OpenSSL vulnerability (CVE-2014-0224)

JetPackDillon
Posts: 2
Joined: 2014/06/05 16:32:36

OpenSSL vulnerability (CVE-2014-0224)

Post by JetPackDillon » 2014/06/05 16:40:53

When can we expect updated packages for OpenSSL (i.e. 0.9.8za, 1.0.0m, 1.0.1h) to be available from yum?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/05 18:34:26

The CentOS 6 packages are already available and should be on the mirrors now. If you do not see them then run yum clean metadata and retry the update. The CentOS 5 packages are taking a bit longer to build and will be available soon (for some definition of soon). As usual the version numbers stay the same and the minor numbers increment so do not look for 1.0.1h or 0.9.8za but for 1.0.1e-16.el6_5.14 and 0.9.8e-18.el6_5.2 on CentOS 6.

If you want to know this stuff in the future, subscribe to the centos-announce mailing list and get the mails delivered straight to your inbox and know about this approximately 2 hours ago... ;-)

Edit: All packages are now built and synced to the CentOS mirror system so it should be a matter of running yum update to get up to date. The fixes are as follows:
For CentOS 6 you should have
openssl-1.0.1e-16.el6_5.14
openssl098e-0.9.8e-18.el6_5.2

For CentOS 5 you should have
openssl-0.9.8e-27.el5_10.3
openssl097a-0.9.7a-12.el5_10.1

If you do not have those versions (or higher) installed or they do not appear on a yum update openssl* then you should try yum clean metadata and repeat the update. If the update is still not available then check that you have any openssl packages installed by using rpm -qa openssl* and see what is listed there. If rpm -qi openssl reports a package installed where the Vendor field in the output is not "CentOS" then you have replaced your CentOS packages with third party ones and you need to either talk to that third party or replace those with the CentOS supplied ones.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

JetPackDillon
Posts: 2
Joined: 2014/06/05 16:32:36

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by JetPackDillon » 2014/06/05 18:38:22

Thank you very much.
TrevorH wrote:
The CentOS 6 packages are already available and should be on the mirrors now. If you do not see them then run yum clean metadata and retry the update. The CentOS 5 packages are taking a bit longer to build and will be available soon (for some definition of soon). As usual the version numbers stay the same and the minor numbers increment so do not look for 1.0.1h or 0.9.8za but for 1.0.1e-16.el6_5.14 and 0.9.8e-18.el6_5.2 on CentOS 6.

If you want to know this stuff in the future, subscribe to the centos-announce mailing list and get the mails delivered straight to your inbox and know about this approximately 2 hours ago... ;-)

flangelier
Posts: 2
Joined: 2014/06/06 13:36:58

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by flangelier » 2014/06/06 13:39:58

I'm using CentOS 5 with 0.9.8.

Is the repo updated yet? If so, how can I check if I have the 'fixed' version?

Thanks!

mirage
Posts: 1
Joined: 2014/06/06 13:40:09

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by mirage » 2014/06/06 13:44:15

The updates are already pushed to their repository.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/06 14:05:21

I have updated the second post of this thread with version numbers and information about how to tell if you have the patches available.

housed
Posts: 2
Joined: 2014/06/06 19:06:12

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by housed » 2014/06/09 11:49:25

The latest release from OpenSSL is 0.9.8za but the latest I can find in CentOS 5 repos is 0.9.8e. Is this the matching RPM or can we expect a new RPM matching the official OpenSSL version number (letters)?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/09 12:31:31

I have updated the second post in this thread with the relevant version numbers...

housed
Posts: 2
Joined: 2014/06/06 19:06:12

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by housed » 2014/06/09 12:36:37

Fantastic, thanks for all the info!

boscard
Posts: 1
Joined: 2014/06/10 07:42:09

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by boscard » 2014/06/10 07:57:54

Hi,
I have a problem with this patch...
I'm using CentOS 6.5 and my first update of openssl was made on 2014.06.06. Yesterday my friend sent me a link to a tool to test the vulnerability: http://www.tripwire.com/state-of-securi ... ctTest.zip
When I tested my service with the mentioned script it turned out that the vulnerability still exists on this particular host. Other hosts running CentOS 6.5 are OK. I have no idea what is wrong with this one host...
Some info from OS:

rpm -qi openssl
Name        : openssl                      Relocations: (not relocatable)
Version     : 1.0.1e                            Vendor: CentOS
Release     : 16.el6_5.14                   Build Date: czw, 5 cze 2014, 14:59:14
Install Date: wto, 10 cze 2014, 09:34:42       Build Host: c6b8.bsys.dev.centos.org
Group       : System Environment/Libraries   Source RPM: openssl-1.0.1e-16.el6_5.14.src.rpm
Size        : 4209656                          License: OpenSSL
Signature   : RSA/SHA1, czw, 5 cze 2014, 15:02:17, Key ID 0946fca2c105b9de
Packager    : CentOS BuildSystem <http://bugs.centos.org>
URL         : http://www.openssl.org/
Summary     : A general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
And proof that this is still vulnerable:

$ python OSSL_CCS_InjectTest.py my.domain
***CVE-2014-0224 Detection Tool***
Brought to you by Tripwire VERT (@TripwireVERT)
[TLSv1.2] boscard.pl:443 allows early CCS
[TLSv1.1] boscard.pl:443 allows early CCS
[TLSv1] boscard.pl:443 allows early CCS
[SSLv3] boscard.pl:443 allows early CCS
***This System Exhibits Potentially Vulnerable Behavior***
Does anybody have any suggestions?
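TrevorH's checklist earlier in the thread (compare the installed build with the fixed version numbers, check that the Vendor field says "CentOS") and boscard's report of a host that still "allows early CCS" after updating come down to the same two questions: is the package on disk at or above the fixed build, and does what the listener actually does agree with that. The Python below is an added example, not code from the thread, from CentOS or from Tripwire. It parses rpm -qi output, compares version and release against the builds TrevorH listed using a simplified re-implementation of rpm's version ordering, reads the "allows early CCS" lines the Tripwire tool prints, and flags the combination boscard saw. The sample inputs are constructed from the thread's two listings (with a placeholder host name); the "restart the service" note it emits is added reasoning about shared-library updates (a running process keeps the old libssl mapped until it is restarted), not something the thread states.

```python
import re

# Fixed builds as listed by TrevorH in this thread: name -> (version, release),
# keyed by the dist tag found in the release string.
FIXED = {
    "el6": {"openssl": ("1.0.1e", "16.el6_5.14"), "openssl098e": ("0.9.8e", "18.el6_5.2")},
    "el5": {"openssl": ("0.9.8e", "27.el5_10.3"), "openssl097a": ("0.9.7a", "12.el5_10.1")},
}

_SEG = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified form of rpm's rpmvercmp (no tilde/caret rules): split both
    strings into digit runs and letter runs; digit runs compare numerically,
    letter runs lexically, and a digit run ranks above a letter run.
    Returns -1, 0 or 1 like the rpm function."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vrcmp(vr_a, vr_b):
    """Compare (version, release) pairs: version first, then release."""
    for x, y in zip(vr_a, vr_b):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0

# One "Key : value" pair; the value stops before the line's second column.
_FIELD = re.compile(r"([A-Z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Z][A-Za-z ]*?\s*:|$)")

def parse_rpm_qi(text):
    """Turn the two-column header of `rpm -qi` into a dict; the free-text
    Description block is skipped."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("Description"):
            break
        for key, val in _FIELD.findall(line):
            fields[key.strip()] = val.strip()
    return fields

def assess_package(rpm_qi_text):
    """Apply TrevorH's two checks: Vendor must be CentOS, and version-release
    must be at or above the fixed build for the package's dist tag."""
    f = parse_rpm_qi(rpm_qi_text)
    name, ver, rel = f["Name"], f["Version"], f["Release"]
    m = re.search(r"\.(el\d)", rel)
    dist = m.group(1) if m else "unknown"
    result = {"package": "%s-%s-%s" % (name, ver, rel), "status": "unknown", "notes": []}
    if f.get("Vendor") != "CentOS":
        result["notes"].append("Vendor is %r, not CentOS: third-party build, the CentOS fix does not apply" % f.get("Vendor"))
    ref = FIXED.get(dist, {}).get(name)
    if ref is None:
        result["notes"].append("no reference build known for %s on %s" % (name, dist))
        return result
    result["status"] = "fixed" if vrcmp((ver, rel), ref) >= 0 else "needs-update"
    return result

_CCS = re.compile(r"^\[(\S+)\]\s+\S+:\d+ allows early CCS", re.M)

def early_ccs_protocols(report):
    """Protocol versions for which the Tripwire tool printed 'allows early CCS'."""
    return [m.group(1) for m in _CCS.finditer(report)]

def diagnose(rpm_qi_text, scan_report):
    """Combine both checks. 'fixed' on disk plus a listener that still accepts
    early CCS points at a process that has not loaded the new library
    (assumed explanation added here, not from the thread)."""
    pkg = assess_package(rpm_qi_text)
    ccs = early_ccs_protocols(scan_report)
    if pkg["status"] == "fixed" and ccs:
        pkg["notes"].append("package on disk is fixed but the listener allows early CCS on %s: restart the service (or reboot) so it loads the updated libssl, then rescan" % ", ".join(ccs))
    return pkg, ccs

# Constructed sample inputs, shaped like the thread's two listings.
SAMPLE_RPM_QI = """\
Name        : openssl                      Relocations: (not relocatable)
Version     : 1.0.1e                            Vendor: CentOS
Release     : 16.el6_5.14                   Build Date: czw, 5 cze 2014, 14:59:14
Description :
The OpenSSL toolkit provides support for secure communications between machines.
"""

SAMPLE_SCAN = """\
***CVE-2014-0224 Detection Tool***
[TLSv1.2] host.example:443 allows early CCS
[TLSv1.1] host.example:443 allows early CCS
[TLSv1] host.example:443 allows early CCS
[SSLv3] host.example:443 allows early CCS
***This System Exhibits Potentially Vulnerable Behavior***
"""

if __name__ == "__main__":
    pkg, ccs = diagnose(SAMPLE_RPM_QI, SAMPLE_SCAN)
    print(pkg["package"], pkg["status"], ccs)
    for note in pkg["notes"]:
        print(" -", note)
```

To use it on a real host, feed `diagnose()` the output of `rpm -qi openssl` and of the Tripwire script; a package that is at the fixed build while the scan still reports early CCS means the comparison of version numbers alone is not enough and the running process has to be checked. The version comparison deliberately follows rpm's rules rather than plain string order, which is why 0.9.8e-27.el5_10.3 is correctly ranked above 0.9.8e-27.el5_10.2 even though "3" sorts before "2" digit-by-digit would not be an issue, and why 16.el6_5.14 ranks above 16.el6_5.2.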
