CentOS 7.x Rolling back Axivo installed OpenSSL 1.0.2a

Sunka · Mar 3, 2016

@eva2000 my nginx - V show that is compiled with open SSL 1.0.2f

Code:

[root@tvor-ocean ~]# nginx -V
nginx version: nginx/1.9.12
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.0.2f  28 Jan 2016

When try to yum update. there is no update for open ssl 1.0.2g
Also, when run command openssl version it shows:

Code:

[root@tvor-ocean ~]# openssl version
OpenSSL 1.0.2a-fips 19 Mar 2015

And this:

Code:

[root@tvor-ocean ~]# rpm -qa | grep openssl
openssl-libs-1.0.2a-2.el7.x86_64
openssl-1.0.2a-2.el7.x86_64
openssl-devel-1.0.2a-2.el7.x86_64

Code:

[root@tvor-ocean ~]# yum info openssl
Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
* base: mirror2.hs-esslingen.de
* epel: mirror.23media.de
* extras: mirror2.hs-esslingen.de
* remi-safe: remi.schlundtech.de
* rpmforge: mirror.de.leaseweb.net
* updates: mirror.imt-systems.com
235 packages excluded due to repository priority protections
Installed Packages
Name        : openssl
Arch        : x86_64
Epoch       : 1
Version     : 1.0.2a
Release     : 2.el7
Size        : 1.3 M
Repo        : installed
From repo   : axivo
Summary     : General purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.

So, how to update ssl first so that I can update/recompile nginx with open ssl 1.0.2g?

eva2000 · Mar 3, 2016

Sunka said: ↑

my nginx - V show that is compiled with open SSL 1.0.2f
Click to expand...

could be same issue @ModeltogTossen ran into at Centmin Mod 123.09beta - Nginx + openssl 1.0.2g update issues | Centmin Mod Community

Sunka said: ↑

Also, when run command openssl version it shows:
Click to expand...

woah how did you get openssl 1.02a ? oh i see you had axivo repo installed that is nasty as it's outdated and with security flaws now.. @Matt had alot of issues removing it from CentOS systems after it was installed

I'll have to update Centmin Mod to disable Axivo repo from already installed systems. For now, I'd have investigate how to properly remove Axivo Openssl 1.0.2a so it doesn't break your system. Axivo is a repo created by Floren which is no longer updated Axivo - Axivo Yum Repo Updates | Centmin Mod Community

Sunka · Mar 3, 2016

eva2000 said: ↑

I'll have to update Centmin Mod to disable Axivo repo from already installed systems. For now, I'd have investigate how to properly remove Axivo Openssl 1.0.2a so it doesn't break your system.
Click to expand...

Thanks.
Waiting for solution...

Sunka · Mar 3, 2016

@eva2000 maybe this tutorial could help?
https://www.axivo.com/resources/repository-setup.1/update?update=20
If you encounter any conflicts with a specific AXIVO package, please report them so we can address the issues right away. You can easily revert any system update with yum history or yum shell. For example, run the following commands to uninstall AXIVO OpenSSL and install the system release:
Code:
# yum -q list openssl*
Installed Packages
openssl.x86_64                 1:1.0.1i-2.el6               @axivo
openssl-devel.x86_64           1:1.0.1i-2.el6               @axivo
openssl-libs.x86_64            1:1.0.1i-2.el6               @axivo
# yum shell
> remove openssl openssl-devel openssl-libs
> install openssl openssl-devel
> transaction solve
> transaction run
> quit
Click to expand...

eva2000 · Mar 3, 2016

it won't work for the reverse of removing axivo openssl as i will complain of required dependencies

can you post the output for these commands

Code (Text):

yum history

then on far left column you see transaction ids for yum, post the output of the very last 2 id numbers replacing them from command below where XX is the id

Code (Text):

yum history info XX

If you're lucky enough to have done yum update on just Axivo's openssl, you can use yum history to undo and rollback easily. If it's more than just openssl packages that got updated, it will rollback all packages. Not that big a deal as after Axivo openssl and yum repo removed, you can just do another yum update to bring system back up to date.

for example if axivo installed and it's in yum transaction id 8

Code (Text):

yum history
Loaded plugins: fastestmirror
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
     8 | root <root>              | 2016-03-03 11:57 | Update         |    2
     7 | root <root>              | 2016-03-03 11:50 | Install        |    1
     6 | root <root>              | 2016-03-03 11:49 | Erase          |    1
     5 | root <root>              | 2016-03-03 11:48 | Install        |    1
     4 | root <root>              | 2016-03-03 11:43 | I, U           |   40
     3 | root <root>              | 2016-01-15 18:46 | I, U           |   17
     2 | root <root>              | 2015-12-22 02:59 | I, O, U        |  262 EE
     1 | System <unset>           | 2014-07-08 13:28 | Install        |  401
history list

info shows yes this is yum transaction that updated to axivo openssl 1.0.2a packages

