Learn about Centmin Mod LEMP Stack today
Register Now

Updating OpenSSL 1.0.1i for Centmin Mod [discussion]

Discussion in 'System Administration' started by eva2000, Aug 7, 2014.

  1. Floren

    Floren Active Member

    148
    77
    28
    Jun 6, 2014
    Ratings:
    +77
    Local Time:
    2:45 AM
    Actually you do a lot more on Centminmod. You sir are a scripting hero.:D
    But we both have the same scope, having latest software available primarily for our use and share it with Open Source community. In case you wonder:
    Code:
    Patch1:            %{name}-1.0.1-beta2-rpmbuild.patch
    Patch2:            %{name}-1.0.0f-defaults.patch
    Patch4:            %{name}-1.0.0-beta5-enginesdir.patch
    Patch5:            %{name}-0.9.8a-no-rpath.patch
    Patch6:            %{name}-0.9.8b-test-use-localhost.patch
    Patch7:            %{name}-1.0.0-timezone.patch
    Patch8:            %{name}-1.0.1c-perlfind.patch
    Patch9:            %{name}-1.0.1c-aliasing.patch
    Patch23:        %{name}-1.0.1c-default-paths.patch
    Patch24:        %{name}-1.0.1e-issuer-hash.patch
    Patch33:        %{name}-1.0.0-beta4-ca-dir.patch
    Patch34:        %{name}-0.9.6-x509.patch
    Patch35:        %{name}-0.9.8j-version-add-engines.patch
    Patch36:        %{name}-1.0.1i-doc-noeof.patch
    Patch38:        %{name}-1.0.1-beta2-ssl-op-all.patch
    Patch39:        %{name}-1.0.1h-ipv6-apps.patch
    Patch45:        %{name}-1.0.1e-env-zlib.patch
    Patch47:        %{name}-1.0.0-beta5-readme-warning.patch
    Patch49:        %{name}-1.0.1i-algo-doc.patch
    Patch50:        %{name}-1.0.1-beta2-dtls1-abi.patch
    Patch51:        %{name}-1.0.1e-version.patch
    Patch60:        %{name}-1.0.0d-apps-dgst.patch
    Patch63:        %{name}-1.0.0d-xmpp-starttls.patch
    Patch65:        %{name}-1.0.0e-chil-fixes.patch
    Patch66:        %{name}-1.0.1-pkgconfig-krb5.patch
    Patch68:        %{name}-1.0.1e-secure-getenv.patch
    Patch69:        %{name}-1.0.1c-dh-1024.patch
    Patch77:        %{name}-1.0.1e-weak-ciphers.patch
    Patch80:        %{name}-1.0.1e-enc-fail.patch
    Patch81:        %{name}-1.0.1-beta2-padlock64.patch
    Patch84:         %{name}-1.0.1i-trusted-first.patch
    Patch85:         %{name}-1.0.1e-arm-use-elf-auxv-caps.patch
    Patch89:        %{name}-1.0.1e-ephemeral-key-size.patch

     
    • Like Like x 1
  2. eva2000

    eva2000 Administrator Staff Member

    40,322
    8,930
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,753
    Local Time:
    4:45 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Yeah true it's for my use which drives what gets put into Centmin Mod. I am a bash shell scripting junkie :D
     
  3. Floren

    Floren Active Member

    148
    77
    28
    Jun 6, 2014
    Ratings:
    +77
    Local Time:
    2:45 AM
    @eva2000, building RPMs is all about scripting also, hehe. And patching, which is probably the most important part, compared to compiling from source. Patching is beneficial because there are many fixes not available into originally released source code.
     
  4. eva2000

    eva2000 Administrator Staff Member

    40,322
    8,930
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,753
    Local Time:
    4:45 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Yeah true.. only ever built RPMs for MariaDB, MySQL, WebScaleSQL MySQL and Apache 2.4. I have no interest in maintaining and following so closely the respective software bugs, patches etc. Just give me the source file hehe
     
  5. Floren

    Floren Active Member

    148
    77
    28
    Jun 6, 2014
    Ratings:
    +77
    Local Time:
    2:45 AM
    @eva2000, I released OpenSSL 1.0.1i for RHEL7. I'm starting to build all packages slowly. :)
    Code:
    # yum --disablerepo=* --enablerepo=axivo list | egrep 'axivo|Packages'
    Installed Packages
    GeoIP.x86_64                           1.6.2-1.el7                     @axivo  
    GeoIP-devel.x86_64                     1.6.2-1.el7                     @axivo  
    axivo-release.noarch                   7-1                             installed
    openssl.x86_64                         1:1.0.1i-1.el7                  @axivo  
    openssl-libs.x86_64                    1:1.0.1i-1.el7                  @axivo  
    Available Packages
    GeoIP-update.noarch                    1.6.2-1.el7                     axivo    
    openssl-devel.x86_64                   1:1.0.1i-1.el7                  axivo    
    openssl-perl.x86_64                    1:1.0.1i-1.el7                  axivo    
    openssl-static.x86_64                  1:1.0.1i-1.el7                  axivo
    It is a start, heh... Also, update works for me:
    Code:
    # yum -q list openssl
    Installed Packages
    openssl.x86_64              1:1.0.1e-34.el7_0.3               @updates
    
