OpenSSL Security Advisory

Discussion in 'System Administration' started by Matt, Jun 5, 2014.

  1. Matt
  2. rdan
    How did you properly replace default openssl of centos with axivo's openssl @Matt ?
     
  3. Matt
    As per the PC on my site the other month:

    Code:
    # yum install postgresql-libs-8.4.20-1.el6_5.x86_64
    # yum --disablerepo=* --enablerepo=axivo update postfix*
    # yum --disablerepo=* --enablerepo=axivo update openssl*
    
    Then to check, do yum list *openssl*

  4. rdan
    Oh, you sent this; sorry if I missed it :(
     
  5. rdan
    I just have 2 installed:
    Code:
    # yum list *openssl*
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    * base: centosc6.centos.org
    * epel: mirror.symnds.com
    * extras: mirror.linux.duke.edu
    * rpmforge: repoforge.mirror.constant.com
    * updates: mirror.linux.duke.edu
    1545 packages excluded due to repository priority protections
    Installed Packages
    openssl-devel.x86_64                                              1:1.0.1g-2.el6                                     @axivo
    openssl-libs.x86_64                                               1:1.0.1g-2.el6                                     @axivo
    Available Packages
    globus-gsi-openssl-error.x86_64                                   2.1-10.el6                                         epel
    globus-gsi-openssl-error-devel.x86_64                             2.1-10.el6                                         epel
    globus-gsi-openssl-error-doc.noarch                               2.1-10.el6                                         epel
    globus-openssl-module.x86_64                                      3.3-2.el6                                          epel
    globus-openssl-module-devel.x86_64                                3.3-2.el6                                          epel
    globus-openssl-module-doc.noarch                                  3.3-2.el6                                          epel
    globus-openssl-module-progs.x86_64                                3.3-2.el6                                          epel
    krb5-pkinit-openssl.x86_64                                        1.10.3-15.el6_5.1                                  updates
    openssl.x86_64                                                    1.0.1e-16.el6_5.7                                  updates
    openssl-perl.x86_64                                               1.0.1e-16.el6_5.7                                  updates
    openssl-static.x86_64                                             1.0.1e-16.el6_5.7                                  updates
    openssl098e.x86_64                                                0.9.8e-17.el6.centos.2                             base
    perl-Crypt-OpenSSL-AES.x86_64                                     0.02-9.el6                                         epel
    perl-Crypt-OpenSSL-Bignum.x86_64                                  0.04-8.1.el6                                       base
    perl-Crypt-OpenSSL-DSA.x86_64                                     0.13-14.el6                                        epel
    perl-Crypt-OpenSSL-RSA.x86_64                                     0.25-10.1.el6                                      base
    perl-Crypt-OpenSSL-Random.x86_64                                  0.04-9.1.el6                                       base
    perl-Crypt-OpenSSL-X509.x86_64                                    1.800.2-1.el6                                      epel
    pyOpenSSL.x86_64                                                  0.10-2.el6                                         base
    xmlsec1-openssl.x86_64                                            1.2.16-2.el6                                       epel
    xmlsec1-openssl-devel.x86_64                                      1.2.16-2.el6                                       epel
    
     
  6. rdan
    How to fix this?
    Code:
    # yum --disablerepo=* --enablerepo=axivo install openssl*
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    Setting up Install Process
    Package 1:openssl-devel-1.0.1g-2.el6.x86_64 already installed and latest version
    Package 1:openssl-libs-1.0.1g-2.el6.x86_64 already installed and latest version
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssl.x86_64 1:1.0.1g-2.el6 will be installed
    ---> Package openssl-perl.x86_64 1:1.0.1g-2.el6 will be installed
    --> Processing Dependency: perl(WWW::Curl::Easy) for package: 1:openssl-perl-1.0.1g-2.el6.x86_64
    ---> Package openssl-static.x86_64 1:1.0.1g-2.el6 will be installed
    --> Finished Dependency Resolution
    Error: Package: 1:openssl-perl-1.0.1g-2.el6.x86_64 (axivo)
               Requires: perl(WWW::Curl::Easy)
    You could try using --skip-broken to work around the problem
    You could try running: rpm -Va --nofiles --nodigest
    
     
  7. Matt
    Try doing:

    Code:
    yum --disablerepo=* --enablerepo=axivo install openssl
     
  8. Matt
    You don't need to do openssl* for the install, as that will try and install EVERYTHING
     
  9. rdan
    Sorry :(

    You saved my ass again, THANKS A LOT!
    Code:
    Installed Packages
    openssl.x86_64                                                    1:1.0.1g-2.el6                                     @axivo
    openssl-devel.x86_64                                              1:1.0.1g-2.el6                                     @axivo
    openssl-libs.x86_64                                               1:1.0.1g-2.el6                                     @axivo
    
     
  10. rdan
    @Floren needs to update his repo :)
     
  11. Matt
    He's probably still asleep or just getting up.
     
  12. rdan
  13. rdan
    I just changed /inc/downloadlinks.inc to:
    Code:
    OPENSSL_LINKFILE="openssl-${OPENSSL_VERSION}.tar.gz"
    OPENSSL_LINK="http://www.openssl.org/source/${OPENSSL_LINKFILE}"
    #OPENSSL_LINK="http://centminmod.com/centminmodparts/openssl/${OPENSSL_LINKFILE}"
     
  14. eva2000
    Fixed that, as the .07 betas use a local mirror and my local mirrors didn't have 1.0.1h, but they do now :)

    probably should switch back to official openssl downloads for .07 stable or next .07 beta 22

    done for forums Nginx/OpenSSL 1.0.1h (note Nginx on Centmin Mod builds against a statically linked OpenSSL version defined in centmin.sh variable OPENSSL_VER)

    looks like Nginx made an official announcement too https://community.centminmod.com/threads/nginx-and-the-05-june-2014-openssl-security-advisory.297/
     
    Last edited: Jun 6, 2014
  15. eva2000
  16. rdan
    Code:
    Updating : openssl-1.0.1e-16.el6_5.14.x86_64 1/2
    Cleanup : openssl-1.0.1e-16.el6_5.7.x86_64 2/2
    Verifying : openssl-1.0.1e-16.el6_5.14.x86_64 1/2
    Verifying : openssl-1.0.1e-16.el6_5.7.x86_64 2/2

    Updated:
    openssl.x86_64 0:1.0.1e-16.el6_5.14
     
  17. eva2000
    Don't think that version has the fixes for the latest bugs. I'm already on that version and the last patch was for Apr 07, 2014.

    Code:
    yum list openssl openssl-devel -q
    Installed Packages
    openssl.x86_64                                                              1.0.1e-16.el6_5.7                                                        @updates
    openssl-devel.x86_64                                                        1.0.1e-16.el6_5.7                                                        @updates
    
    rpm -qa --changelog openssl | head -n6
    * Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
    
    - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
    
    * Tue Jan 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.4
    - fix CVE-2013-4353 - Invalid TLS handshake crash
    Doesn't matter for Nginx on Centmin Mod anyway as it doesn't use system OpenSSL and is compiled statically - check command below will return blank/nothing for Centmin Mod Nginx. There's a reason why Centmin Mod Nginx is compiled against a statically linked OpenSSL version ;)

    Code:
    ldd `which nginx` | grep ssl
    For system OpenSSL you might need to wait for Redhat and CentOS to release a backported OpenSSL 1.0.1e-XX version.
     
    Last edited: Jun 6, 2014
  18. eva2000
    Confusing: Redhat lists that version as the fixed one https://rhn.redhat.com/errata/RHSA-2014-0625.html

    Edit: doh, I was looking at the wrong version increment LOL

    The fixed version is 1.0.1e-16.el6_5.14

    Code:
     yum list update openssl -q                                   
    Installed Packages
    openssl.i686                                                           1.0.1e-16.el6_5.7                                                            installed
    Available Packages
    openssl.i686                                                           1.0.1e-16.el6_5.14                                                           updates  
     
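The two checks eva2000 describes in the previous two posts (is the system openssl RPM at or past the fixed release, and does nginx link libssl dynamically at all) as a small added shell script; this is example code, not something posted in the thread. The fixed release string and the changelog sample come from the posts above; the ldd outputs are constructed samples, and the functions parse text on stdin so they can be tested offline.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: (1) is the installed openssl RPM at
# or past the fixed release eva2000 quotes from the Red Hat erratum, and (2)
# does a binary such as nginx link libssl dynamically (Centmin Mod's should not).
set -eu
FIXED_REL="1.0.1e-16.el6_5.14"   # fixed release named in the thread

# Compare "1.0.1e-16.el6_5.N" release strings on the trailing N as integers.
# A plain string compare is wrong here: "...el6_5.7" sorts after "...el6_5.14".
# Prints fixed / vulnerable, or unknown when the errata stream differs.
openssl_release_status() {
    inst="$1"; fixed="$2"
    inst_base="${inst%.*}";   inst_n="${inst##*.}"
    fixed_base="${fixed%.*}"; fixed_n="${fixed##*.}"
    case "$inst_n$fixed_n" in *[!0-9]*) echo unknown; return 0;; esac
    if [ "$inst_base" != "$fixed_base" ]; then echo unknown
    elif [ "$inst_n" -ge "$fixed_n" ]; then echo fixed
    else echo vulnerable
    fi
}

# Does an rpm changelog (rpm -q --changelog openssl, on stdin) record a fix
# for the given CVE id? Exit status 0 if yes.
changelog_fixes_cve() { grep -qi -- "fix $1" ; }

# Does ldd output (on stdin) list libssl/libcrypto as shared libraries?
# Exit status 0 if yes. glibc's libcrypt.so must not match.
links_system_ssl() { grep -q -e 'libssl\.so' -e 'libcrypto\.so' ; }

# Constructed samples: the changelog head quoted in the thread, and ldd output
# for a dynamically linked binary versus one built against static OpenSSL.
SAMPLE_CHANGELOG='* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 Tomáš Mráz 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash'
SAMPLE_LDD_DYNAMIC='    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f1a)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f1b)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1c)'
SAMPLE_LDD_STATIC='    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f2a)
    libpcre.so.0 => /lib64/libpcre.so.0 (0x00007f2b)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2c)'

# Run against the real host when rpm and nginx are present (skipped elsewhere).
if command -v rpm >/dev/null 2>&1 && rpm -q openssl >/dev/null 2>&1; then
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl | head -n1)
    echo "system openssl $inst: $(openssl_release_status "$inst" "$FIXED_REL")"
fi
if command -v nginx >/dev/null 2>&1 && ldd "$(command -v nginx)" | links_system_ssl; then
    echo "nginx links the system libssl, so the system OpenSSL patch level matters for it"
fi
```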
  19. eva2000
  20. rdan
    Now that he has already released an update, I get this error:
    Code:
    # yum --enablerepo=axivo update openssl*
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    * base: centos.bhs.mirrors.ovh.net
    * epel: mirrors.mit.edu
    * extras: www.cubiculestudio.com
    * rpmforge: repoforge.mirror.constant.com
    * updates: less.cogeco.net
    1628 packages excluded due to repository priority protections
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssl-libs.x86_64 1:1.0.1g-2.el6 will be updated
    --> Processing Dependency: openssl-libs = 1:1.0.1g-2.el6 for package: 1:openssl-devel-1.0.1g-2.el6.x86_64
    --> Processing Dependency: openssl-libs = 1:1.0.1g-2.el6 for package: 1:openssl-1.0.1g-2.el6.x86_64
    ---> Package openssl-libs.x86_64 1:1.0.1h-1.el6 will be an update
    --> Finished Dependency Resolution
    Error: Package: 1:openssl-devel-1.0.1g-2.el6.x86_64 (@axivo)
               Requires: openssl-libs = 1:1.0.1g-2.el6
               Removing: 1:openssl-libs-1.0.1g-2.el6.x86_64 (@axivo)
                   openssl-libs = 1:1.0.1g-2.el6
               Updated By: 1:openssl-libs-1.0.1h-1.el6.x86_64 (axivo)
                   openssl-libs = 1:1.0.1h-1.el6
    Error: Package: 1:openssl-1.0.1g-2.el6.x86_64 (@axivo)
               Requires: openssl-libs = 1:1.0.1g-2.el6
               Removing: 1:openssl-libs-1.0.1g-2.el6.x86_64 (@axivo)
                   openssl-libs = 1:1.0.1g-2.el6
               Updated By: 1:openssl-libs-1.0.1h-1.el6.x86_64 (axivo)
                   openssl-libs = 1:1.0.1h-1.el6
    You could try using --skip-broken to work around the problem
    You could try running: rpm -Va --nofiles --nodigest
    
     