Code (Text):

yum history info 8
Loaded plugins: fastestmirror
Transaction ID : 8
Begin time     : Thu Mar  3 11:57:33 2016
Begin rpmdb    : 420:158003b4b8673f8d54db00cc59b661119f6bbb60
End time       :            11:57:34 2016 (1 seconds)
End rpmdb      : 420:37dcf64f2569b7a1603058847bbd1fe64ca87f71
User           : root <root>
Return-Code    : Success
Command Line   : --enablerepo=axivo update openssl*
Transaction performed with:
    Installed     rpm-4.11.3-17.el7.x86_64                      @base
    Installed     yum-3.4.3-132.el7.centos.0.1.noarch           @base
    Installed     yum-plugin-fastestmirror-1.1.31-34.el7.noarch @base
Packages Altered:
    Updated openssl-1:1.0.1e-51.el7_2.4.x86_64      @updates
    Update          1:1.0.2a-2.el7.x86_64           @axivo
    Updated openssl-libs-1:1.0.1e-51.el7_2.4.x86_64 @updates
    Update               1:1.0.2a-2.el7.x86_64      @axivo
history info

I can then undo and rollback that transaction

Code (Text):

yum history undo 8

Code (Text):

yum history undo 8
Loaded plugins: fastestmirror
Undoing transaction 8, from Thu Mar  3 11:57:33 2016
    Updated openssl-1:1.0.1e-51.el7_2.4.x86_64      @updates
    Update          1:1.0.2a-2.el7.x86_64           @axivo
    Updated openssl-libs-1:1.0.1e-51.el7_2.4.x86_64 @updates
    Update               1:1.0.2a-2.el7.x86_64      @axivo

Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-51.el7_2.4 will be a downgrade
---> Package openssl.x86_64 1:1.0.2a-2.el7 will be erased
---> Package openssl-libs.x86_64 1:1.0.1e-51.el7_2.4 will be a downgrade
---> Package openssl-libs.x86_64 1:1.0.2a-2.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================================================================================================================================
Package                                                      Arch                                                   Version                                                                Repository                                               Size
==========================================================================================================================================================================================================================================================
Downgrading:
openssl                                                      x86_64                                                 1:1.0.1e-51.el7_2.4                                                    updates                                                 711 k
openssl-libs                                                 x86_64                                                 1:1.0.1e-51.el7_2.4                                                    updates                                                 951 k

Transaction Summary
==========================================================================================================================================================================================================================================================
Downgrade  2 Packages

Total download size: 1.6 M
Is this ok [y/d/N]: y
Downloading packages:
(1/2): openssl-1.0.1e-51.el7_2.4.x86_64.rpm                                                                                                                                                                                        | 711 kB  00:00:00  
(2/2): openssl-libs-1.0.1e-51.el7_2.4.x86_64.rpm                                                                                                                                                                                   | 951 kB  00:00:00  
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                     2.2 MB/s | 1.6 MB  00:00:00  
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 1:eek:penssl-libs-1.0.1e-51.el7_2.4.x86_64                                                                                                                                                                                                1/4
  Installing : 1:eek:penssl-1.0.1e-51.el7_2.4.x86_64                                                                                                                                                                                                     2/4
  Cleanup    : 1:eek:penssl-1.0.2a-2.el7.x86_64                                                                                                                                                                                                          3/4
  Cleanup    : 1:eek:penssl-libs-1.0.2a-2.el7.x86_64                                                                                                                                                                                                     4/4
  Verifying  : 1:eek:penssl-libs-1.0.1e-51.el7_2.4.x86_64                                                                                                                                                                                                1/4
  Verifying  : 1:eek:penssl-1.0.1e-51.el7_2.4.x86_64                                                                                                                                                                                                     2/4
  Verifying  : 1:eek:penssl-libs-1.0.2a-2.el7.x86_64                                                                                                                                                                                                     3/4
  Verifying  : 1:eek:penssl-1.0.2a-2.el7.x86_64                                                                                                                                                                                                          4/4

Removed:
  openssl.x86_64 1:1.0.2a-2.el7             openssl-libs.x86_64 1:1.0.2a-2.el7                                                                                         

Installed:
  openssl.x86_64 1:1.0.1e-51.el7_2.4        openssl-libs.x86_64 1:1.0.1e-51.el7_2.4                                                                                    

Complete!

