OpenSSL vulnerability (CVE-2014-0224)
OpenSSL vulnerability (CVE-2014-0224)
When can we expect updated packages for OpenSSL (i.e. 0.9.8za, 1.0.0m, 1.0.1h) to be available from yum?
Re: OpenSSL vulnerability (CVE-2014-0224)
The CentOS 6 packages are already available and should be on the mirrors now. If you do not see them then run yum clean metadata and retry the update. The CentOS 5 packages are taking a bit longer to build and will be available soon (for some definition of soon). As usual the version numbers stay the same and the minor numbers increment so do not look for 1.0.1h or 0.9.8za but for 1.0.1e-16.el6_5.14 and 0.9.8e-18.el6_5.2 on CentOS 6.
If you want to know this stuff in the future, subscribe to the centos-announce mailing list and get the mails delivered straight to your inbox and know about this approximately 2 hours ago...
Edit: All packages are now built and synced to the CentOS mirror system so it should be a matter of running yum update to get up to date. The fixes are as follows:
For CentOS 6 you should have
openssl-1.0.1e-16.el6_5.14
openssl098e-0.9.8e-18.el6_5.2
For CentOS 5 you should have
openssl-0.9.8e-27.el5_10.3
openssl097a-0.9.7a-12.el5_10.1
If you do not have those versions (or higher) installed or they do not appear on a yum update openssl* then you should try yum clean metadata and repeat the update. If the update is still not available then check that you have any openssl packages installed by using rpm -qa openssl* and see what is listed there. If rpm -qi openssl reports a package installed where the Vendor field in the output is not "CentOS" then you have replaced your CentOS packages with third party ones and you need to either talk to that third party or replace those with the CentOS supplied ones.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
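The post above makes the point that CentOS backports fixes, so the upstream letter releases (1.0.1h, 0.9.8za) never show up and only the RPM release number moves. The following script is an added example, not code from the thread or from the CentOS project: it compares an installed version-release string against the fixed builds listed above using rpmvercmp-style segment rules (digit runs compare numerically, letter runs lexically, digits outrank letters, a longer segment list wins) and applies the Vendor check from the same post. The input lines are constructed samples in the shape that rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE} %{VENDOR}\n' 'openssl*' would print; the function names and the "Example Corp" vendor are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check whether installed CentOS openssl
# packages are at or above the fixed builds listed for CVE-2014-0224.

# fixed_vr NAME DIST: print the fixed version-release from the thread, or fail.
fixed_vr() {
  case "$1:$2" in
    openssl:el6)     echo "1.0.1e-16.el6_5.14" ;;
    openssl098e:el6) echo "0.9.8e-18.el6_5.2" ;;
    openssl:el5)     echo "0.9.8e-27.el5_10.3" ;;
    openssl097a:el5) echo "0.9.7a-12.el5_10.1" ;;
    *) return 1 ;;
  esac
}

# tokens STRING: split "1.0.1e-16.el6_5.14" into "1 0 1 e 16 el 6 5 14".
tokens() {
  printf '%s\n' "$1" | sed 's/[^A-Za-z0-9]/ /g; s/\([0-9]\)\([A-Za-z]\)/\1 \2/g; s/\([A-Za-z]\)\([0-9]\)/\1 \2/g'
}

# segcmp A B: one segment each; returns 0 if equal, 1 if A newer, 2 if A older.
segcmp() {
  [ "$1" = "$2" ] && return 0
  case "$1$2" in
    *[!0-9]*) ;;   # at least one alphabetic segment, handled below
    *) a=$(printf '%s' "$1" | sed 's/^0*//'); b=$(printf '%s' "$2" | sed 's/^0*//')
       [ "${a:-0}" -gt "${b:-0}" ] && return 1; return 2 ;;   # both numeric
  esac
  case "$1" in *[!0-9]*) ;; *) return 1 ;; esac   # numeric A outranks alphabetic B
  case "$2" in *[!0-9]*) ;; *) return 2 ;; esac   # alphabetic A loses to numeric B
  first=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)   # both alphabetic
  [ "$first" = "$2" ] && return 1; return 2
}

# vrcmp A B: compare two version-release strings segment by segment;
# returns 0 if equal, 1 if A newer, 2 if A older.
vrcmp() {
  ta=$(tokens "$1"); tb=$(tokens "$2"); i=1
  while :; do
    a=$(printf '%s\n' "$ta" | awk -v n="$i" '{ print $n }')
    b=$(printf '%s\n' "$tb" | awk -v n="$i" '{ print $n }')
    [ -z "$a" ] && [ -z "$b" ] && return 0   # identical
    [ -z "$a" ] && return 2                  # B has more segments, so B is newer
    [ -z "$b" ] && return 1
    segcmp "$a" "$b" && r=0 || r=$?
    [ "$r" -ne 0 ] && return "$r"
    i=$((i + 1))
  done
}

# verdict NAME VERSION-RELEASE VENDOR: prints fixed, vulnerable, third-party or unknown.
verdict() {
  # A Vendor other than CentOS means the CentOS package was replaced (see the post above).
  [ "$3" = "CentOS" ] || { echo third-party; return 0; }
  case "$2" in *el5*) d=el5 ;; *el6*) d=el6 ;; *) echo unknown; return 0 ;; esac
  want=$(fixed_vr "$1" "$d") || { echo unknown; return 0; }
  vrcmp "$2" "$want" && r=0 || r=$?
  case "$r" in 0|1) echo fixed ;; *) echo vulnerable ;; esac
}

# audit: read "NAME VERSION-RELEASE VENDOR" lines on stdin, one verdict per package.
audit() {
  while read -r name vr vendor; do
    [ -n "$name" ] && printf '%-12s %-22s %s\n' "$name" "$vr" "$(verdict "$name" "$vr" "$vendor")"
  done
}

# Constructed sample input (hypothetical hosts), not real rpm output.
SAMPLE='openssl 1.0.1e-16.el6_5.14 CentOS
openssl098e 0.9.8e-17.el6_2.2 CentOS
openssl 0.9.8e-27.el5_10.3 CentOS
openssl 1.0.1e-16.el6_5.14 Example Corp'

printf '%s\n' "$SAMPLE" | audit
```

On a real host, pipe the rpm query named in the lead-in into audit instead of the constructed sample. The comparison deliberately follows RPM's segment rules rather than plain string order, because "el6_5.2" sorted as text would wrongly appear newer than "el6_5.14".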
Re: OpenSSL vulnerability (CVE-2014-0224)
Thank you very much.
TrevorH wrote: The CentOS 6 packages are already available and should be on the mirrors now. If you do not see them then run yum clean metadata and retry the update. The CentOS 5 packages are taking a bit longer to build and will be available soon (for some definition of soon). As usual the version numbers stay the same and the minor numbers increment so do not look for 1.0.1h or 0.9.8za but for 1.0.1e-16.el6_5.14 and 0.9.8e-18.el6_5.2 on CentOS 6.
If you want to know this stuff in the future, subscribe to the centos-announce mailing list and get the mails delivered straight to your inbox and know about this approximately 2 hours ago... ;-)
Re: OpenSSL vulnerability (CVE-2014-0224)
I'm using CentOS 5 with 0.9.8.
Is the repo updated yet? If so, how can I check if I have the 'fixed' version?
Thanks!
Re: OpenSSL vulnerability (CVE-2014-0224)
The updates are already pushed to their repository.
Re: OpenSSL vulnerability (CVE-2014-0224)
I have updated the second post of this thread with version numbers and information about how to tell if you have the patches available.
Re: OpenSSL vulnerability (CVE-2014-0224)
The latest release from OpenSSL is 0.9.8za but the latest I can find in the CentOS 5 repos is 0.9.8e. Is this the matching RPM, or can we expect a new RPM matching the official OpenSSL version number (letters)?
Re: OpenSSL vulnerability (CVE-2014-0224)
I have updated the second post in this thread with the relevant version numbers...
Re: OpenSSL vulnerability (CVE-2014-0224)
Fantastic, thanks for all the info!
Re: OpenSSL vulnerability (CVE-2014-0224)
Hi,
I have a problem with this patch...
I'm using CentOS 6.5 and my first update of openssl was made 2014.06.06. Yesterday my friend sent me a link to a tool to test the vulnerability: http://www.tripwire.com/state-of-securi ... ctTest.zip
When I tested my service with the mentioned script it turned out that the vulnerability still exists on this particular host. Other hosts running CentOS 6.5 are OK. I have no idea what is wrong with this one host...
Some info from OS:
rpm -qi openssl
Name : openssl Relocations: (not relocatable)
Version : 1.0.1e Vendor: CentOS
Release : 16.el6_5.14 Build Date: czw, 5 cze 2014, 14:59:14
Install Date: wto, 10 cze 2014, 09:34:42 Build Host: c6b8.bsys.dev.centos.org
Group : System Environment/Libraries Source RPM: openssl-1.0.1e-16.el6_5.14.src.rpm
Size : 4209656 License: OpenSSL
Signature : RSA/SHA1, czw, 5 cze 2014, 15:02:17, Key ID 0946fca2c105b9de
Packager : CentOS BuildSystem <http://bugs.centos.org>
URL : http://www.openssl.org/
Summary : A general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
And proof that this is still vulnerable:
$ python OSSL_CCS_InjectTest.py my.domain
***CVE-2014-0224 Detection Tool***
Brought to you by Tripwire VERT (@TripwireVERT)
[TLSv1.2] boscard.pl:443 allows early CCS
[TLSv1.1] boscard.pl:443 allows early CCS
[TLSv1] boscard.pl:443 allows early CCS
[SSLv3] boscard.pl:443 allows early CCS
***This System Exhibits Potentially Vulnerable Behavior***
Does anybody have any suggestions?