    # yum --enablerepo=axivo update openssl
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
    * base: centos.mirrors.atwab.net
    * extras: centos.mirrors.atwab.net
    * updates: centos.mirrors.atwab.net
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssl.x86_64 1:1.0.1e-34.el7_0.3 will be updated
    ---> Package openssl.x86_64 1:1.0.1i-1.el7 will be an update
    --> Processing Dependency: openssl-libs = 1:1.0.1i-1.el7 for package: 1:openssl-1.0.1i-1.el7.x86_64
    --> Running transaction check
    ---> Package openssl-libs.x86_64 1:1.0.1e-34.el7_0.3 will be updated
    ---> Package openssl-libs.x86_64 1:1.0.1i-1.el7 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ==================================================================
    Package          Arch       Version              Repository
                                                                 Size
    ==================================================================
    Updating:
    openssl          x86_64     1:1.0.1i-1.el7       axivo     580 k
    Updating for dependencies:
    openssl-libs     x86_64     1:1.0.1i-1.el7       axivo     1.0 M
    
    Transaction Summary
    ==================================================================
    Upgrade  1 Package (+1 Dependent package)
    
    Total download size: 1.5 M
    Is this ok [y/d/N]: y
    Downloading packages:
    No Presto metadata available for axivo
    (1/2): openssl-1.0.1i-1.el7.x86_64.rpm       | 580 kB   00:02  
    (2/2): openssl-libs-1.0.1i-1.el7.x86_64.rpm  | 1.0 MB   00:02  
    ------------------------------------------------------------------
    Total                                554 kB/s | 1.5 MB  00:02  
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Updating   : 1:openssl-libs-1.0.1i-1.el7.x86_64             1/4
      Updating   : 1:openssl-1.0.1i-1.el7.x86_64                  2/4
      Cleanup    : 1:openssl-1.0.1e-34.el7_0.3.x86_64             3/4
      Cleanup    : 1:openssl-libs-1.0.1e-34.el7_0.3.x86_64        4/4
      Verifying  : 1:openssl-libs-1.0.1i-1.el7.x86_64             1/4
      Verifying  : 1:openssl-1.0.1i-1.el7.x86_64                  2/4
      Verifying  : 1:openssl-libs-1.0.1e-34.el7_0.3.x86_64        3/4
      Verifying  : 1:openssl-1.0.1e-34.el7_0.3.x86_64             4/4
    
    Updated:
      openssl.x86_64 1:1.0.1i-1.el7                                
    
    Dependency Updated:
      openssl-libs.x86_64 1:1.0.1i-1.el7                            
    
    Complete!
     
    Last edited: Aug 10, 2014
    • Like Like x 1
  6. eva2000

    eva2000 Administrator Staff Member

    40,322
    8,930
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,753
    Local Time:
    4:45 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  7. Floren

    Floren Active Member

    148
    77
    28
    Jun 6, 2014
    Ratings:
    +77
    Local Time:
    2:45 AM
    @eva2000, should take me few weeks, just in time for MariaDB 10.0.13. :)
    Also, I updated the previous post, check how update works wonderful, heh.
     
  8. eva2000

    eva2000 Administrator Staff Member

    40,322
    8,930
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,753
    Local Time:
    4:45 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    hehe update, which ever works ... use it :)

    Ah yes MariaDB 10.0.13 another on my list to do.. busy with some client work right now though so got to take care of my clients first - increased interest in SSL certificates hehe
     
    • Like Like x 1
  9. eva2000

    eva2000 Administrator Staff Member

    40,322
    8,930
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,753
    Local Time:
    4:45 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Looks like CentOS finally provided an updated package for
    • OpenSSL 1.0.1e-34.el7_0.4 for CentOS 7
    • OpenSSL 1.0.1e-16.el6_5.15 for CentOS 6
    on CentOS 7
    Code:
    yum list updates | grep openssl
    openssl.x86_64                            1:1.0.1e-34.el7_0.4            updates
    openssl-devel.x86_64                      1:1.0.1e-34.el7_0.4            updates
    on CentOS 6
    Code:
    yum list updates | grep openssl
    openssl.x86_64                             1.0.1e-16.el6_5.15            updates
    openssl-devel.x86_64                       1.0.1e-16.el6_5.15            updates
    To update
    Code:
    yum -y update
    Check the OpenSSL change log which has fixes dated Aug 08, 2014

    For CentOS 7
    Code:
    rpm -qa -changelog openssl | head -n9
    * Fri Aug 08 2014 Tomáš Mráz <[email protected]> 1.0.1e-34.4
    - fix CVE-2014-3505 - doublefree in DTLS packet processing
    - fix CVE-2014-3506 - avoid memory exhaustion in DTLS
    - fix CVE-2014-3507 - avoid memory leak in DTLS
    - fix CVE-2014-3508 - fix OID handling to avoid information leak
    - fix CVE-2014-3509 - fix race condition when parsing server hello
    - fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS
    - fix CVE-2014-3511 - disallow protocol downgrade via fragmentation
    
    For CentOS 6
    Code:
    rpm -qa -changelog openssl | head -n9
    * Fri Aug 08 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.15
    - fix CVE-2014-3505 - doublefree in DTLS packet processing
    - fix CVE-2014-3506 - avoid memory exhaustion in DTLS
    - fix CVE-2014-3507 - avoid memory leak in DTLS
    - fix CVE-2014-3508 - fix OID handling to avoid information leak
    - fix CVE-2014-3509 - fix race condition when parsing server hello
    - fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS
    - fix CVE-2014-3511 - disallow protocol downgrade via fragmentation
    
    Updated all my servers :D
     
    Last edited: Aug 14, 2014
..