Check openssl version

Code (Text):

openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Then remove axivo YUM repo

Code (Text):

yum -y remove axivo-release

Sunka · Mar 3, 2016

Code:

[root@tvor-ocean ~]# yum history
Loaded plugins: fastestmirror, priorities
ID     | Command line             | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    83 | -y update --disableplugi | 2016-03-03 01:06 | Update         |    7 
    82 | update                   | 2016-02-29 02:17 | I, U           |    4 
    81 | update                   | 2016-02-25 23:59 | Update         |    6 
    80 | -y update --disableplugi | 2016-02-22 22:00 | Update         |    5 
    79 | update                   | 2016-02-17 17:14 | E, I, U        |   41 EE
    78 | update --disableplugin=p | 2016-02-16 10:19 | I, U           |   14 EE
    77 | -y -q install figlet     | 2016-02-12 14:55 | Install        |    1 
    76 | update redis --enablerep | 2016-02-10 22:09 | Update         |    1 
    75 | -y update ImageMagick-la | 2016-02-09 17:11 | Update         |    5 
    74 | update                   | 2016-02-09 17:06 | Update         |    2 
    73 | -q -y install fio        | 2016-02-06 00:42 | Install        |    5 
    72 | update                   | 2016-02-05 22:44 | Update         |    1 EE
    71 | update -y                | 2016-01-29 22:41 | Update         |    6  <
    70 | -y install libmetalink l | 2016-01-28 10:28 | Install        |    6 >
    69 | update                   | 2016-01-28 10:15 | Update         |    4 
    68 | update                   | 2016-01-26 19:56 | E, I, U        |    9 EE
    67 | -q -y remove axel        | 2016-01-25 15:36 | Erase          |    1 
    66 | update redis --enablerep | 2016-01-25 15:31 | Update         |    1 
    65 | -y update ImageMagick-la | 2016-01-25 15:19 | Update         |    5 
    64 | update                   | 2016-01-25 10:16 | Update         |    1 
history list

How to list all history?

eva2000 · Mar 3, 2016

Sunka said: ↑

How to list all history?
Click to expand...

you don't need to latest yum transactions are at top as it's listed in descending date order

but if you want to list all
Code (Text):
yum history list all
so id 83 seems to be one i want output for as axivo installed by Centmin Mod has yumpriorities setup so only way axivo would be able to install it's openssl version is if you ran yum update with --disableplugin=priorities
Code (Text):
yum history info 83

Sunka · Mar 3, 2016

I think not, it is for imagemagic remi (updated few hours ago)
Axivo openssl was I think before 2-3 months, so need to grep somehow axivo openssl

Code:

[root@tvor-ocean ~]# yum history info 83
Loaded plugins: fastestmirror, priorities
Transaction ID : 83
Begin time     : Thu Mar  3 01:06:18 2016
Begin rpmdb    : 764:82a50334e787904fa315763d28b3ce6ec2f92181
End time       :            01:06:23 2016 (5 seconds)
End rpmdb      : 764:6140c845a7369e92ef2b0e4b1e900dcba63d804f
User           : root <root>
Return-Code    : Success
Command Line   : -y update --disableplugin=priorities --enablerepo=remi
Transaction performed with:
    Installed     rpm-4.11.3-17.el7.x86_64                      @base
    Installed     yum-3.4.3-132.el7.centos.0.1.noarch           @base
    Installed     yum-plugin-fastestmirror-1.1.31-34.el7.noarch @base
Packages Altered:
    Updated ImageMagick-last-6.9.3.5-1.el7.remi.x86_64           @remi
    Update                   6.9.3.6-1.el7.remi.x86_64           @remi
    Updated ImageMagick-last-c++-6.9.3.5-1.el7.remi.x86_64       @remi
    Update                       6.9.3.6-1.el7.remi.x86_64       @remi
    Updated ImageMagick-last-c++-devel-6.9.3.5-1.el7.remi.x86_64 @remi
    Update                             6.9.3.6-1.el7.remi.x86_64 @remi
    Updated ImageMagick-last-devel-6.9.3.5-1.el7.remi.x86_64     @remi
    Update                         6.9.3.6-1.el7.remi.x86_64     @remi
    Updated ImageMagick-last-libs-6.9.3.5-1.el7.remi.x86_64      @remi
    Update                        6.9.3.6-1.el7.remi.x86_64      @remi
    Updated galera-25.3.12-1.rhel7.el7.centos.x86_64             @mariadb
    Update         25.3.14-1.rhel7.el7.centos.x86_64             @mariadb
    Updated postgresql-libs-9.2.14-1.el7_1.x86_64                @updates
    Update                  9.2.15-1.el7_2.x86_64                @updates
history info

eva2000 · Mar 3, 2016

From yum history list look at ids 78 and 80 too they also have --disableplugin=priorities in listed command line column

Sunka · Mar 3, 2016

Found how to list all history, but without repos :unsure:

Code:

