OpenSSL CVE-2016-2108

Support for security such as Firewalls and securing linux
TrevorH
Forum Moderator
Posts: 32149
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL CVE-2016-2108

Post by TrevorH » 2016/05/12 10:00:44

The release of the patch for CentOS 6 is complicated by two factors: first is the release of 6.8 which means that there are about 400 packages to rebuild and there are many complex interdependencies that need to be resolved to see if the openssl package set can be safely rebuilt for 6.7 rather than waiting for the complete 6.8. There are other packages within 6.8 that are dependent on the newer openssl and those need to be found and rebuilt too.

Second and currently more of a showstopper is that the newly released openssl SRPM has a bug that means that it had to be rebuilt before May 10th! All builds from May 10th onwards are failing due to expired certificates which are included in the SRPM. Since RH didn't release this package until the 11th that means that no-one can rebuild it as-is. https://bugzilla.redhat.com/show_bug.cgi?id=1335097 and https://groups.google.com/forum/#!topic ... 1q9rY6KFtk
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke

toracat
Site Admin
Posts: 7490
Joined: 2006/09/03 16:37:24
Location: California, US

Re: OpenSSL CVE-2016-2108

Post by toracat » 2016/05/12 15:38:14

Also see the following post from Johnny Hughes:

https://lists.centos.org/pipermail/cent ... 59404.html
CentOS Forum FAQ

Sheepykins
Posts: 26
Joined: 2015/06/25 15:41:23

Re: OpenSSL CVE-2016-2108

Post by Sheepykins » 2016/05/13 13:29:29

Bump :)

TrevorH
Forum Moderator
Posts: 32149
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL CVE-2016-2108

Post by TrevorH » 2016/05/13 14:16:23

Unfortunately I'm now fairly sure that the openssl packages will not be made available for 6.7 as there are too many dependencies for that to take place. Most likely now is that they won't be available until the CR repo is set up for 6.7 -> 6.8. Work on that is ongoing and it's hoped that the CR repo might have content in it soon though the definition of "soon" has yet to be finalised!

gdsavage
Posts: 6
Joined: 2016/05/11 15:37:13

Re: OpenSSL CVE-2016-2108

Post by gdsavage » 2016/05/13 19:02:19

toracat wrote: Also see the following post from Johnny Hughes:

https://lists.centos.org/pipermail/cent ... 59404.html
Thanks again Trevor for the updates, and thank you toracat for the mailing list link! It looks like I only receive the CentOS-announce messages, so I'll need to keep a closer eye on that archive in the future :D

centminmod
Posts: 44
Joined: 2014/07/12 14:28:06
Location: Brisbane, Australia

Re: OpenSSL CVE-2016-2108

Post by centminmod » 2016/05/14 04:25:53

TrevorH wrote: Unfortunately I'm now fairly sure that the openssl packages will not be made available for 6.7 as there are too many dependencies for that to take place. Most likely now is that they won't be available until the CR repo is set up for 6.7 -> 6.8. Work on that is ongoing and it's hoped that the CR repo might have content in it soon though the definition of "soon" has yet to be finalised!
Thanks for the update, Trevor. Very unfortunate, though, for fellow CentOS 6.7 users.

centminmod
Posts: 44
Joined: 2014/07/12 14:28:06
Location: Brisbane, Australia

Re: OpenSSL CVE-2016-2108

Post by centminmod » 2016/05/18 21:09:27

CentOS 6.x CR updates are now available!


yum list updates --enablerepo=cr --disableplugin=priorities -q | grep openssl
openssl.x86_64                            1.0.1e-48.el6_8.1                   cr
openssl-devel.x86_64                      1.0.1e-48.el6_8.1                   cr
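
Added example (not code from this thread or from CentOS): a small POSIX sh script that takes the kind of `yum list updates` output shown in the post above, picks out the build offered for the `openssl` package, and checks it against the fixed build named in that listing and against the build currently installed. The sample listing is constructed to match the post; the "installed" version `1.0.1e-42.el6_7.4` in the usage line is a made-up older 6.7 build used only to show the comparison. Version ordering relies on GNU `sort -V`, which is an approximation of rpm's own version comparison.

```shell
#!/bin/sh
# Added example, not code from the thread: decide from `yum list updates` output
# whether the fixed openssl build is on offer and whether an installed build is
# older than it. SAMPLE_YUM_OUTPUT is constructed to match the listing in the post.

# Constructed sample of `yum list updates --enablerepo=cr -q | grep openssl`
SAMPLE_YUM_OUTPUT='openssl.x86_64                            1.0.1e-48.el6_8.1                   cr
openssl-devel.x86_64                      1.0.1e-48.el6_8.1                   cr'

# Fixed build named in the thread's listing.
FIXED_OPENSSL_VR='1.0.1e-48.el6_8.1'

# offered_version PKG: read yum list output on stdin and print the version-release
# offered for PKG (exact package name, so "openssl" does not match "openssl-devel").
offered_version() {
    awk -v pkg="$1" '$1 ~ ("^" pkg "\\.") { print $2; exit }'
}

# version_ge A B: succeed if version-release string A sorts at or above B.
# sort -V (GNU coreutils) approximates rpm's version ordering well enough for
# the el6 strings used here; it is not a full rpmvercmp replacement.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# needs_update INSTALLED OFFERED: succeed if OFFERED is strictly newer than INSTALLED.
needs_update() {
    [ "$1" != "$2" ] && version_ge "$2" "$1"
}

# check_openssl INSTALLED: read yum output on stdin and report whether the offered
# openssl build is at least the fixed one and whether INSTALLED should be upgraded.
# Prints one of: fixed-build-offered-upgrade, fixed-build-offered-current,
# older-build-offered, not-offered. Exit status is 0 only when a fixed build is offered.
check_openssl() {
    installed="$1"
    offered=$(offered_version openssl)
    if [ -z "$offered" ]; then
        echo not-offered
        return 1
    fi
    if ! version_ge "$offered" "$FIXED_OPENSSL_VR"; then
        echo older-build-offered
        return 1
    fi
    if needs_update "$installed" "$offered"; then
        echo fixed-build-offered-upgrade
    else
        echo fixed-build-offered-current
    fi
    return 0
}

# Usage with the constructed sample. On a real host the stdin would come from
# `yum list updates --enablerepo=cr -q` and the installed version from
# `rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl`; the value below is a made-up
# older 6.7 build, used only to exercise the comparison.
printf '%s\n' "$SAMPLE_YUM_OUTPUT" | check_openssl '1.0.1e-42.el6_7.4'
```

Matching on the exact package name matters because a bare `grep openssl`, as in the post, also returns `openssl-devel` and any other package with that prefix; the awk pattern anchors on `openssl.` so only the library package decides the result. After the upgrade, processes that loaded the old `libssl`/`libcrypto` keep the old code until they are restarted, so a version check of the package alone does not tell you the web server is running the fixed build.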

Sheepykins
Posts: 26
Joined: 2015/06/25 15:41:23

Re: OpenSSL CVE-2016-2108

Post by Sheepykins » 2016/05/19 10:02:15

It's my understanding that CR is continual release but also on a testing basis until formal release.

Any downsides to installing this on 6.7?

centminmod
Posts: 44
Joined: 2014/07/12 14:28:06
Location: Brisbane, Australia

Re: OpenSSL CVE-2016-2108

Post by centminmod » 2016/05/19 15:03:35

Sheepykins wrote: It's my understanding that CR is continual release but also on a testing basis until formal release.

Any downsides to installing this on 6.7?
As opposed to leaving a web server which is tied to the system openssl vulnerable?

So far okay for me on CentOS 6.7.

ohbob
Posts: 1
Joined: 2016/05/19 17:25:00

Re: OpenSSL CVE-2016-2108

Post by ohbob » 2016/05/19 17:27:12

centminmod wrote:
Sheepykins wrote: It's my understanding that CR is continual release but also on a testing basis until formal release.

Any downsides to installing this on 6.7?
As opposed to leaving a web server which is tied to the system openssl vulnerable?

So far okay for me on CentOS 6.7.
Do you use any Control Panel like Plesk or cPanel? Did it have any issues with the CR SSL update?
