Centos 6.8 OpenSSL (CVE-2016-0705, CVE-2016-0799 and CVE-2016-2108)

fpalero
Posts: 6
Joined: 2016/09/05 05:49:10

Centos 6.8 OpenSSL (CVE-2016-0705, CVE-2016-0799 and CVE-2016-2108)

Post by fpalero » 2016/09/05 06:15:43

Hi,

Can anyone help on how to apply these patches (CVE-2016-0705, CVE-2016-0799 and CVE-2016-2108) on CentOS 6.8?

I ran these commands to check one of the CVEs:

$ openssl version
OpenSSL 1.0.2h 3 May 2016

$ yum --cve CVE-2016-2108 info updates
Loaded plugins: security
Limiting package lists to security relevant ones
epel/updateinfo | 738 kB 00:00
No packages needed for security; 0 packages available

$ yum updateinfo info --cve CVE-2016-2108
Loaded plugins: security
CVE "CVE-2016-2108" not found applicable for this system
updateinfo info done

$ rpm -q --changelog "CVE-2016-2108" | less
package CVE-2016-2108 is not installed

$ rpm -q --changelog openssl | grep "CVE-2016-2108"
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder

Thanks in advance.

Regards,
FSPalero

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Centos 6.8 OpenSSL (CVE-2016-0705, CVE-2016-0799 and CVE-2016-2108)

Post by avij » 2016/09/05 08:08:37

CentOS does not currently provide the necessary information in its repositories so that the --cve option would work. Commands like "yum updateinfo list security all" won't work for the same reason.

The proper way to check if a fix is included is to check the changelog, as you did in your last example.


$ rpm -q --changelog openssl | grep -e CVE-2016-2108 -e CVE-2016-0705 -e CVE-2016-0799
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-0799 - memory issues in BIO_printf
- fix CVE-2016-0705 - double-free in DSA private key parsing
$ rpm -q openssl
openssl-1.0.1e-48.el6_8.1.x86_64
Note also that some CVEs do not affect packages shipped by CentOS. For example, some packages may have the vulnerable functionality disabled at compile time.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Centos 6.8 OpenSSL (CVE-2016-0705, CVE-2016-0799 and CVE-2016-2108)

Post by avij » 2016/09/05 08:11:10

In addition to the above..
fpalero wrote:
$ openssl version
OpenSSL 1.0.2h 3 May 2016
That does not look like a CentOS 6 openssl. Here's mine:

$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

fpalero
Posts: 6
Joined: 2016/09/05 05:49:10

Re: Centos 6.8 OpenSSL (CVE-2016-0705, CVE-2016-0799 and CVE-2016-2108)

Post by fpalero » 2016/09/05 08:21:37

Hi Avij,

Thank you for the quick reply!

Just to confirm: does the word "fix" in the list below mean that it was patched or not?

$ rpm -q --changelog openssl | grep -e CVE-2016-2108 -e CVE-2016-0705 -e CVE-2016-0799
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-0799 - memory issues in BIO_printf
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-0799 - memory issues in BIO_printf
- fix CVE-2016-0705 - double-free in DSA private key parsing

$ rpm -q openssl
openssl-1.0.1e-48.el6_8.1.x86_64
openssl-1.0.1e-48.el6_8.1.i686

Regards,
FSPalero

fpalero
Posts: 6
Joined: 2016/09/05 05:49:10

Re: Centos 6.8 OpenSSL (CVE-2016-0705, CVE-2016-0799 and CVE-2016-2108)

Post by fpalero » 2016/09/05 08:25:05

$ yum updateinfo list security all
Loaded plugins: security
FEDORA-EPEL-2015-7198 security Django14-1.4.21-1.el6.noarch
FEDORA-EPEL-2015-7198 security Django14-doc-1.4.21-1.el6.noarch
FEDORA-EPEL-2016-eb24bfea0d security GraphicsMagick-1.3.23-4.el6.x86_64
FEDORA-EPEL-2016-c5dae2a582 security GraphicsMagick-1.3.24-1.el6.x86_64
FEDORA-EPEL-2016-eb24bfea0d security GraphicsMagick-c++-1.3.23-4.el6.x86_64
FEDORA-EPEL-2016-c5dae2a582 security GraphicsMagick-c++-1.3.24-1.el6.x86_64
FEDORA-EPEL-2016-eb24bfea0d security GraphicsMagick-c++-devel-1.3.23-4.el6.x86_64
FEDORA-EPEL-2016-c5dae2a582 security GraphicsMagick-c++-devel-1.3.24-1.el6.x86_64
FEDORA-EPEL-2016-eb24bfea0d security GraphicsMagick-devel-1.3.23-4.el6.x86_64
FEDORA-EPEL-2016-c5dae2a582 security GraphicsMagick-devel-1.3.24-1.el6.x86_64
FEDORA-EPEL-2016-eb24bfea0d security GraphicsMagick-doc-1.3.23-4.el6.noarch
FEDORA-EPEL-2016-c5dae2a582 security GraphicsMagick-doc-1.3.24-1.el6.noarch
FEDORA-EPEL-2016-eb24bfea0d security GraphicsMagick-perl-1.3.23-4.el6.x86_64
FEDORA-EPEL-2016-c5dae2a582 security GraphicsMagick-perl-1.3.24-1.el6.x86_64
....
....

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Centos 6.8 OpenSSL (CVE-2016-0705, CVE-2016-0799 and CVE-2016-2108)

Post by avij » 2016/09/05 10:26:43

fpalero wrote:
Just to confirm: does the word "fix" in the list below mean that it was patched or not?
Yes, those vulnerabilities were indeed fixed in the openssl package as shipped by CentOS.
fpalero wrote:
$ rpm -q openssl
openssl-1.0.1e-48.el6_8.1.x86_64
openssl-1.0.1e-48.el6_8.1.i686
You seem to have the newest CentOS openssl packages installed, but your openssl version output shows that your system is not actually using CentOS openssl, but perhaps an openssl that you have compiled yourself. If you run "which openssl", does it output /usr/bin/openssl or something like /usr/local/bin/openssl? If the latter, you are not using the CentOS version of openssl.

Please note that depending on how your system is set up, your applications (web server etc) may not be using the up-to-date CentOS openssl, but a version of openssl that you have compiled yourself. Determining if your version of openssl has those CVEs fixed or not can't be done with rpm or yum, because your version wasn't installed with rpm or yum.

https://cve.mitre.org/cgi-bin/cvename.c ... -2016-0705 -- "1.0.2 before 1.0.2g allows remote attackers..." -- your OpenSSL 1.0.2h is not vulnerable
https://cve.mitre.org/cgi-bin/cvename.c ... -2016-0799 -- "1.0.2 before 1.0.2g improperly calculates..." -- your OpenSSL 1.0.2h is not vulnerable
https://cve.mitre.org/cgi-bin/cvename.c ... -2016-2108 -- "1.0.2 before 1.0.2c allows remote attackers..." -- your OpenSSL 1.0.2h is not vulnerable

Even though you seem to be safe for now, bear in mind that, as you seem to be using your own version of openssl, merely running yum update every now and then will not be sufficient to fix any possible problems with your openssl. That would update only the CentOS openssl; it would not update whatever openssl you have installed yourself.

https://access.redhat.com/security/updates/backporting may also be useful.
fpalero wrote:
$ yum updateinfo list security all
Loaded plugins: security
FEDORA-EPEL-2015-7198 security Django14-1.4.21-1.el6.noarch
FEDORA-EPEL-2015-7198 security Django14-doc-1.4.21-1.el6.noarch
Yes, EPEL does provide the data that is used by the security plugin. Those are EPEL packages, not CentOS packages.
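The two checks avij describes in his posts above (grep the rpm changelog for the CVE IDs, then find out whether the openssl actually in use is the CentOS rpm or a self-built copy that yum will never touch) combined into one script. This is an added example, not code from the thread or from CentOS. The text-parsing helpers take their input as a string so they can be run anywhere; the live part runs only when invoked with "--live" on the CentOS host, ideally as root so /proc/PID/maps of the services is readable. The service names httpd and nginx are an assumption, as is the CVE list; edit both to match the box.

```shell
#!/bin/sh
# Added example (not from the CentOS forum thread). Two questions:
#   1. does the installed openssl rpm's changelog record the CVE fixes?
#   2. which openssl binary and which libssl/libcrypto are really in use?
# Helpers take text as arguments so they work without rpm; the live section
# below runs only with "--live" on a CentOS host.

# changelog_covers CHANGELOG_TEXT CVE...: succeed if every CVE is mentioned,
# otherwise print the missing ones and fail.
changelog_covers() {
    changelog=$1
    shift
    missing=""
    for cve in "$@"; do
        if ! printf '%s\n' "$changelog" | grep -q -- "$cve"; then
            missing="$missing $cve"
        fi
    done
    [ -z "$missing" ] && return 0
    printf 'not in changelog:%s\n' "$missing"
    return 1
}

# openssl_libs_in TEXT: distinct libssl/libcrypto paths found in ldd output
# or in a /proc/PID/maps dump. /usr/lib64/... is the CentOS rpm copy;
# /usr/local/... or /opt/... is a self-built copy that yum does not update.
openssl_libs_in() {
    printf '%s\n' "$1" | grep -o -E '/[^ ]*lib(ssl|crypto)\.so[^ ]*' | sort -u
}

# owner_of PATH: the rpm that owns the file, or "unpackaged" if none does.
# Only meaningful on a host with rpm.
owner_of() {
    if rpm -qf "$1" >/dev/null 2>&1; then
        rpm -qf "$1"
    else
        echo "unpackaged"
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Assumed CVE list and service names; adjust for the host in question.
    wanted="CVE-2016-0705 CVE-2016-0799 CVE-2016-2108"

    echo "== openssl rpm(s) and changelog =="
    rpm -q openssl
    # With both x86_64 and i686 installed, rpm prints one changelog per
    # package, which is why the grep in the thread showed each line twice.
    # shellcheck disable=SC2086
    changelog_covers "$(rpm -q --changelog openssl)" $wanted && echo "all fixes recorded"

    echo "== openssl binary first in PATH =="
    bin=$(command -v openssl)
    echo "$bin -> $(owner_of "$bin")"
    "$bin" version

    echo "== libraries that binary loads =="
    for lib in $(openssl_libs_in "$(ldd "$bin")"); do
        echo "$lib -> $(owner_of "$lib")"
    done

    # Services may link yet another copy; look at what they have mapped.
    for pid in $(pidof httpd nginx 2>/dev/null); do
        echo "== pid $pid ($(ps -o comm= -p "$pid")) =="
        for lib in $(openssl_libs_in "$(cat "/proc/$pid/maps")"); do
            echo "$lib -> $(owner_of "$lib")"
        done
    done
fi
```

If the binary or any mapped library reports "unpackaged", the CVE reasoning has to be done against the upstream OpenSSL version string of that copy (as avij did with the MITRE entries), not against the rpm changelog, and yum update will not fix it.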

fpalero
Posts: 6
Joined: 2016/09/05 05:49:10

Re: Centos 6.8 OpenSSL (CVE-2016-0705, CVE-2016-0799 and CVE-2016-2108)

Post by fpalero » 2016/09/05 23:43:13

Hi Avij,

Sorry for the delayed response.

Many thanks for the help; the OpenSSL CVE package information for the said OpenSSL is very clear to me now.

Again, thank you very much.

Regards,
FSPalero