[root@tvor-ocean ~]# yum history list all
Loaded plugins: fastestmirror, priorities
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    83 | root <root>              | 2016-03-03 01:06 | Update         |    7 
    82 | root <root>              | 2016-02-29 02:17 | I, U           |    4 
    81 | root <root>              | 2016-02-25 23:59 | Update         |    6 
    80 | root <root>              | 2016-02-22 22:00 | Update         |    5 
    79 | root <root>              | 2016-02-17 17:14 | E, I, U        |   41 EE
    78 | root <root>              | 2016-02-16 10:19 | I, U           |   14 EE
    77 | root <root>              | 2016-02-12 14:55 | Install        |    1 
    76 | root <root>              | 2016-02-10 22:09 | Update         |    1 
    75 | root <root>              | 2016-02-09 17:11 | Update         |    5 
    74 | root <root>              | 2016-02-09 17:06 | Update         |    2 
    73 | root <root>              | 2016-02-06 00:42 | Install        |    5 
    72 | root <root>              | 2016-02-05 22:44 | Update         |    1 EE
    71 | root <root>              | 2016-01-29 22:41 | Update         |    6  <
    70 | root <root>              | 2016-01-28 10:28 | Install        |    6 >
    69 | root <root>              | 2016-01-28 10:15 | Update         |    4 
    68 | root <root>              | 2016-01-26 19:56 | E, I, U        |    9 EE
    67 | root <root>              | 2016-01-25 15:36 | Erase          |    1 
    66 | root <root>              | 2016-01-25 15:31 | Update         |    1 
    65 | root <root>              | 2016-01-25 15:19 | Update         |    5 
    64 | root <root>              | 2016-01-25 10:16 | Update         |    1 
    63 | root <root>              | 2016-01-22 10:20 | Update         |    2 EE
    62 | root <root>              | 2016-01-16 09:18 | Update         |    2 
    61 | root <root>              | 2016-01-15 10:04 | Update         |    3 
    60 | root <root>              | 2016-01-11 18:52 | Update         |    1 EE
    59 | root <root>              | 2016-01-08 15:26 | Update         |    4 
    58 | root <root>              | 2016-01-07 09:48 | Install        |    3 
    57 | root <root>              | 2016-01-07 09:42 | E, I, U        |    9 EE
    56 | root <root>              | 2015-12-27 09:29 | Update         |    5 
    55 | root <root>              | 2015-12-26 00:44 | I, U           |    6  <
    54 | root <root>              | 2015-12-21 02:47 | Update         |    1 >E
    53 | root <root>              | 2015-12-17 20:31 | Update         |    1 
    52 | root <root>              | 2015-12-16 23:21 | Update         |    6 
    51 | root <root>              | 2015-12-15 20:40 | E, I, O, U     |  325 EE
    50 | root <root>              | 2015-12-04 20:51 | Update         |    5 
    49 | root <root>              | 2015-12-01 20:44 | Install        |    1 EE
    48 | root <root>              | 2015-12-01 20:43 | Erase          |    1 EE
    47 | root <root>              | 2015-12-01 19:21 | Update         |    1 EE
    46 | root <root>              | 2015-11-28 21:58 | Install        |    4 
    45 | root <root>              | 2015-11-27 03:19 | Install        |    1 EE
    44 | root <root>              | 2015-11-27 03:18 | Install        |   11 
    43 | root <root>              | 2015-11-25 03:41 | Update         |    1 ##
    42 | root <root>              | 2015-11-25 03:35 | I, U           |    8 ##
    41 | root <root>              | 2015-11-25 03:34 | Update         |    5 
    40 | root <root>              | 2015-11-24 23:29 | Update         |    3 
    39 | root <root>              | 2015-11-23 00:32 | Update         |    1 
    38 | root <root>              | 2015-11-11 20:08 | Update         |    5 
    37 | root <root>              | 2015-11-08 23:38 | Install        |   23 
    36 | root <root>              | 2015-11-05 19:52 | Install        |    1 
    35 | root <root>              | 2015-11-04 02:10 | E, I, U        |   15 EE
    34 | root <root>              | 2015-11-02 12:43 | Install        |    3 
    33 | root <root>              | 2015-11-02 00:36 | Install        |    1 
    32 | root <root>              | 2015-10-31 00:31 | Install        |    2  <
    31 | root <root>              | 2015-10-31 00:30 | Install        |    3 >
    30 | root <root>              | 2015-10-31 00:29 | Install        |    2 
    29 | root <root>              | 2015-10-31 00:28 | Install        |    2 
    28 | root <root>              | 2015-10-31 00:27 | Install        |    4 
    27 | root <root>              | 2015-10-31 00:27 | Install        |    1 
    26 | root <root>              | 2015-10-31 00:21 | Install        |    2 
    25 | root <root>              | 2015-10-31 00:21 | Install        |    2 
    24 | root <root>              | 2015-10-31 00:21 | Install        |    2 
    23 | root <root>              | 2015-10-31 00:20 | Install        |    6 E<
    22 | root <root>              | 2015-10-31 00:15 | Install        |    3 >
    21 | root <root>              | 2015-10-31 00:14 | Install        |   18 
    20 | root <root>              | 2015-10-31 00:14 | Erase          |    4 
    19 | root <root>              | 2015-10-31 00:14 | Install        |   12  <
    18 | root <root>              | 2015-10-31 00:13 | Install        |    3 >
    17 | root <root>              | 2015-10-31 00:13 | Install        |    6 
    16 | root <root>              | 2015-10-31 00:13 | Install        |    1 
    15 | root <root>              | 2015-10-31 00:13 | Install        |    2 
    14 | root <root>              | 2015-10-31 00:12 | Install        |   22 
    13 | root <root>              | 2015-10-31 00:12 | Install        |    1 
    12 | root <root>              | 2015-10-31 00:11 | Install        |  262 
    11 | root <root>              | 2015-10-09 16:43 | I, O, U        |  175 EE
    10 | root <root>              | 2015-01-28 17:31 | I, U           |   38 
     9 | root <root>              | 2014-10-21 23:49 | Update         |    7 
     8 | root <root>              | 2014-10-10 00:16 | Update         |    5 
     7 | root <root>              | 2014-10-02 21:18 | Install        |    1 
     6 | root <root>              | 2014-10-02 21:16 | Install        |   27 
     5 | root <root>              | 2014-09-26 18:25 | Update         |   11 
     4 | root <root>              | 2014-09-26 00:03 | I, U           |   57 
     3 | root <root>              | 2014-07-10 23:39 | I, U           |   19 EE
     2 | root <root>              | 2014-07-09 01:42 | Install        |    2 
     1 | System <unset>           | 2014-07-09 01:02 | Install        |  292 
history list

