CentOS6.5 Heartbleed bug, openssl update problem

[chelomm@gmail.com]

Hi

This is about Heartbleed bug and this one most likely has already been fixed but I have spent few hours trying before deciding to post my question on this forum and currently feel really stupid for not been able to work it out.

I have a stand-alone CentOS6.5 server, kernel 2.6.32-431.el6.x86_64.

I am trying to update openssl to the version where the heartbleed bug is fixed.
I have se3arch the web for a while and see that latest openssl rpm is:

openssl-1.0.1e-48.el6.x86_64.rpm

which I have downloaded and am trying to install locally as below:

[root@enigma-nms-slave admin]#
[root@enigma-nms-slave admin]# rpm -i openssl-1.0.1e-48.el6.x86_64.rpm
file /usr/bin/openssl from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/.libcrypto.so.1.0.1e.hmac from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/.libssl.so.1.0.1e.hmac from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/libcrypto.so.1.0.1e from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/libssl.so.1.0.1e from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/openssl/engines/lib4758cca.so from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/openssl/engines/libaep.so from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/openssl/engines/libatalla.so from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/openssl/engines/libcapi.so from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/openssl/engines/libchil.so from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/openssl/engines/libcswift.so from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/openssl/engines/libgmp.so from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/openssl/engines/libnuron.so from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/openssl/engines/libpadlock.so from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/openssl/engines/libsureware.so from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/lib64/openssl/engines/libubsec.so from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/doc/openssl-1.0.1e/README.FIPS from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/ca.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/ciphers.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/cms.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/ec.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/ocsp.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/openssl.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/req.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/s_client.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/s_server.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/s_time.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/smime.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/speed.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/ts.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/verify.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
file /usr/share/man/man1/x509.1ssl.gz from install of openssl-1.0.1e-48.el6.x86_64 conflicts with file from package openssl-1.0.1e-15.el6.x86_64
[root@enigma-nms-slave admin]#

I don't know how to solve this.

Tried to do this via yum with no luck:

# yum update openssl
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Update Process
Loading mirror speeds from cached hostfile
No Packages marked for Update


I would really appreciate any help

Thank you

Mike

[TrevorH]

Where are your yum configs pointing to? Look at /etc/yum.repos.d/CentOS-Base.repo and make sure that it doesn't have "6.5" hard coded in the urls listed. Ideally you should update the entire system as updates are not tested individually so installing just the latest openssl package may not work with the rest of the system being backlevel. If your yum config file is pointing at a locally maintained internal mirror then I'd say that mirror is massively out of date and needs updating.

[chelomm@gmail.com]

Thank TrevorH

I have amended the /etc/yum.repos.d/CentOS-Base.repo as per your advice to remove the hard-coded links to 6.5 repo.

All worked OK.

Thank you very much!!!

Any advice on how to do this on the server disconnected from the internet?

Before running yum install

I ran it with download only option and it saved following 2 rpm in the local dir.

[root@enigma-nms-slave openssl_yum_download]# ll
total 2764
-rw-r--r-- 1 root root 1600772 Mar 24 01:04 openssl-1.0.1e-57.el6.x86_64.rpm
-rw-r--r-- 1 root root 1227684 Mar 24 01:00 openssl-devel-1.0.1e-57.el6.x86_64.rpm
[root@enigma-nms-slave openssl_yum_download]#

But when I tried to run

rpm -i openssl-1.0.1e-57.el6.x86_64.rpm

It gave me dependencies errors.

Here is what yum did:

#####################################
# yum install openssl
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.overthewire.com.au
* extras: mirror.nsw.coloau.com.au
* updates: mirror.overthewire.com.au
base | 3.7 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-15.el6 will be updated
--> Processing Dependency: openssl = 1.0.1e-15.el6 for package: openssl-devel-1.0.1e-15.el6.x86_64
---> Package openssl.x86_64 0:1.0.1e-57.el6 will be an update
--> Running transaction check
---> Package openssl-devel.x86_64 0:1.0.1e-15.el6 will be updated
---> Package openssl-devel.x86_64 0:1.0.1e-57.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================================================================================================
Updating:
openssl x86_64 1.0.1e-57.el6 base 1.5 M
Updating for dependencies:
openssl-devel x86_64 1.0.1e-57.el6 base 1.2 M

Transaction Summary
=============================================================================================================================================================================================================================================
Upgrade 2 Package(s)

Total download size: 2.7 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): openssl-1.0.1e-57.el6.x86_64.rpm | 1.5 MB 00:02
(2/2): openssl-devel-1.0.1e-57.el6.x86_64.rpm | 1.2 MB 00:01
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 679 kB/s | 2.7 MB 00:04
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
Updating : openssl-1.0.1e-57.el6.x86_64 1/4
Updating : openssl-devel-1.0.1e-57.el6.x86_64 2/4
Cleanup : openssl-devel-1.0.1e-15.el6.x86_64 3/4
Cleanup : openssl-1.0.1e-15.el6.x86_64 4/4
Verifying : openssl-1.0.1e-57.el6.x86_64 1/4
Verifying : openssl-devel-1.0.1e-57.el6.x86_64 2/4
Verifying : openssl-devel-1.0.1e-15.el6.x86_64 3/4
Verifying : openssl-1.0.1e-15.el6.x86_64 4/4

Updated:
openssl.x86_64 0:1.0.1e-57.el6

Dependency Updated:
openssl-devel.x86_64 0:1.0.1e-57.el6

Complete!
[root@enigma-nms-slave openssl_yum_download]#
#################################################

Rebooted the server and ran Heartbleed detection script: ./CVE-2014-0160-checker.py 192.168.1.110

All went good!

Thank you very much again for your help!

[TrevorH]

The usual method of updating servers without internet access is to set up your own local mirror (instructions in the wiki)

[chelomm@gmail.com]

Thank you much appreciated!