CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

aavijay
Posts: 1
Joined: 2016/03/18 08:22:01

CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Post by aavijay » 2016/03/18 08:24:58

Needed some clarity on the fixes for the above CVEs.

Redhat portal states that openssl-1.0.1e-42.el6_7.4.x86_64.rpm is the fixed version for CVE-2016-0705. Centos repo has been updated as well. However there is no clarity over CVE-2016-0799 and CVE-2016-2842. Does openssl-1.0.1e-42.el6_7.4.x86_64.rpm also fix CVE-2016-0799 and CVE-2016-2842 ?

Thanks

Vijay

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842

Post by TrevorH » 2016/03/18 09:29:31

The only information that there is is contained in the following links:

https://access.redhat.com/security/cve/CVE-2016-0799
https://bugzilla.redhat.com/show_bug.cgi?id=1312219
https://bugzilla.redhat.com/show_bug.cg ... -2016-2842

If it's fixed in RHEL and they have released it then it should also be fixed in CentOS.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

RobotPat
Posts: 2
Joined: 2016/05/06 15:19:06

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Post by RobotPat » 2016/05/06 15:24:31

I'd also like to get confirmation on CVE-2016-0799. I need more evidence than "it should be in there".
When I look in the rpm changelogs, I want to see this CVE in there. Until then, I have to conclude this
CVE-2016-0799 is not in openssl-1.0.1e-42.el6_7.4.x86_64.rpm. Here is the top of the changelog:

$ rpm -qp openssl-1.0.1e-42.el6_7.4.x86_64.rpm --changelog | head
...
* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn

* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method
...

Thanks!
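A scripted form of the check RobotPat does by hand above, added here as an example and not code posted in this thread: it parses the output of `rpm -q --changelog <pkg>` (or `rpm -qp --changelog <file>.rpm`), maps every CVE id it finds to the release header it appears under, and reports which of the CVEs you care about are missing. The sample changelog text is constructed from the lines quoted in the post; the function names and the `rpm_changelog` wrapper are mine, not part of any CentOS or Red Hat tooling.

```python
"""Check an RPM changelog for CVE identifiers (added example)."""
import re
import subprocess
from typing import Dict, Iterable, Optional

# A changelog entry header looks like:
#   * Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.4
# Some packagers omit the trailing version-release, so it is optional.
HEADER_RE = re.compile(r"^\*\s+\w{3}\s+\w{3}\s+\d{1,2}\s+\d{4}\s+(?P<rest>.*)$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed sample, abbreviated from the changelog quoted in the thread.
SAMPLE_CHANGELOG = """\
* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn

* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method
"""


def parse_changelog(text: str) -> Dict[str, str]:
    """Map each CVE id in the changelog to the release it was first noted in.

    Changelogs are newest-first, so the first header that mentions a CVE is
    the release that introduced the fix; later mentions are ignored.
    """
    found: Dict[str, str] = {}
    release = "unknown"
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            tokens = m.group("rest").split()
            # Last token is the version-release unless the header ends with the e-mail.
            release = tokens[-1] if tokens and not tokens[-1].endswith(">") else "unversioned"
            continue
        for cve in CVE_RE.findall(line):
            found.setdefault(cve.upper(), release)
    return found


def check_cves(text: str, wanted: Iterable[str]) -> Dict[str, Optional[str]]:
    """Return {cve: release-or-None} for each requested CVE id."""
    fixed = parse_changelog(text)
    return {cve.upper(): fixed.get(cve.upper()) for cve in wanted}


def missing_cves(text: str, wanted: Iterable[str]) -> list:
    """CVE ids that do not appear anywhere in the changelog."""
    return sorted(cve for cve, rel in check_cves(text, wanted).items() if rel is None)


def rpm_changelog(package: str, is_file: bool = False) -> str:
    """Fetch a changelog from the local rpm database (or from an .rpm file)."""
    args = ["rpm", "-qp" if is_file else "-q", "--changelog", package]
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    wanted = ["CVE-2016-0705", "CVE-2016-0799", "CVE-2016-2842"]
    for cve, rel in check_cves(SAMPLE_CHANGELOG, wanted).items():
        print(f"{cve}: {'fixed in ' + rel if rel else 'NOT mentioned'}")
```

Run it against a real package with `check_cves(rpm_changelog("openssl"), [...])`; on the sample above it reports CVE-2016-0705 as fixed in 1.0.1e-42.4 and CVE-2016-0799 and CVE-2016-2842 as not mentioned, which is exactly the evidence gap the post describes. Absence from the changelog is not proof the bug is unfixed (a packager can fix something without naming the CVE), but presence is the positive confirmation worth asking for.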

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Post by TrevorH » 2016/05/06 15:30:59

Unfortunately you will need to ask Redhat about that since they are the ones that make the source packages available and only they know the status of the CVEs in question. CentOS just rebuild what comes out of Redhat - there is no independent coding nor inspection nor validation of what Redhat provide for RHEL users. The links I previously posted are all the information that any of us have to go on.

RobotPat
Posts: 2
Joined: 2016/05/06 15:19:06

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Post by RobotPat » 2016/05/06 16:26:42

Ok, thanks!

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Post by TrevorH » 2016/05/10 13:13:20

Redhat have just published a security errata https://rhn.redhat.com/errata/RHSA-2016-0996.html that says that it fixes these and the latest openssl vulnerabilities as well. Unfortunately they have yet to publish the actual SRPM files to allow the fixed versions to be rebuilt, but hopefully they'll do that soon. Since RHEL 6.8 was just released upstream and this fixed package is part of that, it may take a little longer than normal to get the fixed versions out, though I believe they will be made available for 6.7 and we won't have to wait for 6.8 itself.

jamesh
Posts: 1
Joined: 2016/05/11 22:07:00

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Post by jamesh » 2016/05/11 22:16:44

US has uploaded their SRPM to http://ftp.redhat.com/redhat/linux/ente ... .1.src.rpm

I've rebuilt it and installed the resulting rpms on my Centos 6.7 systems, they seem to work as expected. The source contains a test cert that expired on 5/10, so the rebuild failed during tests... What I ended up doing is:

date -s 'last week'
rpmbuild --rebuild openssl-1.0.1e-48.el6_8.1.src.rpm
date -s 'next week'

I have no idea what the holdup is for Centos binary rpms.

centminmod
Posts: 44
Joined: 2014/07/12 14:28:06
Location: Brisbane, Australia

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Post by centminmod » 2016/05/14 18:49:35

jamesh wrote:
US has uploaded their SRPM to http://ftp.redhat.com/redhat/linux/ente ... .1.src.rpm

I've rebuilt it and installed the resulting rpms on my Centos 6.7 systems, they seem to work as expected. The source contains a test cert that expired on 5/10, so the rebuild failed during tests... What I ended up doing is:

date -s 'last week'
rpmbuild --rebuild openssl-1.0.1e-48.el6_8.1.src.rpm
date -s 'next week'

I have no idea what the holdup is for Centos binary rpms.

thanks @jamesh for the tip/workaround - works fine here too :)

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: CVE-2016-0705 CVE-2016-0799 and CVE-2016-2842 (openssl)

Post by avij » 2016/05/17 06:34:50

The fixed openssl package for CentOS 6 is now available via the Continuous Release repository. That repository has all the updates scheduled for 6.8, apart from a few packages (such as anaconda and centos-release) that will still need to be modified prior to final 6.8 release.

As for the holdup, RH released the updated openssl as part of RHEL 6.8. Johnny Hughes describes the CentOS process.
