It's time to update your OpenSSL libraries AGAIN

So... as the title says.
More info here - http://www.openssl.org/news/secadv_20140605.txt


Comments

  • seems like updates did not hit centos repo yet. time to do mannual installation

  • gbshouse Member, Host Rep

    Good that we use PolarSSL instead ....

  • AnthonySmith Member, Patron Provider

    Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1

    The last update on CentOS brought it up to 1.0.1e-fips; wonder if that is also vulnerable.

  • @gbshouse said:
    Good that we use PolarSSL instead ....

    Not popular != not vulnerable.

  • rds100 Member

    debian wheezy did have an update, and it's 1.0.1e-something.

  • black Member

    @rds100 said:
    debian wheezy did have an update, and it's 1.0.1e-something.

    1.0.1e-2+deb7u10

  • AnthonySmith Member, Patron Provider

    From what I can see you're only likely to be vulnerable to this if you did not update during Heartbleed.

  • Maounique Host Rep, Veteran

    @AnthonySmith said:
    From what I can see you're only likely to be vulnerable to this if you did not update during Heartbleed.

    Also, it is a rather complicated setup which involves a lot of conditions. Sure, upgrade is needed, but very far from HB huge impact.

  • rds100 Member
    edited June 2014


    To: [email protected]
    Subject: [CentOS-announce] CESA-2014:0625 Important CentOS 6 openssl Update

    CentOS Errata and Security Advisory 2014:0625 Important
    Upstream details at: https://rhn.redhat.com/errata/RHSA-2014-0625.html

    The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )

    edit: it's now in at least some mirrors.
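    Since the thread's question is whether an install that reports "1.0.1e" already carries the fix, here is an added check (not from any poster, not a distro tool) that compares an installed package release against the fixed releases named above: CentOS 6 `1.0.1e-16.el6_5.14` from the errata and Debian wheezy `1.0.1e-2+deb7u10`. The version-comparison rules are a simplified rpmvercmp-style approximation, and the sample package strings are constructed.

```python
import re

# Fixed package releases quoted in this thread. Distros backport fixes, so
# the upstream "1.0.1e" prefix alone says nothing about whether the fix is in;
# only the distro release suffix does.
FIXED = {
    "centos6": "1.0.1e-16.el6_5.14",   # CESA-2014:0625
    "wheezy": "1.0.1e-2+deb7u10",      # Debian wheezy package named above
}

def _segments(ver):
    """Split into numeric and alphabetic runs, so 5.14 > 5.7 and u10 > u9.
    Simplified: ignores dpkg '~' and epoch handling (assumption for this demo)."""
    return [int(s) if s.isdigit() else s for s in re.findall(r"\d+|[A-Za-z]+", ver)]

def compare_versions(a, b):
    """Return -1, 0 or 1 if a is older than, equal to, or newer than b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            # rpmvercmp rule: a numeric segment is newer than an alphabetic one
            return 1 if isinstance(x, int) else -1
        return 1 if x > y else -1
    # all shared segments equal: the longer string (extra release suffix) is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def installed_from_rpm_q(line):
    """Extract the version-release from 'rpm -q openssl' style output
    (e.g. 'openssl-1.0.1e-16.el6_5.14.x86_64')."""
    m = re.match(r"^openssl-(.+)\.(i686|x86_64|noarch)$", line.strip())
    if not m:
        raise ValueError("unrecognised rpm -q output: %r" % line)
    return m.group(1)

def needs_update(distro, installed):
    """True when the installed release predates the fixed release for that distro."""
    return compare_versions(installed, FIXED[distro]) < 0

if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real box.
    for distro, pkg in [("centos6", "openssl-1.0.1e-16.el6_5.4.x86_64"),
                        ("centos6", "openssl-1.0.1e-16.el6_5.14.x86_64")]:
        ver = installed_from_rpm_q(pkg)
        print(distro, ver, "NEEDS UPDATE" if needs_update(distro, ver) else "fixed")
    print("wheezy 1.0.1e-2+deb7u9", "NEEDS UPDATE" if needs_update("wheezy", "1.0.1e-2+deb7u9") else "fixed")
```

    Note that a bare `openssl version` answer of `1.0.1e-fips` compares as older than every fixed release here, which is the point: check the package release, not the upstream string.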

  • What do you mean AGAIN? Updating is a very normal thing to do daily, weekly, monthly, etc. Don't tell me you are going to create a thread to update your antivirus AGAIN.

  • neroux Member

    @lelewku said:
    What do you mean AGAIN? Updating is a very normal thing to do daily, weekly, monthly, etc. Don't tell me you are going to create a thread to update your antivirus AGAIN.

    Agreed, however there is nonetheless a difference between a regular update and the frenzy a few weeks ago.

  • Maounique Host Rep, Veteran

    He tries to make the point that OpenSSL is insecure. I am not sure whether this is because it is insecure by design, or the code is poorly written, or only by chance; after the HB bug people started to look closer maybe, it might be like with Solus.

  • Thanks. Debian had the updated version, but like always, it doesn't like to restart the affected services.

    rolls eyes

  • Licensecart Member
    edited June 2014

    CentOS has updated, guys.

    Version : 1.0.1e
    Release : 16.el6_5.14

  • vedran Veteran

    @Maounique said:
    I am not sure this is because it is insecure by design or the code is poorly written, or only by chance

    NSA backdoors

  • petris Member

    @vedran said:
    NSA backdoors

    Or aliens.

  • jar Patron Provider, Top Host, Veteran
    edited June 2014

    @Maounique said:
    Also, it is a rather complicated setup which involves a lot of conditions. Sure, upgrade is needed, but very far from HB huge impact.

    Yeah, that was my take on it. I saw the alert this morning and then read over some of the report. Don't think I'll be losing sleep over this one. If the first sign to you that something is wrong is the indication that a man-in-the-middle attack is an active reality for you, and you need an OpenSSL error to tell you that, you probably aren't having a good day on average. Then again, maybe the exploit adds more desire for people who actually are in the middle (read: shady providers) to perform MITM attacks; I don't know. My mind just floats more toward virus-infected local systems.
