CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Posted: 2016/03/18 08:24:58
by aavijay
Needed some clarity on the fixes for the above CVEs.

Redhat portal states that openssl-1.0.1e-42.el6_7.4.x86_64.rpm is the fixed version for CVE-2016-0705. Centos repo has been updated as well. However, there is no clarity over CVE-2016-0799 and CVE-2016-2842. Does openssl-1.0.1e-42.el6_7.4.x86_64.rpm also fix CVE-2016-0799 and CVE-2016-2842?

Thanks

Vijay

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842

Posted: 2016/03/18 09:29:31
by TrevorH
The only information that there is is contained in the following links:

https://access.redhat.com/security/cve/CVE-2016-0799
https://bugzilla.redhat.com/show_bug.cgi?id=1312219
https://bugzilla.redhat.com/show_bug.cg ... -2016-2842

If it's fixed in RHEL and they have released it then it should also be fixed in CentOS.

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Posted: 2016/05/06 15:24:31
by RobotPat
I'd also like to get confirmation on CVE-2016-0799. I need more evidence than "it should be in there".
When I look in the rpm changelogs, I want to see this CVE in there. Until then, I have to conclude this
CVE-2016-0799 is not in openssl-1.0.1e-42.el6_7.4.x86_64.rpm. Here is the top of the changelog:

$ rpm -qp openssl-1.0.1e-42.el6_7.4.x86_64.rpm --changelog | head
...
* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn

* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method
...

Thanks!

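The check RobotPat describes above (grep the package changelog for each CVE id before trusting that it is fixed) can be scripted. The following is an added example, not code from the thread or from the CentOS project; the sample changelog text is constructed from the excerpt above, and `rpm_cve_status` is a hypothetical wrapper that runs the real `rpm -q --changelog` / `rpm -qp --changelog` query on a host where rpm is installed.

```shell
#!/bin/sh
# Constructed sample: the changelog lines RobotPat pasted, used so the
# check can be exercised offline without an rpm file at hand.
SAMPLE_CHANGELOG='* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn

* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method'

# cve_status CHANGELOG_TEXT CVE...
# Prints one line per CVE: "<CVE> fixed" if the id appears as a whole word
# in the changelog text, otherwise "<CVE> NOT-FOUND".
cve_status() {
    changelog=$1
    shift
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -qw -- "$cve"; then
            echo "$cve fixed"
        else
            echo "$cve NOT-FOUND"
        fi
    done
}

# missing_cves CHANGELOG_TEXT CVE...
# Prints only the CVEs that are absent; exit status 1 if any are absent,
# so the function can gate a deployment step.
missing_cves() {
    cve_status "$@" | awk '$2 == "NOT-FOUND" { print $1; n++ } END { exit n > 0 }'
}

# rpm_cve_status TARGET CVE...  (hypothetical wrapper; needs rpm on the host)
# TARGET ending in .rpm is queried as a file (-qp), anything else as an
# installed package name (-q). Exit status 2 if rpm itself fails.
rpm_cve_status() {
    target=$1
    shift
    case $target in
        *.rpm) changelog=$(rpm -qp --changelog "$target") ;;
        *)     changelog=$(rpm -q --changelog "$target") ;;
    esac
    [ -n "$changelog" ] || return 2
    cve_status "$changelog" "$@"
}

# Demo on the constructed sample: 0705 is listed, 0799 and 2842 are not.
cve_status "$SAMPLE_CHANGELOG" CVE-2016-0705 CVE-2016-0799 CVE-2016-2842
# Expected:
# CVE-2016-0705 fixed
# CVE-2016-0799 NOT-FOUND
# CVE-2016-2842 NOT-FOUND
```

Usage on a real host would be `rpm_cve_status openssl CVE-2016-0799 CVE-2016-2842` for the installed package or `rpm_cve_status openssl-1.0.1e-42.el6_7.4.x86_64.rpm ...` for a downloaded file. A NOT-FOUND result only means the changelog does not mention the id; it is the same evidence standard RobotPat applies, not proof the code is vulnerable.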
Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Posted: 2016/05/06 15:30:59
by TrevorH
Unfortunately you will need to ask Redhat about that since they are the ones that make the source packages available and only they know the status of the CVEs in question. CentOS just rebuilds what comes out of Redhat - there is no independent coding nor inspection nor validation of what Redhat provide for RHEL users. The links I previously posted are all the information that any of us have to go on.

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Posted: 2016/05/06 16:26:42
by RobotPat
Ok, thanks!

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Posted: 2016/05/10 13:13:20
by TrevorH
Redhat have just published a security errata https://rhn.redhat.com/errata/RHSA-2016-0996.html that says that it fixes these and the latest openssl vulnerabilities as well. Unfortunately they have yet to publish the actual SRPM files to allow the fixed versions to be rebuilt, but hopefully they'll do that soon. Since RHEL 6.8 was just released upstream and this fixed package is part of that, it may take a little longer than normal to get the fixed versions out, though I believe they will be made available for 6.7 and we won't have to wait for 6.8 itself.

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Posted: 2016/05/11 22:16:44
by jamesh
US has uploaded their SRPM to http://ftp.redhat.com/redhat/linux/ente ... .1.src.rpm

I've rebuilt it and installed the resulting rpms on my Centos 6.7 systems, they seem to work as expected. The source contains a test cert that expired on 5/10, so the rebuild failed during tests... What I ended up doing is:

date -s 'last week'
rpmbuild --rebuild openssl-1.0.1e-48.el6_8.1.src.rpm
date -s 'next week'

I have no idea what the holdup is for Centos binary rpms.

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Posted: 2016/05/14 18:49:35
by centminmod
jamesh wrote: US has uploaded their SRPM to http://ftp.redhat.com/redhat/linux/ente ... .1.src.rpm

I've rebuilt it and installed the resulting rpms on my Centos 6.7 systems, they seem to work as expected. The source contains a test cert that expired on 5/10, so the rebuild failed during tests... What I ended up doing is:

date -s 'last week'
rpmbuild --rebuild openssl-1.0.1e-48.el6_8.1.src.rpm
date -s 'next week'

I have no idea what the holdup is for Centos binary rpms.
thanks @jamesh for the tip/workaround - works fine here too :)

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Posted: 2016/05/17 06:34:50
by avij
The fixed openssl package for CentOS 6 is now available via the Continuous Release repository. That repository has all the updates scheduled for 6.8, apart from a few packages (such as anaconda and centos-release) that will still need to be modified prior to final 6.8 release.

As for the holdup, RH released the updated openssl as part of RHEL 6.8. Johnny Hughes describes the CentOS process.