eva2000 · Mar 3, 2016

try this
Code:
yum history list openssl-libs

eva2000 · Mar 3, 2016

Sunka but if it's a yum update done months ago, rolling back could roll back alot of packages too so could be problematic

Sunka · Mar 3, 2016

uh, on 24 november, found it

Code:

[root@tvor-ocean ~]# yum history info 40
Loaded plugins: fastestmirror, priorities
Transaction ID : 40
Begin time     : Tue Nov 24 23:29:20 2015
Begin rpmdb    : 720:5cd87a036df3fb68e7e31131b1f55fe745d279bc
End time       :            23:29:22 2015 (2 seconds)
End rpmdb      : 720:c69d86a8c3c76b25efb8735aabdbbeed7eed8f91
User           : root <root>
Return-Code    : Success
Command Line   : --disablerepo=* --enablerepo=axivo update openssl*
Transaction performed with:
    Updated       rpm-4.11.1-25.el7.x86_64                      @base
    Updated       yum-3.4.3-125.el7.centos.noarch               @base
    Updated       yum-plugin-fastestmirror-1.1.31-29.el7.noarch @base
Packages Altered:
    Updated openssl-1:1.0.1e-42.el7.9.x86_64       @updates
    Update          1:1.0.2a-2.el7.x86_64          @axivo
    Updated openssl-devel-1:1.0.1e-42.el7.9.x86_64 @updates
    Update                1:1.0.2a-2.el7.x86_64    @axivo
    Updated openssl-libs-1:1.0.1e-42.el7.9.x86_64  @updates
    Update               1:1.0.2a-2.el7.x86_64     @axivo
history info

What to do now?

eva2000 · Mar 3, 2016

ah you're lucky it's just standalone openssl and openssl-libs and openssl-devel update so easier to rollback without consequences
Code:
yum history undo 40
yum -y remove axivo-release
yum clean all
yum -y update
these commands should remove axivo openssl package from transaction id 40 and remove axivo-release repo and then update you

Sunka · Mar 3, 2016

I am stuck on first one...
What to answer?

Code:

[root@tvor-ocean ~]# yum history undo 40
Loaded plugins: fastestmirror, priorities
Undoing transaction 40, from Tue Nov 24 23:29:20 2015
    Updated openssl-1:1.0.1e-42.el7.9.x86_64       @updates
    Update          1:1.0.2a-2.el7.x86_64          @axivo
    Updated openssl-devel-1:1.0.1e-42.el7.9.x86_64 @updates
    Update                1:1.0.2a-2.el7.x86_64    @axivo
    Updated openssl-libs-1:1.0.1e-42.el7.9.x86_64  @updates
    Update               1:1.0.2a-2.el7.x86_64     @axivo
Loading mirror speeds from cached hostfile
* base: mirror2.hs-esslingen.de
* epel: mirror.23media.de
* extras: mirror2.hs-esslingen.de
* remi-safe: remi.schlundtech.de
* rpmforge: mirror.de.leaseweb.net
* updates: mirror.imt-systems.com
235 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-42.el7.9 will be a downgrade
---> Package openssl.x86_64 1:1.0.2a-2.el7 will be erased
---> Package openssl-devel.x86_64 1:1.0.1e-42.el7.9 will be a downgrade
---> Package openssl-devel.x86_64 1:1.0.2a-2.el7 will be erased
---> Package openssl-libs.x86_64 1:1.0.1e-42.el7.9 will be a downgrade
---> Package openssl-libs.x86_64 1:1.0.2a-2.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package              Arch          Version                   Repository   Size
================================================================================
Downgrading:
openssl              x86_64        1:1.0.1e-42.el7.9         base        711 k
openssl-devel        x86_64        1:1.0.1e-42.el7.9         base        1.2 M
openssl-libs         x86_64        1:1.0.1e-42.el7.9         base        949 k

