CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Support for security such as Firewalls and securing linux
Post Reply
User avatar
peopleinside
Posts: 64
Joined: 2013/11/13 10:41:22

CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Post by peopleinside » 2016/06/06 15:53:08

Hi,
there are update of OpenSSL available for fix this strong security issue?
Thanks.


User avatar
TrevorH
Forum Moderator
Posts: 29147
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Post by TrevorH » 2016/06/06 16:15:07

"Impact: Moderate"

Update to 6.8 and get openssl-1.0.1e-48.el6_8.1.x86_64
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

asche
Posts: 2
Joined: 2016/06/11 08:42:37

Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Post by asche » 2016/06/11 08:56:12

hello,

i'm just wondering that the online tests
- https://filippo.io/CVE-2016-2107/
- http://www.ssllabs.com
say that my server is vulnerable.

I installed the latest updates und also restarted nginx.

Code: Select all

server:~$ rpm -q --changelog "openssl" | head -n 7
* Mo Mai 02 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.1
- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
- fix CVE-2016-0799 - memory issues in BIO_printf

Code: Select all

server:~$ yum info openssl
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 48.el6_8.1
Size        : 4.0 M
Repo        : installed
From repo   : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.
any idea?

User avatar
TrevorH
Forum Moderator
Posts: 29147
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Post by TrevorH » 2016/06/11 09:02:53

Where did you get nginx from?
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

asche
Posts: 2
Joined: 2016/06/11 08:42:37

Re: CentOS OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Post by asche » 2016/06/13 14:29:17

TrevorH wrote:Where did you get nginx from?
Thanks for the tip.
The nginx package came with an old openssl version.

Post Reply

Return to “CentOS 6 - Security Support”