Fixed again with this guide. Thanks a lot Matt!

Code:
    # yum --disablerepo=* --enablerepo=axivo update openssl*
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssl.x86_64 1:1.0.1g-2.el6 will be updated
    ---> Package openssl.x86_64 1:1.0.1h-1.el6 will be an update
    ---> Package openssl-devel.x86_64 1:1.0.1g-2.el6 will be updated
    ---> Package openssl-devel.x86_64 1:1.0.1h-1.el6 will be an update
    ---> Package openssl-libs.x86_64 1:1.0.1g-2.el6 will be updated
    ---> Package openssl-libs.x86_64 1:1.0.1h-1.el6 will be an update
    --> Finished Dependency Resolution
    Dependencies Resolved
    ============================================================================================================
     Package            Arch      Version           Repository   Size
    ============================================================================================================
    Updating:
     openssl            x86_64    1:1.0.1h-1.el6    axivo        636 k
     openssl-devel      x86_64    1:1.0.1h-1.el6    axivo        1.2 M
     openssl-libs       x86_64    1:1.0.1h-1.el6    axivo        3.3 M
    Transaction Summary
    ============================================================================================================
    Upgrade 3 Package(s)
    Total download size: 5.1 M
    Is this ok [y/N]: y
    Downloading Packages:
    (1/3): openssl-1.0.1h-1.el6.x86_64.rpm          | 636 kB 00:00
    (2/3): openssl-devel-1.0.1h-1.el6.x86_64.rpm    | 1.2 MB 00:00
    (3/3): openssl-libs-1.0.1h-1.el6.x86_64.rpm     | 3.3 MB 00:00
    ------------------------------------------------------------------------------------------------------------
    Total 10 MB/s | 5.1 MB 00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Updating  : 1:openssl-libs-1.0.1h-1.el6.x86_64     1/6
      Updating  : 1:openssl-devel-1.0.1h-1.el6.x86_64    2/6
      Updating  : 1:openssl-1.0.1h-1.el6.x86_64          3/6
      Cleanup   : 1:openssl-devel-1.0.1g-2.el6.x86_64    4/6
      Cleanup   : 1:openssl-1.0.1g-2.el6.x86_64          5/6
      Cleanup   : 1:openssl-libs-1.0.1g-2.el6.x86_64     6/6
      Verifying : 1:openssl-devel-1.0.1h-1.el6.x86_64    1/6
      Verifying : 1:openssl-1.0.1h-1.el6.x86_64          2/6
      Verifying : 1:openssl-libs-1.0.1h-1.el6.x86_64     3/6
      Verifying : 1:openssl-devel-1.0.1g-2.el6.x86_64    4/6
      Verifying : 1:openssl-1.0.1g-2.el6.x86_64          5/6
      Verifying : 1:openssl-libs-1.0.1g-2.el6.x86_64     6/6
    Updated:
      openssl.x86_64 1:1.0.1h-1.el6
      openssl-devel.x86_64 1:1.0.1h-1.el6
      openssl-libs.x86_64 1:1.0.1h-1.el6
    Complete!
    [root@server32 ~]# htop
    [3]+ Stopped htop
Interesting read at http://www.thewhir.com/web-hosting-...ar-old-openssl-bug-enables-man-middle-attacks
Let's hope client ends are updated too.
Ah a dedicated thread is needed https://community.centminmod.com/threads/what-sftp-ftp-and-ssh-client-apps-do-you-use.390/
@RoldanLT, you might get this error because your terminal does not properly support wildcards?

Code:
    Error: Package: 1:openssl-devel-1.0.1g-2.el6.x86_64 (@axivo)
               Requires: openssl-libs = 1:1.0.1g-2.el6

This error is pushed because yum did not see openssl-libs will also be upgraded. No idea why, I never saw this... and I've seen a lot related to Linux. My belief is because people enable many repositories by default, instead of keeping online only the official ones.
@Floren actually the cause is the opposite: it's following the proper guidelines set out by CentOS for managing multiple external YUM repositories via YUM priorities that is causing the problem. Each external YUM repository in Centmin Mod is set up with proper YUM priority levels to ensure they do not conflict with the base packages. The error is due to the fact that the AXIVO YUM repo has a priority=13, so it isn't able to override the CentOS base packages in terms of priority, which is the aim of using YUM priorities. Guess this just works against usage cases such as this, where you do want to override CentOS base package priority.

For example, doing a YUM list for openssl* with YUM priorities enabled by default will show the AXIVO provided openssl and openssl-devel missing from the listing:

Code:
    yum --enablerepo=axivo list openssl* -q
    Installed Packages
    openssl.x86_64           1.0.1e-16.el6_5.14    @updates
    openssl-devel.x86_64     1.0.1e-16.el6_5.14    @updates
    Available Packages
    openssl-libs.x86_64      1:1.0.1h-1.el6        axivo
    openssl-perl.x86_64      1.0.1e-16.el6_5.14    updates
    openssl-static.x86_64    1.0.1e-16.el6_5.14    updates
    openssl098e.x86_64       0.9.8e-18.el6_5.2     updates

With the YUM priorities plugin disabled, it will correctly show the AXIVO provided openssl and openssl-devel packages.

So if you want to use a 3rd party YUM repository to override CentOS base packages, this is the command you'd need to use with AXIVO, appending --disableplugin=priorities to the end:

Code:
    yum --enablerepo=axivo list openssl* --disableplugin=priorities -q
    Installed Packages
    openssl.x86_64           1.0.1e-16.el6_5.14    @updates
    openssl-devel.x86_64     1.0.1e-16.el6_5.14    @updates
    Available Packages
    openssl.x86_64           1:1.0.1h-1.el6        axivo
    openssl-devel.x86_64     1:1.0.1h-1.el6        axivo
    openssl-libs.x86_64      1:1.0.1h-1.el6        axivo
    openssl-perl.x86_64      1:1.0.1h-1.el6        axivo
    openssl-static.x86_64    1:1.0.1h-1.el6        axivo
    openssl098e.x86_64       0.9.8e-18.el6_5.2     updates

Actual update, appending --disableplugin=priorities:

Code:
    yum --enablerepo=axivo update openssl* --disableplugin=priorities
    Loaded plugins: downloadonly, fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirrors.kernel.org
     * epel: mirrors.kernel.org
     * extras: mirrors.kernel.org
     * rpmforge: repoforge.eecs.wsu.edu
     * updates: mirrors.kernel.org
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssl.x86_64 0:1.0.1e-16.el6_5.14 will be obsoleted
    --> Processing Dependency: openssl for package: 2:postfix-2.6.6-6.el6_5.x86_64
    ---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.14 will be updated
    ---> Package openssl-devel.x86_64 1:1.0.1h-1.el6 will be an update
    ---> Package openssl-libs.x86_64 1:1.0.1h-1.el6 will be obsoleting
    --> Running transaction check
    ---> Package postfix.x86_64 2:2.6.6-6.el6_5 will be updated
    --> Processing Dependency: postfix = 2:2.6.6-6.el6_5 for package: 2:postfix-perl-scripts-2.6.6-6.el6_5.x86_64
    ---> Package postfix.x86_64 2:2.11.1-1.el6 will be an update
    --> Processing Dependency: libpq.so.5()(64bit) for package: 2:postfix-2.11.1-1.el6.x86_64
    --> Processing Dependency: libpcre.so.1()(64bit) for package: 2:postfix-2.11.1-1.el6.x86_64
    --> Running transaction check
    ---> Package pcre.x86_64 0:7.8-6.el6 will be updated
    --> Processing Dependency: libpcre.so.0()(64bit) for package: pcre-devel-7.8-6.el6.x86_64
    --> Processing Dependency: libpcre.so.0()(64bit) for package: grep-2.6.3-4.el6_5.1.x86_64
    --> Processing Dependency: libpcre.so.0()(64bit) for package: less-436-10.el6.x86_64
    --> Processing Dependency: libpcre.so.0()(64bit) for package: httpd-2.2.15-30.el6.centos.x86_64
    --> Processing Dependency: libpcre.so.0()(64bit) for package: httpd-tools-2.2.15-30.el6.centos.x86_64
    --> Processing Dependency: pcre = 7.8-6.el6 for package: pcre-devel-7.8-6.el6.x86_64
    ---> Package pcre.x86_64 0:8.35-1.el6 will be an update
    ---> Package postfix-perl-scripts.x86_64 2:2.6.6-6.el6_5 will be updated
    ---> Package postfix-perl-scripts.x86_64 2:2.11.1-1.el6 will be an update
    ---> Package postgresql-libs.x86_64 0:8.4.20-1.el6_5 will be installed
    --> Running transaction check
    ---> Package libpcre.x86_64 0:8.21-1.el6 will be installed
    ---> Package pcre-devel.x86_64 0:7.8-6.el6 will be updated
    ---> Package pcre-devel.x86_64 0:8.35-1.el6 will be an update
    --> Finished Dependency Resolution
    Dependencies Resolved
    ==============================================================================================================================================================
     Package                 Arch      Version            Repository   Size
    ==============================================================================================================================================================
    Installing:
     openssl-libs            x86_64    1:1.0.1h-1.el6     axivo        3.3 M
         replacing openssl.x86_64 1.0.1e-16.el6_5.14
    Updating:
     openssl-devel           x86_64    1:1.0.1h-1.el6     axivo        1.2 M
    Installing for dependencies:
     libpcre                 x86_64    8.21-1.el6         axivo        443 k
     postgresql-libs         x86_64    8.4.20-1.el6_5     updates      201 k
    Updating for dependencies:
     pcre                    x86_64    8.35-1.el6         axivo        1.4 M
     pcre-devel              x86_64    8.35-1.el6         axivo        218 k
     postfix                 x86_64    2:2.11.1-1.el6     axivo        5.7 M
     postfix-perl-scripts    x86_64    2:2.11.1-1.el6     axivo        46 k
    Transaction Summary
    ==============================================================================================================================================================
    Install 3 Package(s)
    Upgrade 5 Package(s)
    Total download size: 13 M
    Is this ok [y/N]: y
    Downloading Packages:
    (1/8): libpcre-8.21-1.el6.x86_64.rpm                   | 443 kB 00:00
    (2/8): openssl-devel-1.0.1h-1.el6.x86_64.rpm           | 1.2 MB 00:00
    (3/8): openssl-libs-1.0.1h-1.el6.x86_64.rpm            | 3.3 MB 00:00
    (4/8): pcre-8.35-1.el6.x86_64.rpm                      | 1.4 MB 00:00
    (5/8): pcre-devel-8.35-1.el6.x86_64.rpm                | 218 kB 00:00
    (6/8): postfix-2.11.1-1.el6.x86_64.rpm                 | 5.7 MB 00:01
    (7/8): postfix-perl-scripts-2.11.1-1.el6.x86_64.rpm    | 46 kB 00:00
    (8/8): postgresql-libs-8.4.20-1.el6_5.x86_64.rpm       | 201 kB 00:00
    --------------------------------------------------------------------------------------------------------------------------------------------------------------
    Total 2.4 MB/s | 13 MB 00:05
    warning: rpmts_HdrFromFdno: Header V4 DSA/SHA1 Signature, key ID 64806737: NOKEY
    Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AXIVO
    Importing GPG key 0x64806737:
     Userid : Axivo Inc. (axivo) <info@axivo.com>
     Package: axivo-release-6-1.noarch (installed)
     From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-AXIVO
    Is this ok [y/N]: y
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : 1:openssl-libs-1.0.1h-1.el6.x86_64             1/14
      Updating   : pcre-8.35-1.el6.x86_64                         2/14
      Installing : postgresql-libs-8.4.20-1.el6_5.x86_64          3/14
      Updating   : 2:postfix-2.11.1-1.el6.x86_64                  4/14
    warning: /etc/postfix/main.cf created as /etc/postfix/main.cf.rpmnew
      Updating   : 2:postfix-perl-scripts-2.11.1-1.el6.x86_64     5/14
      Updating   : pcre-devel-8.35-1.el6.x86_64                   6/14
      Updating   : 1:openssl-devel-1.0.1h-1.el6.x86_64            7/14
      Installing : libpcre-8.21-1.el6.x86_64                      8/14
      Cleanup    : 2:postfix-perl-scripts-2.6.6-6.el6_5.x86_64    9/14
      Cleanup    : pcre-devel-7.8-6.el6.x86_64                    10/14
      Cleanup    : openssl-devel-1.0.1e-16.el6_5.14.x86_64        11/14
      Cleanup    : 2:postfix-2.6.6-6.el6_5.x86_64                 12/14
      Erasing    : openssl-1.0.1e-16.el6_5.14.x86_64              13/14
      Cleanup    : pcre-7.8-6.el6.x86_64                          14/14
      Verifying  : postgresql-libs-8.4.20-1.el6_5.x86_64          1/14
      Verifying  : 1:openssl-devel-1.0.1h-1.el6.x86_64            2/14
      Verifying  : libpcre-8.21-1.el6.x86_64                      3/14
      Verifying  : pcre-8.35-1.el6.x86_64                         4/14
      Verifying  : pcre-devel-8.35-1.el6.x86_64                   5/14
      Verifying  : 2:postfix-perl-scripts-2.11.1-1.el6.x86_64     6/14
      Verifying  : 1:openssl-libs-1.0.1h-1.el6.x86_64             7/14
      Verifying  : 2:postfix-2.11.1-1.el6.x86_64                  8/14
      Verifying  : 2:postfix-perl-scripts-2.6.6-6.el6_5.x86_64    9/14
      Verifying  : pcre-devel-7.8-6.el6.x86_64                    10/14
      Verifying  : 2:postfix-2.6.6-6.el6_5.x86_64                 11/14
      Verifying  : openssl-1.0.1e-16.el6_5.14.x86_64              12/14
      Verifying  : pcre-7.8-6.el6.x86_64                          13/14
      Verifying  : openssl-devel-1.0.1e-16.el6_5.14.x86_64        14/14
    Installed:
      openssl-libs.x86_64 1:1.0.1h-1.el6
    Dependency Installed:
      libpcre.x86_64 0:8.21-1.el6
      postgresql-libs.x86_64 0:8.4.20-1.el6_5
    Updated:
      openssl-devel.x86_64 1:1.0.1h-1.el6
    Dependency Updated:
      pcre.x86_64 0:8.35-1.el6
      pcre-devel.x86_64 0:8.35-1.el6
      postfix.x86_64 2:2.11.1-1.el6
      postfix-perl-scripts.x86_64 2:2.11.1-1.el6
    Replaced:
      openssl.x86_64 0:1.0.1e-16.el6_5.14
    Complete!
Thanks a lot @eva2000 for the explanation, I never installed the yum-plugin-priorities package on any server, based on the CentOS recommendation. Check the Cautionary Note at the bottom of the page. At least I know now where the error is coming from. Are you using it now in your Centminmod scripts? You should disable this functionality by default.
Yeah if other CentOS users follow the proper guidelines and set 3rd party YUM repositories priority levels, then Axivo repo would encounter similar problems. They'd need --disableplugin=priorities appended to the instructed Axivo YUM commands to get round that. Can't have 3rd party YUM repos in Centmin Mod overriding base packages that easily
I'm going to add this into my tutorials, I really thought everyone follows the proper standards... Which explains why I NEVER encountered this issue before, I was breaking my head on this issue.
Yes I still prefer to use YUM priorities due to the number of 3rd party YUM repos Centmin Mod installs from official Varnish Cache, Percona, rpmforge, EPEL and now Axivo. It provides an ensured way of protecting CentOS base packages from unintended conflict and is easy to work around if you do indeed intend to override a CentOS base package - just use --disableplugin=priorities appended to the end of the YUM command.

The alternative listed in the cautionary note would be fine if you knew exactly ALL 3rd party YUM packages for each and every 3rd party YUM repo off the top of your head beforehand and added an exclude entry in their respective YUM config files to anticipate that. It would be a lot harder and more complex to do for many 3rd party YUM repos.

And what if in future I add even more 3rd party YUM repos, how do I automate adjusting all the exclude lines in ALL 3rd party YUM repos for all Centmin Mod users out there? As I am not working on a single standalone system but an automated script with 1000s of existing Centmin Mod users.
Update posted, this should avoid any further confusion. Personally I think priorities creates mess in organizing the repo structure. What if some guy decides to release a repo and sets the priority 1? I still believe the PROPER way is to disable the extra repositories by default.
Well you'd have the same problem if someone (less knowledgeable or even experienced folks) makes a typo in a YUM conf and excludes unintended YUM packages from the repository and/or leaves out an exclude entry for a package and still ends up with the same mess. There's a higher probability that someone makes a typo in an exclude line and/or leaves out an exclude entry than a YUM repo maintainer, with all his knowledge, adding priority=1 to his config file.

It's just a personal preference as to which mess I can live with while working on Centmin Mod automation and management of 3rd party YUM repos.
@eva2000, check this post. Register on my forums, let's look into this issue together... do you have an Amazon virtual server handy to work on? They are forcing deps on yum-plugin-priorities???
Code:
    yum --enablerepo=axivo update openssl* --disableplugin=priorities
    Loaded plugins: downloadonly, fastestmirror
    Loading mirror speeds from cached hostfile
     * base: centos.marz.ca
     * epel: mirrors.einstein.yu.edu
     * extras: centos.bhs.mirrors.ovh.net
     * rpmforge: repoforge.mirror.constant.com
     * updates: centos.mirrors.atwab.net
    Setting up Update Process
    No Packages marked for Update

Code:
    # yum list openssl*
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
     * base: centos.marz.ca
     * epel: mirrors.einstein.yu.edu
     * extras: centos.bhs.mirrors.ovh.net
     * rpmforge: repoforge.mirror.constant.com
     * updates: centos.mirrors.atwab.net
    1560 packages excluded due to repository priority protections
    Installed Packages
    openssl-devel.x86_64     1:1.0.1h-1.el6        @axivo
    openssl-libs.x86_64      1:1.0.1h-1.el6        @axivo
    Available Packages
    openssl.x86_64           1.0.1e-16.el6_5.14    updates
    openssl-perl.x86_64      1.0.1e-16.el6_5.14    updates
    openssl-static.x86_64    1.0.1e-16.el6_5.14    updates
    openssl098e.x86_64       0.9.8e-18.el6_5.2     updates

Code:
    # yum list openssl
    Loaded plugins: downloadonly, fastestmirror, priorities
    Loading mirror speeds from cached hostfile
     * base: centos.marz.ca
     * epel: mirrors.einstein.yu.edu
     * extras: centos.bhs.mirrors.ovh.net
     * rpmforge: repoforge.mirror.constant.com
     * updates: centos.mirrors.atwab.net
    1560 packages excluded due to repository priority protections
    Available Packages
    openssl.x86_64           1.0.1e-16.el6_5.14    updates

How can I update this openssl.x86_64 1.0.1e-16.el6_5.14 to axivo's repo?
Wait, looks like my openssl was gone

Code:
    # openssl version
    -bash: openssl: command not found

I just follow this resource: https://www.axivo.com/resources/openssl-setup.2/
This is fine right? Install from Axivo.

Code:
    # yum --enablerepo=axivo install openssl --disableplugin=priorities
    Loaded plugins: downloadonly, fastestmirror
    Loading mirror speeds from cached hostfile
    epel/metalink          | 12 kB 00:00
     * base: www.cubiculestudio.com
     * epel: mirror.symnds.com
     * extras: centos.bhs.mirrors.ovh.net
     * rpmforge: repoforge.mirror.constant.com
     * updates: centos.bhs.mirrors.ovh.net
    base                   | 3.7 kB 00:00
    base/primary_db        | 4.4 MB 00:00
    epel                   | 4.4 kB 00:00
    epel/primary_db        | 6.2 MB 00:00
    extras                 | 3.4 kB 00:00
    extras/primary_db      | 19 kB 00:00
    mariadb                | 1.9 kB 00:00
    mariadb/primary_db     | 18 kB 00:00
    rpmforge               | 1.9 kB 00:00
    rpmforge/primary_db    | 2.7 MB 00:00
    updates                | 3.4 kB 00:00
    updates/primary_db     | 3.7 MB 00:00
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssl.x86_64 1:1.0.1h-1.el6 will be installed
    --> Finished Dependency Resolution
    Dependencies Resolved
    =========================================================================================================
     Package     Arch      Version           Repository   Size
    =========================================================================================================
    Installing:
     openssl     x86_64    1:1.0.1h-1.el6    axivo        645 k
    Transaction Summary
    =========================================================================================================
    Install 1 Package(s)
    Total download size: 645 k
    Installed size: 1.3 M
    Is this ok [y/N]:
yeah or the latest yum command example at https://community.centminmod.com/threads/openssl-security-advisory.295/page-2#post-2386
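
A post-update consistency check for the state reported in this thread, where `yum update openssl*` left openssl-devel and openssl-libs installed from axivo but `openssl version` returned "command not found". This is an added example, not code from the thread, Centmin Mod or Axivo; the function name `check_openssl_family` and the three sample listings are constructed for illustration, modelled on the listings quoted above.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): flag a half-finished openssl upgrade
# from `yum list 'openssl*'` style output.

# Constructed samples, modelled on the listings quoted in the thread.
SAMPLE_COMPLETE='Installed Packages
openssl.x86_64        1:1.0.1h-1.el6  @axivo
openssl-devel.x86_64  1:1.0.1h-1.el6  @axivo
openssl-libs.x86_64   1:1.0.1h-1.el6  @axivo'

SAMPLE_NO_CLI='Installed Packages
openssl-devel.x86_64  1:1.0.1h-1.el6      @axivo
openssl-libs.x86_64   1:1.0.1h-1.el6      @axivo
Available Packages
openssl.x86_64        1.0.1e-16.el6_5.14  updates
openssl098e.x86_64    0.9.8e-18.el6_5.2   updates'

SAMPLE_MIXED='Installed Packages
openssl.x86_64        1:1.0.1h-1.el6      @axivo
openssl-devel.x86_64  1.0.1e-16.el6_5.14  @updates
openssl-libs.x86_64   1:1.0.1h-1.el6      @axivo'

# Reads a listing on stdin. Installed rows carry an "@repo" third column;
# "Available" rows do not and are ignored. openssl098e is a separate
# compatibility package and is deliberately not matched by the pattern.
# Prints one status line; returns 0 when consistent, 1 otherwise.
check_openssl_family() {
  awk '
    $1 ~ /^openssl(-[a-z]+)?\./ && $3 ~ /^@/ {
      split($1, part, "."); seen[part[1]] = 1
      if (!($2 in ver))  { ver[$2] = 1;  nver++ }
      if (!($3 in repo)) { repo[$3] = 1; nrepo++ }
    }
    END {
      if (!("openssl" in seen)) { print "MISSING: openssl package (no CLI binary)"; exit 1 }
      if (nver > 1 || nrepo > 1) { print "MIXED: " nver " versions from " nrepo " repos"; exit 1 }
      print "OK: openssl family consistent"
    }'
}

# On a live host: yum list 'openssl*' -q | check_openssl_family
for s in "$SAMPLE_COMPLETE" "$SAMPLE_NO_CLI" "$SAMPLE_MIXED"; do
  printf '%s\n' "$s" | check_openssl_family || true
done
```

A MISSING or MIXED result after an update means the openssl family is only partly upgraded; the thread's resolution for the missing case was installing openssl from axivo with --disableplugin=priorities.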