OpenSSL CVE-2016-2108

Support for security such as firewalls and securing Linux
jpritchard
Posts: 3
Joined: 2016/05/04 11:16:52

OpenSSL CVE-2016-2108

Post by jpritchard » 2016/05/04 11:30:04

With regard to the latest OpenSSL vulnerabilities announcement:
CVE-2016-2108
CVE-2016-2107

When can we expect this to be reflected as part of the CentOS yum updates?
https://bugzilla.redhat.com/show_bug.cgi?id=1331426#c9

OpenSSL
https://www.openssl.org/news/vulnerabilities.html

Kind Regards
John Pritchard

TrevorH
Forum Moderator
Posts: 29438
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL CVE-2016-2108

Post by TrevorH » 2016/05/04 12:06:30

Redhat have not yet released patches for RHEL and there is no communication between RH and CentOS so we have no idea when they will do so. When they do then the packages will be rebuilt and tested and released for CentOS too. Unfortunately it's not something we have control over. However, even paying RHEL customers don't yet have a fix for it. The best you can do is monitor the various bugzilla entries for CVE-2016-2105 through 2109 to see if they contain any hints as to the current progress.

https://access.redhat.com/security/cve/CVE-2016-2108
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

jpritchard
Posts: 3
Joined: 2016/05/04 11:16:52

Re: OpenSSL CVE-2016-2108

Post by jpritchard » 2016/05/05 11:53:07

I am getting a little concerned (as is my client) with the time passing before this "Severity: High" bug is fixed, especially as a patch from OpenSSL has already been released.

"openssl-1.0.2h-1.fc23 has been pushed to the Fedora 23 stable repository"
As securing our servers is my highest priority: if I manually install openssl-1.0.2h, or even try installing using the Fedora RPM from above, how hard is it to roll it back to the CentOS upgrade stream later?

I am aware CentOS is free and likes to strictly stick to the upstream upgrade path; however, I am concerned whether this policy brings into question whether CentOS is still a viable option for use as a secure production server.

Anyone else share my views, or manage to install/use openssl-1.0.2h on CentOS 7?

Thx
J.

TrevorH
Forum Moderator
Posts: 29438
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL CVE-2016-2108

Post by TrevorH » 2016/05/05 11:59:04

Do not use packages designed for Fedora on your CentOS system - they will break it, possibly beyond repair. I do not have an answer for you as CentOS is dependent on Redhat releasing packages for RHEL and since there are none - not even for paid RH subscribers - we cannot go further.

TrevorH
Forum Moderator
Posts: 29438
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL CVE-2016-2108

Post by TrevorH » 2016/05/10 13:10:36

Updated openssl-1.0.1e-51.el7_2.5 packages for CentOS 7 were published and should now be available via the mirror network.

jpritchard
Posts: 3
Joined: 2016/05/04 11:16:52

Re: OpenSSL CVE-2016-2108

Post by jpritchard » 2016/05/11 12:07:19

Thanks Trevor
(you do a marvelous job).

To check which version of the openssl package is installed:
# package='openssl'
# rpm -q "${package}"
# yum info "${package}"

To check that the patches for CVE-2016-2107 and CVE-2016-2108 have been applied:
# rpm -q --changelog "${package}" | grep -E 'CVE-2016-210[5-9]'
# rpm -q --changelog "${package}" | less

---- ---- ---- ----
For those interested in the Redhat timeline
CVE-2016-2107, CVE-2016-2108

- 28th April 2016 - Reported to/by Redhat
- 3rd May 2016 - Announced on authors website with possible patch/solution
- 10th May 2016 - openssl-1.0.1k-15.fc22 has been pushed to the Fedora 22 stable
- 11th May 2016 - openssl-1.0.1e-51.el7_2.5 packages for CentOS 7 published

a possible 12-13 day lead time
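Trevor's post names the fixed CentOS 7 build (openssl-1.0.1e-51.el7_2.5) and John's post gives the rpm commands to check a host by hand. The script below is an added example, not code from either poster or from the CentOS project: it decides whether an installed build is at or past the fixed one, comparing version-release strings with rpm's rpmvercmp rules reimplemented in awk so that it runs without rpm (on a host with rpmdevtools, rpmdev-vercmp does the same comparison), and checks that the package changelog names the CVEs. The function names, the sample NVR and the sample changelog are assumptions constructed for the example; the epoch is assumed equal on both sides, and the '~' pre-release marker is not handled.

```shell
#!/bin/sh
# Added example (not from the thread): is this host's openssl at or past the
# fixed build, and does its changelog mention the CVEs?  Constructed sample
# data below stands in for:   rpm -q openssl   and   rpm -q --changelog openssl

FIXED_VR='1.0.1e-51.el7_2.5'   # fixed CentOS 7 build named in the thread

# rpm_vercmp A B: prints -1, 0 or 1 following rpm's rpmvercmp rules: split each
# string into runs of digits / letters; numeric runs compare numerically
# (leading zeros dropped); a numeric run beats an alphabetic one; if one side
# runs out of segments first, the longer one wins.  '~' is not handled here.
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, out,    i, c, k, kind, cur, n) {
        n = 0; cur = ""; kind = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c ~ /[0-9]/) k = "d"; else if (c ~ /[A-Za-z]/) k = "a"; else k = ""
            if (k != kind) { if (cur != "") out[++n] = cur; cur = ""; kind = k }
            if (k != "") cur = cur c
        }
        if (cur != "") out[++n] = cur
        return n
    }
    function vercmp(a, b,    sa, sb, n, m, i, x, y, xd, yd) {
        n = segs(a, sa); m = segs(b, sb)
        for (i = 1; i <= n && i <= m; i++) {
            x = sa[i]; y = sb[i]
            xd = (x ~ /^[0-9]+$/); yd = (y ~ /^[0-9]+$/)
            if (xd != yd) return xd ? 1 : -1          # digits beat letters
            if (xd) {
                sub(/^0+/, "", x); sub(/^0+/, "", y)
                if (length(x) != length(y)) return (length(x) > length(y)) ? 1 : -1
            }
            if (x != y) return (x < y) ? -1 : 1        # same length: lexical
        }
        if (n == m) return 0
        return (n > m) ? 1 : -1
    }
    BEGIN { print vercmp(a, b) }'
}

# vr_of NAME NVR: strip the package name from "rpm -q" output
# ("openssl-1.0.1e-51.el7_2.5" -> "1.0.1e-51.el7_2.5").  rpm -q prints no
# epoch in this format; the example assumes both sides share one.
vr_of() { pat="$1-"; printf '%s\n' "${2#$pat}"; }

# is_fixed NAME NVR FIXED_VR: exit status 0 when NVR is at or above FIXED_VR.
is_fixed() {
    vr=$(vr_of "$1" "$2")
    [ "$(rpm_vercmp "$vr" "$3")" -ge 0 ]
}

# cves_fixed_in CHANGELOG CVE...: report each CVE id; exit 0 only if all present.
cves_fixed_in() {
    log="$1"; shift; missing=0
    for cve in "$@"; do
        if printf '%s\n' "$log" | grep -q -- "$cve"; then
            printf 'found   %s\n' "$cve"
        else
            printf 'MISSING %s\n' "$cve"; missing=1
        fi
    done
    return $missing
}

# --- constructed sample data standing in for a CentOS 7 host ---------------
SAMPLE_NVR='openssl-1.0.1e-51.el7_2.5'
SAMPLE_CHANGELOG='* Tue May 10 2016 (constructed sample entry) 1.0.1e-51.el7_2.5
- fix CVE-2016-2107
- fix CVE-2016-2108
* (constructed sample entry) 1.0.1e-51.el7_2.4
- earlier fixes'

if is_fixed openssl "$SAMPLE_NVR" "$FIXED_VR"; then
    echo "$SAMPLE_NVR is at or above $FIXED_VR"
else
    echo "$SAMPLE_NVR is OLDER than $FIXED_VR - update"
fi
cves_fixed_in "$SAMPLE_CHANGELOG" CVE-2016-2107 CVE-2016-2108
```

On a real host, replace the two SAMPLE_ values with `$(rpm -q openssl)` and `$(rpm -q --changelog openssl)`. The version check matters more than the changelog grep: a changelog line names a CVE, but only the installed build number tells you the fixed package is what the running service loaded (and a restart is still needed for processes that linked libssl before the update).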

gdsavage
Posts: 6
Joined: 2016/05/11 15:37:13

Re: OpenSSL CVE-2016-2108

Post by gdsavage » 2016/05/11 15:43:03

Thanks for keeping us updated Trevor! Do you have any information about when this update will be available for CentOS 6?

travelerjjm
Posts: 1
Joined: 2016/05/11 16:13:21

Re: OpenSSL CVE-2016-2108

Post by travelerjjm » 2016/05/11 16:17:46

A similar query regarding CentOS 6 was redirected here. Will there be a CentOS 6 version of the updated package soon?
TIA

x042
Posts: 1
Joined: 2016/05/11 17:28:52

Re: OpenSSL CVE-2016-2108

Post by x042 » 2016/05/11 17:30:22

I see that RH pushed out the update for EL6 yesterday morning, and as yet do not see it in the CentOS 6 Updates repository. Any ETA for openssl-1.0.1e-48.el6_8.1?

twalther
Posts: 1
Joined: 2016/05/11 18:25:31

Re: OpenSSL CVE-2016-2108

Post by twalther » 2016/05/11 18:33:04

Hello,

When can we expect an update for CentOS 6?
Red Hat has already released a fix for RHEL 6 (yesterday -> https://rhn.redhat.com/errata/RHSA-2016-0996.html)

Torsten


Return to “CentOS 7 - Security Support”