
OpenSSL Security Advisory

Discussion in 'System Administration' started by Matt, Jun 5, 2014.

  1. Matt

    Matt Moderator Staff Member

  2. RoldanLT

    RoldanLT Well-Known Member

    How did you properly replace the default OpenSSL of CentOS with axivo's OpenSSL, @Matt?
     
  3. Matt

    Matt Moderator Staff Member

    As per the PC on my site the other month:

    Code:
    # yum install postgresql-libs-8.4.20-1.el6_5.x86_64
    # yum --disablerepo=* --enablerepo=axivo update postfix*
    # yum --disablerepo=* --enablerepo=axivo update openssl*
    
    Then to check, do yum list *openssl*

  4. RoldanLT

    RoldanLT Well-Known Member

    Ow you sent this, sorry if I missed it :(
     
  5. RoldanLT

    RoldanLT Well-Known Member

    I just have 2 installed:
    Code:
    # yum list *openssl*
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    * base: centosc6.centos.org
    * epel: mirror.symnds.com
    * extras: mirror.linux.duke.edu
    * rpmforge: repoforge.mirror.constant.com
    * updates: mirror.linux.duke.edu
    1545 packages excluded due to repository priority protections
    Installed Packages
    openssl-devel.x86_64                                              1:1.0.1g-2.el6                                     @axivo
    openssl-libs.x86_64                                               1:1.0.1g-2.el6                                     @axivo
    Available Packages
    globus-gsi-openssl-error.x86_64                                   2.1-10.el6                                         epel
    globus-gsi-openssl-error-devel.x86_64                             2.1-10.el6                                         epel
    globus-gsi-openssl-error-doc.noarch                               2.1-10.el6                                         epel
    globus-openssl-module.x86_64                                      3.3-2.el6                                          epel
    globus-openssl-module-devel.x86_64                                3.3-2.el6                                          epel
    globus-openssl-module-doc.noarch                                  3.3-2.el6                                          epel
    globus-openssl-module-progs.x86_64                                3.3-2.el6                                          epel
    krb5-pkinit-openssl.x86_64                                        1.10.3-15.el6_5.1                                  updates
    openssl.x86_64                                                    1.0.1e-16.el6_5.7                                  updates
    openssl-perl.x86_64                                               1.0.1e-16.el6_5.7                                  updates
    openssl-static.x86_64                                             1.0.1e-16.el6_5.7                                  updates
    openssl098e.x86_64                                                0.9.8e-17.el6.centos.2                             base
    perl-Crypt-OpenSSL-AES.x86_64                                     0.02-9.el6                                         epel
    perl-Crypt-OpenSSL-Bignum.x86_64                                  0.04-8.1.el6                                       base
    perl-Crypt-OpenSSL-DSA.x86_64                                     0.13-14.el6                                        epel
    perl-Crypt-OpenSSL-RSA.x86_64                                     0.25-10.1.el6                                      base
    perl-Crypt-OpenSSL-Random.x86_64                                  0.04-9.1.el6                                       base
    perl-Crypt-OpenSSL-X509.x86_64                                    1.800.2-1.el6                                      epel
    pyOpenSSL.x86_64                                                  0.10-2.el6                                         base
    xmlsec1-openssl.x86_64                                            1.2.16-2.el6                                       epel
    xmlsec1-openssl-devel.x86_64                                      1.2.16-2.el6                                       epel
    
     
  6. RoldanLT

    RoldanLT Well-Known Member

    How to fix this?
    Code:
    # yum --disablerepo=* --enablerepo=axivo install openssl*
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    Setting up Install Process
    Package 1:openssl-devel-1.0.1g-2.el6.x86_64 already installed and latest version
    Package 1:openssl-libs-1.0.1g-2.el6.x86_64 already installed and latest version
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssl.x86_64 1:1.0.1g-2.el6 will be installed
    ---> Package openssl-perl.x86_64 1:1.0.1g-2.el6 will be installed
    --> Processing Dependency: perl(WWW::Curl::Easy) for package: 1:openssl-perl-1.0.1g-2.el6.x86_64
    ---> Package openssl-static.x86_64 1:1.0.1g-2.el6 will be installed
    --> Finished Dependency Resolution
    Error: Package: 1:openssl-perl-1.0.1g-2.el6.x86_64 (axivo)
               Requires: perl(WWW::Curl::Easy)
    You could try using --skip-broken to work around the problem
    You could try running: rpm -Va --nofiles --nodigest
    
     
  7. Matt

    Matt Moderator Staff Member

    try doing

    Code:
    yum --disablerepo=* --enablerepo=axivo install openssl
     
  8. Matt

    Matt Moderator Staff Member

    You don't need to do openssl* for the install, as that will try and install EVERYTHING
     
  9. RoldanLT

    RoldanLT Well-Known Member

    Sorry :(

    You saved my ass again, THANKS A LOT!
    Code:
    Installed Packages
    openssl.x86_64                                                    1:1.0.1g-2.el6                                     @axivo
    openssl-devel.x86_64                                              1:1.0.1g-2.el6                                     @axivo
    openssl-libs.x86_64                                               1:1.0.1g-2.el6                                     @axivo
    
     
  10. RoldanLT

    RoldanLT Well-Known Member

    @Floren needs to update his repo :)
     
  11. Matt

    Matt Moderator Staff Member

    He's probably still asleep or just getting up.
     
  12. RoldanLT

    RoldanLT Well-Known Member

  13. RoldanLT

    RoldanLT Well-Known Member

    I just changed /inc/downloadlinks.inc to:
    Code:
    OPENSSL_LINKFILE="openssl-${OPENSSL_VERSION}.tar.gz"
    OPENSSL_LINK="http://www.openssl.org/source/${OPENSSL_LINKFILE}"
    #OPENSSL_LINK="http://centminmod.com/centminmodparts/openssl/${OPENSSL_LINKFILE}"
     
  14. eva2000

    eva2000 Administrator Staff Member

    fixed that as the .07 betas use local mirror and my local mirrors didn't have 1.0.1h but they do now :)

    probably should switch back to official openssl downloads for .07 stable or next .07 beta 22

    done for forums Nginx/OpenSSL 1.0.1h (note Nginx on Centmin Mod builds against a statically linked OpenSSL version defined in centmin.sh variable OPENSSL_VER)

    looks like Nginx made an official announcement too https://community.centminmod.com/threads/nginx-and-the-05-june-2014-openssl-security-advisory.297/
     
    Last edited: Jun 6, 2014
  15. eva2000

    eva2000 Administrator Staff Member

  16. RoldanLT

    RoldanLT Well-Known Member

    Updating : openssl-1.0.1e-16.el6_5.14.x86_64 1/2
    Cleanup : openssl-1.0.1e-16.el6_5.7.x86_64 2/2
    Verifying : openssl-1.0.1e-16.el6_5.14.x86_64 1/2
    Verifying : openssl-1.0.1e-16.el6_5.7.x86_64 2/2

    Updated:
    openssl.x86_64 0:1.0.1e-16.el6_5.14
     
  17. eva2000

    eva2000 Administrator Staff Member

    Don't think that version has the fixes for latest bugs.. I'm already on that version and last patch was for Apr 07, 2014

    Code:
    yum list openssl openssl-devel -q
    Installed Packages
    openssl.x86_64                                                              1.0.1e-16.el6_5.7                                                        @updates
    openssl-devel.x86_64                                                        1.0.1e-16.el6_5.7                                                        @updates
    
    rpm -qa --changelog openssl | head -n6
    * Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
    
    - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
    
    * Tue Jan 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.4
    - fix CVE-2013-4353 - Invalid TLS handshake crash

    Doesn't matter for Nginx on Centmin Mod anyway as it doesn't use system OpenSSL and is compiled statically - check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version ;)

    Code:
    ldd `which nginx` | grep ssl

    For system OpenSSL might need to wait for Redhat and CentOS to release a backported OpenSSL 1.0.1e-XX version
     
    Last edited: Jun 6, 2014
  18. eva2000

    eva2000 Administrator Staff Member

    confusing Redhat lists that version as the fixed ones https://rhn.redhat.com/errata/RHSA-2014-0625.html

    edit doh looking at wrong version increment LOL

    fixed version is 1.0.1e-16.el6_5.14

    Code:
    yum list update openssl -q
    Installed Packages
    openssl.i686                                                           1.0.1e-16.el6_5.7                                                            installed
    Available Packages
    openssl.i686                                                           1.0.1e-16.el6_5.14                                                           updates  
     
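An added example, not written by any poster in this thread: since CentOS ships backported fixes under the same upstream 1.0.1e version string, patch status has to be read from the RPM changelog and the release suffix, which the two posts above do by hand. The helper names `cve_fixed_in` and `release_is_older` are hypothetical; the changelog text and release strings are the ones quoted in those posts.

```shell
#!/bin/sh
# Changelog entries as shown in the post above, embedded so this runs offline.
# On a real host, feed the function from: rpm -q --changelog openssl
SAMPLE_CHANGELOG='* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

* Tue Jan 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash'

# cve_fixed_in CVE-ID (hypothetical helper): reads an RPM changelog on stdin and
# prints the release of the newest entry mentioning that CVE; status 1 if none.
cve_fixed_in() {
  awk -v cve="$1" '
    /^\* / { rel = $NF }                        # entry header ends with the release
    $0 ~ (cve "([^0-9]|$)") { print rel; found = 1; exit }  # whole ID, not a prefix
    END { exit (found ? 0 : 1) }
  '
}

# release_is_older A B (hypothetical helper): true when A sorts strictly before B.
# sort -V compares digit runs as numbers, so el6_5.7 < el6_5.14; a plain string
# comparison gets this backwards. It agrees with RPM ordering for these strings
# but is not a full rpmvercmp implementation.
release_is_older() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Demo with the values quoted in the thread.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in CVE-2014-0160
if release_is_older 1.0.1e-16.el6_5.7 1.0.1e-16.el6_5.14; then
  echo "installed release predates the fixed release: update needed"
fi
```

The same two checks do not cover a statically linked Nginx, which carries its own OpenSSL copy and has to be rebuilt against the fixed source.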
  19. eva2000

    eva2000 Administrator Staff Member

  20. RoldanLT

    RoldanLT Well-Known Member

    Now that he already released an update, I got this error:
    Code:
    # yum --enablerepo=axivo update openssl*
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    * base: centos.bhs.mirrors.ovh.net
    * epel: mirrors.mit.edu
    * extras: www.cubiculestudio.com
    * rpmforge: repoforge.mirror.constant.com
    * updates: less.cogeco.net
    1628 packages excluded due to repository priority protections
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssl-libs.x86_64 1:1.0.1g-2.el6 will be updated
    --> Processing Dependency: openssl-libs = 1:1.0.1g-2.el6 for package: 1:openssl-devel-1.0.1g-2.el6.x86_64
    --> Processing Dependency: openssl-libs = 1:1.0.1g-2.el6 for package: 1:openssl-1.0.1g-2.el6.x86_64
    ---> Package openssl-libs.x86_64 1:1.0.1h-1.el6 will be an update
    --> Finished Dependency Resolution
    Error: Package: 1:openssl-devel-1.0.1g-2.el6.x86_64 (@axivo)
               Requires: openssl-libs = 1:1.0.1g-2.el6
               Removing: 1:openssl-libs-1.0.1g-2.el6.x86_64 (@axivo)
                   openssl-libs = 1:1.0.1g-2.el6
               Updated By: 1:openssl-libs-1.0.1h-1.el6.x86_64 (axivo)
                   openssl-libs = 1:1.0.1h-1.el6
    Error: Package: 1:openssl-1.0.1g-2.el6.x86_64 (@axivo)
               Requires: openssl-libs = 1:1.0.1g-2.el6
               Removing: 1:openssl-libs-1.0.1g-2.el6.x86_64 (@axivo)
                   openssl-libs = 1:1.0.1g-2.el6
               Updated By: 1:openssl-libs-1.0.1h-1.el6.x86_64 (axivo)
                   openssl-libs = 1:1.0.1h-1.el6
    You could try using --skip-broken to work around the problem
    You could try running: rpm -Va --nofiles --nodigest