Transaction Summary
================================================================================
Downgrade  3 Packages

Total download size: 2.8 M
Is this ok [y/d/N]:

eva2000 · Mar 3, 2016

just answer yes = y

Sunka · Mar 3, 2016

Code:

[root@tvor-ocean ~]# yum history undo 40
Loaded plugins: fastestmirror, priorities
Undoing transaction 40, from Tue Nov 24 23:29:20 2015
    Updated openssl-1:1.0.1e-42.el7.9.x86_64       @updates
    Update          1:1.0.2a-2.el7.x86_64          @axivo
    Updated openssl-devel-1:1.0.1e-42.el7.9.x86_64 @updates
    Update                1:1.0.2a-2.el7.x86_64    @axivo
    Updated openssl-libs-1:1.0.1e-42.el7.9.x86_64  @updates
    Update               1:1.0.2a-2.el7.x86_64     @axivo
Loading mirror speeds from cached hostfile
* base: mirror2.hs-esslingen.de
* epel: mirror.23media.de
* extras: mirror2.hs-esslingen.de
* remi-safe: remi.schlundtech.de
* rpmforge: mirror.de.leaseweb.net
* updates: mirror.imt-systems.com
235 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-42.el7.9 will be a downgrade
---> Package openssl.x86_64 1:1.0.2a-2.el7 will be erased
---> Package openssl-devel.x86_64 1:1.0.1e-42.el7.9 will be a downgrade
---> Package openssl-devel.x86_64 1:1.0.2a-2.el7 will be erased
---> Package openssl-libs.x86_64 1:1.0.1e-42.el7.9 will be a downgrade
---> Package openssl-libs.x86_64 1:1.0.2a-2.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package              Arch          Version                   Repository   Size
================================================================================
Downgrading:
openssl              x86_64        1:1.0.1e-42.el7.9         base        711 k
openssl-devel        x86_64        1:1.0.1e-42.el7.9         base        1.2 M
openssl-libs         x86_64        1:1.0.1e-42.el7.9         base        949 k

Transaction Summary
================================================================================
Downgrade  3 Packages

Total download size: 2.8 M
Is this ok [y/d/N]: y
Downloading packages:
(1/3): openssl-1.0.1e-42.el7.9.x86_64.rpm                  | 711 kB   00:00    
(2/3): openssl-libs-1.0.1e-42.el7.9.x86_64.rpm             | 949 kB   00:00    
(3/3): openssl-devel-1.0.1e-42.el7.9.x86_64.rpm            | 1.2 MB   00:00    
--------------------------------------------------------------------------------
Total                                              6.6 MB/s | 2.8 MB  00:00    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 1:openssl-libs-1.0.1e-42.el7.9.x86_64                        1/6
  Installing : 1:openssl-devel-1.0.1e-42.el7.9.x86_64                       2/6
  Installing : 1:openssl-1.0.1e-42.el7.9.x86_64                             3/6
  Cleanup    : 1:openssl-devel-1.0.2a-2.el7.x86_64                          4/6
  Cleanup    : 1:openssl-1.0.2a-2.el7.x86_64                                5/6
  Cleanup    : 1:openssl-libs-1.0.2a-2.el7.x86_64                           6/6
  Verifying  : 1:openssl-libs-1.0.1e-42.el7.9.x86_64                        1/6
  Verifying  : 1:openssl-devel-1.0.1e-42.el7.9.x86_64                       2/6
  Verifying  : 1:openssl-1.0.1e-42.el7.9.x86_64                             3/6
  Verifying  : 1:openssl-libs-1.0.2a-2.el7.x86_64                           4/6
  Verifying  : 1:openssl-devel-1.0.2a-2.el7.x86_64                          5/6
  Verifying  : 1:openssl-1.0.2a-2.el7.x86_64                                6/6

Removed:
  openssl.x86_64 1:1.0.2a-2.el7          openssl-devel.x86_64 1:1.0.2a-2.el7   
  openssl-libs.x86_64 1:1.0.2a-2.el7   

Installed:
  openssl.x86_64 1:1.0.1e-42.el7.9       openssl-devel.x86_64 1:1.0.1e-42.el7.9
  openssl-libs.x86_64 1:1.0.1e-42.el7.9

