g-2.el6.x86_64 (@axivo)
               Requires: openssl-libs = 1:1.0.1g-2.el6
               Removing: 1:openssl-libs-1.0.1g-2.el6.x86_64 (@axivo)
                   openssl-libs = 1:1.0.1g-2.el6
               Updated By: 1:openssl-libs-1.0.1h-1.el6.x86_64 (axivo)
                   openssl-libs = 1:1.0.1h-1.el6
    Error: Package: 1:openssl-1.0.1g-2.el6.x86_64 (@axivo)
               Requires: openssl-libs = 1:1.0.1g-2.el6
               Removing: 1:openssl-libs-1.0.1g-2.el6.x86_64 (@axivo)
                   openssl-libs = 1:1.0.1g-2.el6
               Updated By: 1:openssl-libs-1.0.1h-1.el6.x86_64 (axivo)
                   openssl-libs = 1:1.0.1h-1.el6
    You could try using --skip-broken to work around the problem
    You could try running: rpm -Va --nofiles --nodigest
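The resolver error in the post above shows why a single-package update cannot succeed: the axivo builds of openssl and openssl-devel carry an exact `Requires: openssl-libs = 1:1.0.1g-2.el6`, so openssl-libs cannot move to 1.0.1h-1 on its own and all three packages have to go into one yum transaction. As an added example (editor's code, not from the thread, Centmin Mod or the axivo repo), here is a small parser that pulls that pinned package set out of a yum error of this shape and prints the corresponding update command. The error text is a constructed sample copied in shape from the post; whether the axivo repo actually carried all three packages at 1.0.1h-1.el6 at the time is not verifiable from the thread.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread). Reads a yum dependency
# error of the "Requires: <lib> = <exact EVR>" kind and lists every package
# involved, so the whole set can be updated in one transaction.

# Constructed sample modelled on the error quoted in the post (second block
# shortened; only the "Error: Package:" and "Requires:" lines matter here).
SAMPLE_YUM_ERROR='Error: Package: 1:openssl-devel-1.0.1g-2.el6.x86_64 (@axivo)
           Requires: openssl-libs = 1:1.0.1g-2.el6
           Removing: 1:openssl-libs-1.0.1g-2.el6.x86_64 (@axivo)
               openssl-libs = 1:1.0.1g-2.el6
           Updated By: 1:openssl-libs-1.0.1h-1.el6.x86_64 (axivo)
               openssl-libs = 1:1.0.1h-1.el6
Error: Package: 1:openssl-1.0.1g-2.el6.x86_64 (@axivo)
           Requires: openssl-libs = 1:1.0.1g-2.el6
You could try using --skip-broken to work around the problem'

# pinned_packages ERROR_TEXT -> sorted package names (epoch, version, release
# and arch stripped) for every package that pins a library with an exact
# "Requires: <lib> = <EVR>", plus the pinned library itself.
pinned_packages() {
    printf '%s\n' "$1" | awk '
        /^Error: Package: / {
            pkg = $3                        # e.g. 1:openssl-devel-1.0.1g-2.el6.x86_64
            sub(/^[0-9]+:/, "", pkg)        # drop epoch
            sub(/-[^-]+-[^-]+$/, "", pkg)   # drop -version-release.arch
            next
        }
        /Requires: [^ ]+ = / {
            if (pkg != "") { names[pkg] = 1; names[$2] = 1; pkg = "" }
        }
        END { for (n in names) print n }' | sort
}

# update_command ERROR_TEXT REPO -> the yum invocation that moves the whole
# pinned set together, restricted to REPO like the commands used in the thread.
update_command() {
    pkgs=$(pinned_packages "$1" | tr '\n' ' ' | sed 's/ $//')
    printf "yum --disablerepo='*' --enablerepo=%s update %s\n" "$2" "$pkgs"
}

main() {
    echo "packages that must move together:"
    pinned_packages "$SAMPLE_YUM_ERROR" | sed 's/^/  /'
    echo "suggested command:"
    echo "  $(update_command "$SAMPLE_YUM_ERROR" axivo)"
}
main
```

The same shape of error appears whenever a `-devel` or `-libs` split package is versioned with `=` against its sibling, so the parser is not specific to OpenSSL; `--skip-broken`, which yum suggests, would leave the old openssl-libs in place and is the wrong answer for a security update.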