OpenSSL CVE-2016-2108

[TrevorH]

The release of the patch for CetnOS 6 is complicated by two factors: first is the release of 6.8 which means that there are about 400 packages to rebuild and there are many complex interdependencies that need to be resolved to see if the openssl package set can be safely rebuilt for 6.7 rather than waiting for the complete 6.8. There are other packages within 6.8 that are dependent on the newer openssl and those need to be found and rebuilt too.

Second and currently more of a showstopper is that the newly released openssl SRPM has a bug that means that it had to be rebuilt before May 10th! All builds from May 10th onwards are failing due to expired certificates which are included in the SRPM. Since RH didn't release this package until the 11th that means that no-one can rebuild it as-is. https://bugzilla.redhat.com/show_bug.cgi?id=1335097 and https://groups.google.com/forum/#!topic ... 1q9rY6KFtk

[toracat]

Also see the following post from Johnny Hughes:

https://lists.centos.org/pipermail/cent ... 59404.html

[Sheepykins]

Bump

[TrevorH]

Unfortunately I'm now fairly sure that the openssl packages will not be made available for 6.7 as there are too many dependencies for that to take place. Most likely now is that they won't be available until the CR repo is set up for 6.7 -> 6.8. Work on that is ongoing and it's hoped that the CR repo might have content in it soon though the definition of "soon" has yet to be finalised!

[gdsavage]

Also see the following post from Johnny Hughes:

https://lists.centos.org/pipermail/cent ... 59404.html

Thanks again Trevor for the updates, and thank you toracat for the mailing list link! It looks like I only receive the CentOS-announce messages, so I'll need to keep a closer eye on that archive in the future

[centminmod]

Unfortunately I'm now fairly sure that the openssl packages will not be made available for 6.7 as there are too many dependencies for that to take place. Most likely now is that they won't be available until the CR repo is set up for 6.7 -> 6.8. Work on that is ongoing and it's hoped that the CR repo might have content in it soon though the definition of "soon" has yet to be finalised!

thanks for update Trevor very unfortunate though for fellow CentOS 6.7 users

[centminmod]

CentOS 6.x CR updates are now available !

Code: Select all

yum list updates --enablerepo=cr --disableplugin=priorities -q | grep openssl
openssl.x86_64                            1.0.1e-48.el6_8.1                   cr
openssl-devel.x86_64                      1.0.1e-48.el6_8.1                   cr

[Sheepykins]

its my understanding that CR is continual release but also on a testing basis until formal release.

Any downsides to installing this on 6.7?

[centminmod]

its my understanding that CR is continual release but also on a testing basis until formal release.

Any downsides to installing this on 6.7?

as opposed to leaving a webserver which tied to system openssl vulnerable ?

so far okay for me on centos 6.7

[ohbob]

its my understanding that CR is continual release but also on a testing basis until formal release.

Any downsides to installing this on 6.7?

as opposed to leaving a webserver which tied to system openssl vulnerable ?

so far okay for me on centos 6.7

Do you use any Control Panel like Plesk or cPanel? Did it have any issues with the CR SSL update?