Complete!
You have new mail in /var/spool/mail/root
[root@tvor-ocean ~]# yum -y remove axivo-release
Loaded plugins: fastestmirror, priorities
Resolving Dependencies
--> Running transaction check
---> Package axivo-release.noarch 0:7-1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package                Arch            Version        Repository          Size
================================================================================
Removing:
axivo-release          noarch          7-1            installed           37 k

Transaction Summary
================================================================================
Remove  1 Package

Installed size: 37 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : axivo-release-7-1.noarch                                     1/1
warning: /etc/yum.repos.d/axivo.repo saved as /etc/yum.repos.d/axivo.repo.rpmsave
  Verifying  : axivo-release-7-1.noarch                                     1/1

Removed:
  axivo-release.noarch 0:7-1                                                   

Complete!
[root@tvor-ocean ~]# yum clean all
Loaded plugins: fastestmirror, priorities
Cleaning repos: base elasticsearch-2.x epel extras mariadb remi-safe rpmforge
              : updates
Cleaning up everything
Cleaning up list of fastest mirrors
[root@tvor-ocean ~]# yum -y update
Loaded plugins: fastestmirror, priorities
base                                                     | 3.6 kB     00:00    
elasticsearch-2.x                                        | 2.9 kB     00:00    
epel/x86_64/metalink                                     |  22 kB     00:00    
epel                                                     | 4.3 kB     00:00    
extras                                                   | 3.4 kB     00:00    
mariadb                                                  | 2.9 kB     00:00    
remi-safe                                                | 2.9 kB     00:00    
rpmforge                                                 | 1.9 kB     00:00    
updates                                                  | 3.4 kB     00:00    
(1/10): base/7/x86_64/group_gz                             | 155 kB   00:00    
(2/10): epel/x86_64/group_gz                               | 169 kB   00:00    
(3/10): epel/x86_64/updateinfo                             | 503 kB   00:00    
(4/10): extras/7/x86_64/primary_db                         | 101 kB   00:00    
(5/10): elasticsearch-2.x/primary_db                       | 4.4 kB   00:00    
(6/10): base/7/x86_64/primary_db                           | 5.3 MB   00:00    
(7/10): mariadb/primary_db                                 |  18 kB   00:00    
(8/10): remi-safe/primary_db                               | 358 kB   00:00    
(9/10): epel/x86_64/primary_db                             | 3.9 MB   00:00    
(10/10): updates/7/x86_64/primary_db                       | 3.1 MB   00:00    
rpmforge/primary_db                                        | 125 kB   00:00    
Determining fastest mirrors
* base: ftp.plusline.de
* epel: mirror.23media.de
* extras: mirror.de.leaseweb.net
* remi-safe: remi.schlundtech.de
* rpmforge: mirror.de.leaseweb.net
* updates: ftp.plusline.de
235 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-42.el7.9 will be updated
---> Package openssl.x86_64 1:1.0.1e-51.el7_2.4 will be an update
---> Package openssl-devel.x86_64 1:1.0.1e-42.el7.9 will be updated
---> Package openssl-devel.x86_64 1:1.0.1e-51.el7_2.4 will be an update
---> Package openssl-libs.x86_64 1:1.0.1e-42.el7.9 will be updated
---> Package openssl-libs.x86_64 1:1.0.1e-51.el7_2.4 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package             Arch         Version                   Repository     Size
================================================================================
Updating:
openssl             x86_64       1:1.0.1e-51.el7_2.4       updates       711 k
openssl-devel       x86_64       1:1.0.1e-51.el7_2.4       updates       1.2 M
openssl-libs        x86_64       1:1.0.1e-51.el7_2.4       updates       951 k

Transaction Summary
================================================================================
Upgrade  3 Packages

Total download size: 2.8 M
Downloading packages:
updates/7/x86_64/prestodelta                               | 248 kB   00:00    
Delta RPMs reduced 2.8 M of updates to 797 k (72% saved)
(1/3): openssl-devel-1.0.1e-42.el7.9_1.0.1e-51.el7_2.4.x86 | 267 kB   00:00    
(2/3): openssl-libs-1.0.1e-42.el7.9_1.0.1e-51.el7_2.4.x86_ | 180 kB   00:00    
(3/3): openssl-1.0.1e-42.el7.9_1.0.1e-51.el7_2.4.x86_64.dr | 350 kB   00:00    
Finishing delta rebuilds of 3 package(s) (2.8 M)
--------------------------------------------------------------------------------
Total                                              457 kB/s | 797 kB  00:01    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : 1:openssl-libs-1.0.1e-51.el7_2.4.x86_64                      1/6
  Updating   : 1:openssl-devel-1.0.1e-51.el7_2.4.x86_64                     2/6
  Updating   : 1:openssl-1.0.1e-51.el7_2.4.x86_64                           3/6
  Cleanup    : 1:openssl-devel-1.0.1e-42.el7.9.x86_64                       4/6
  Cleanup    : 1:openssl-1.0.1e-42.el7.9.x86_64                             5/6
  Cleanup    : 1:openssl-libs-1.0.1e-42.el7.9.x86_64                        6/6
  Verifying  : 1:openssl-devel-1.0.1e-51.el7_2.4.x86_64                     1/6
  Verifying  : 1:openssl-1.0.1e-51.el7_2.4.x86_64                           2/6
  Verifying  : 1:openssl-libs-1.0.1e-51.el7_2.4.x86_64                      3/6
  Verifying  : 1:openssl-libs-1.0.1e-42.el7.9.x86_64                        4/6
  Verifying  : 1:openssl-devel-1.0.1e-42.el7.9.x86_64                       5/6
  Verifying  : 1:openssl-1.0.1e-42.el7.9.x86_64                             6/6

