OpenSSL CVE-2016-2108
Re: OpenSSL CVE-2016-2108
The release of the patch for CentOS 6 is complicated by two factors: first is the release of 6.8 which means that there are about 400 packages to rebuild and there are many complex interdependencies that need to be resolved to see if the openssl package set can be safely rebuilt for 6.7 rather than waiting for the complete 6.8. There are other packages within 6.8 that are dependent on the newer openssl and those need to be found and rebuilt too.
Second and currently more of a showstopper is that the newly released openssl SRPM has a bug that means that it had to be rebuilt before May 10th! All builds from May 10th onwards are failing due to expired certificates which are included in the SRPM. Since RH didn't release this package until the 11th that means that no-one can rebuild it as-is. https://bugzilla.redhat.com/show_bug.cgi?id=1335097 and https://groups.google.com/forum/#!topic ... 1q9rY6KFtk
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke
Re: OpenSSL CVE-2016-2108
Also see the following post from Johnny Hughes:
https://lists.centos.org/pipermail/cent ... 59404.html
CentOS Forum FAQ
Re: OpenSSL CVE-2016-2108
Unfortunately I'm now fairly sure that the openssl packages will not be made available for 6.7 as there are too many dependencies for that to take place. Most likely now is that they won't be available until the CR repo is set up for 6.7 -> 6.8. Work on that is ongoing and it's hoped that the CR repo might have content in it soon though the definition of "soon" has yet to be finalised!
Re: OpenSSL CVE-2016-2108
Thanks again Trevor for the updates, and thank you toracat for the mailing list link! It looks like I only receive the CentOS-announce messages, so I'll need to keep a closer eye on that archive in the future.
toracat wrote: Also see the following post from Johnny Hughes:
https://lists.centos.org/pipermail/cent ... 59404.html

- centminmod
- Posts: 44
- Joined: 2014/07/12 14:28:06
- Location: Brisbane, Australia
- Contact:
Re: OpenSSL CVE-2016-2108
Thanks for the update, Trevor. Very unfortunate though for fellow CentOS 6.7 users.
TrevorH wrote: Unfortunately I'm now fairly sure that the openssl packages will not be made available for 6.7 as there are too many dependencies for that to take place. Most likely now is that they won't be available until the CR repo is set up for 6.7 -> 6.8. Work on that is ongoing and it's hoped that the CR repo might have content in it soon though the definition of "soon" has yet to be finalised!
- centminmod
Re: OpenSSL CVE-2016-2108
CentOS 6.x CR updates are now available!
Code:
yum list updates --enablerepo=cr --disableplugin=priorities -q | grep openssl
openssl.x86_64 1.0.1e-48.el6_8.1 cr
openssl-devel.x86_64 1.0.1e-48.el6_8.1 cr
-
- Posts: 26
- Joined: 2015/06/25 15:41:23
Re: OpenSSL CVE-2016-2108
It's my understanding that CR is continual release but also on a testing basis until formal release.
Any downsides to installing this on 6.7?
- centminmod
Re: OpenSSL CVE-2016-2108
As opposed to leaving a webserver which is tied to system openssl vulnerable?
Sheepykins wrote: It's my understanding that CR is continual release but also on a testing basis until formal release.
Any downsides to installing this on 6.7?
So far okay for me on CentOS 6.7.
Re: OpenSSL CVE-2016-2108
Do you use any Control Panel like Plesk or cPanel? Did it have any issues with the CR SSL update?
centminmod wrote: As opposed to leaving a webserver which is tied to system openssl vulnerable?
Sheepykins wrote: It's my understanding that CR is continual release but also on a testing basis until formal release.
Any downsides to installing this on 6.7?
So far okay for me on CentOS 6.7.