Updated:
  openssl.x86_64 1:1.0.1e-51.el7_2.4                                           
  openssl-devel.x86_64 1:1.0.1e-51.el7_2.4                                     
  openssl-libs.x86_64 1:1.0.1e-51.el7_2.4                                      

Complete!

Sunka · Mar 3, 2016

not updated to 1.0.2g??

eva2000 · Mar 3, 2016

Sunka said: ↑

not updated to 1.0.2g??
Click to expand...

read 1st post at Security - OpenSSL 1.0.2g & Updating Centmin Mod Nginx SSL Support | Centmin Mod Community
CentOS/Redhat backports fixes into existing major versions

Usually Redhat and CentOS back port patches so you will see something like OpenSSL 1.0.1e-XX where XX is incremented version number with fixed patches. Will update this post once Redhat/CentOS have an updated YUM package.
Click to expand...
Seems CentOS YUM OpenSSL updates are out too

For CentOS 7

openssl 1.0.1e-51.el7_2.4
Code (Text):
rpm -qa --changelog openssl | head -n9
* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn

* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method
For CentOS 6

OpenSSL 1.0.1e-42.el6_7.4
Code (Text):
rpm -qa --changelog openssl | head -n9
* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn

* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method
Click to expand...
so you have the updated fixed version
Code (Text):
Updated:
  openssl.x86_64 1:1.0.1e-51.el7_2.4                                          
  openssl-devel.x86_64 1:1.0.1e-51.el7_2.4                                    
  openssl-libs.x86_64 1:1.0.1e-51.el7_2.4 

Sunka · Mar 3, 2016

OK, so I have to reboot server now and then switch to Nginx recompile with OPENSSL_VER='1.02g' as it stand here

eva2000 said: ↑

To update if you are using OpenSSL and not the prior default Centmin Mod Nginx LibreSSL, edit your centmin.sh file variable for OPENSSL_VERSION. There's 2 ways to do that:

Best way is to use centmin.sh menu option 23 submenu option 2 for auto updating Centmin Mod code as outlined at centminmod.com/upgrade.html and at Beta Branch - New .08 beta menu option - updating Centmin Mod via git | Centmin Mod Community. If Centmin Mod code has been updated, that method will auto update centmin.sh to latest version which already has OPENSSL_VERSION='1.02g' set. After updating via git centmin.sh menu option 23 submenu options, verify in centmin.sh that OPENSSL_VERSION='1.02g' is set.

If you do not have centmin.sh menu option 23 submenu option 1 for git environment setup or if centmin.sh doesn't have OPENSSL_VERSION='1.02g' set, then you need to manually update and edit your server copy of centmin.sh at /usr/local/src/centminmod/centmin.sh and

change
OPENSSL_VERSION='1.0.2f'

to
OPENSSL_VERSION='1.02g'

Then save centmin.sh. Then run centmin.sh

or use sed to replace 1.0.2f to 1.02g
sed -i "s/OPENSSL_VERSION='1.0.2f'/OPENSSL_VERSION='1.02g'/" centmin.sh

check if OPENSSL_VERSION='1.02g'
grep ^OPENSSL centmin.sh
OPENSSL_VERSION='1.02g' # Use this version of OpenSSL

./centmin.sh

select menu option #4 to upgrade/downgrade Nginx

when prompted select yes or no from YUM checks, select NO (really system OpenSSL update step above wouldn't be needed if you select yes to YUM checks here )

then when prompted specify Nginx version = 1.9.12

let Nginx recompile run to completion, it should say Nginx installed successfully

Check if Nginx compiled against 1.02g using Nginx -V command

Click to expand...

Log in / Register

Forums

Welcome to Centmin Mod Community

CentOS 7.x Rolling back Axivo installed OpenSSL 1.0.2a

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

.

Log in / Register

Useful Searches

Welcome to Centmin Mod Community

CentOS 7.x Rolling back Axivo installed OpenSSL 1.0.2a

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

Sunka Well-Known Member

eva2000 Administrator Staff Member

Sunka Well-Known Member

.