Scientific Linux Forum.org
> "heartbleed" OpenSSL Vulnerability
edmundedgar
 Posted: Apr 8 2014, 07:48 AM
SLF Newbie
Group: Members
Posts: 1
Member No.: 3056
Joined: 8-April 14

So it looks like CentOS have fixes out for "heartbleed" openssl breakage.

Questions:

1) Am I right in assuming we need to upgrade, including quite old versions? For example, my SL 6.1 box shows:

CODE
openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013


2) Any ETA on updated packages for Scientific Linux?

3) If they're going to be a while (like more than a couple of hours) can we use the equivalent-looking CentOS packages in the mean time, or will that blow something up?
John Cuppi
 Posted: Apr 8 2014, 09:30 AM
SLF Admin Team
Group: Admins
Posts: 143
Member No.: 15
Joined: 10-April 11

I literally came here just to make this topic myself.

Yes, we need to upgrade.

QUOTE
The vulnerable versions have been out there for over two years now and they have been rapidly adopted by modern operating systems. A major contributing factor has been that TLS versions 1.1 and 1.2 became available with the first vulnerable OpenSSL version (1.0.1) and the security community has been pushing TLS 1.2 due to earlier attacks against TLS (such as BEAST).


So the point release that was first shipped with RHEL 6 is vulnerable.

I'm sure you can expect a fix for this very, very soon.
patriehecky
 Posted: Apr 8 2014, 02:24 PM
SL Developer
Group: Moderators
Posts: 87
Member No.: 837
Joined: 14-September 11

QUOTE (Jcink @ Apr 8 2014, 03:30 AM)

I'm sure you can expect a fix for this very, very soon.


Yep, it is in the repos now.

--------------------
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/
The best way to get my attention is over the official lists.
krachbumm
 Posted: Apr 8 2014, 02:29 PM
SLF Member
Group: Members
Posts: 66
Member No.: 1961
Joined: 15-October 12

thanks Pat/sl-devs.

http://th166.photobucket.com/albums/u117/rdshear/Smiley%20Faces/th_smiley-face-thumbs-up.gif
eliotk
 Posted: Apr 8 2014, 06:09 PM
SLF Newbie
Group: Members
Posts: 1
Member No.: 3057
Joined: 8-April 14

Thanks for patching the package!

So, it looks like the version stays the same it's just backported w/ the patch?

Once we update our yum caches, `yum reinstall openssl` should install the patched version? That doesn't seem to be working on my end...

Thank you,
Eliot
tux99
 Posted: Apr 8 2014, 09:20 PM
SLF Moderator
Group: Moderators
Posts: 1273
Member No.: 224
Joined: 28-May 11

QUOTE (eliotk @ Apr 8 2014, 07:09 PM)

Once we update our yum caches, `yum reinstall openssl` should install the patched version? That doesn't seem to working on my end...


Use:
yum update openssl

--------------------
My personal SL6 repository, specialized in audio/video software: http://pkgrepo.linuxtech.net/el6/
(can be used together with EPEL and ELRepo repositories) - repository mirror: http://linuxsoft.cern.ch/linuxtech/el6/
John Cuppi
 Posted: Apr 9 2014, 02:01 AM
SLF Admin Team
Group: Admins
Posts: 143
Member No.: 15
Joined: 10-April 11

QUOTE (krachbumm @ Apr 8 2014, 10:29 AM)
thanks Pat/sl-devs.

http://th166.photobucket.com/albums/u117/rdshear/Smiley%20Faces/th_smiley-face-thumbs-up.gif

Yes, thank you. Updated this morning.
voteblake
 Posted: Apr 9 2014, 02:47 PM
SLF Newbie
Group: Members
Posts: 1
Member No.: 3059
Joined: 9-April 14

The output of
CODE
yum check-update
and
CODE
yum update openssl
do not indicate the availability of a patched package on the i686 architecture for SL 6.5.

I appreciate the efforts of the maintainers to make updates available and am wondering if there is a timeline for this architecture.
tux99
 Posted: Apr 9 2014, 03:14 PM
SLF Moderator
Group: Moderators
Posts: 1273
Member No.: 224
Joined: 28-May 11

QUOTE (voteblake @ Apr 9 2014, 03:47 PM)
The output of
CODE
yum check-update
and
CODE
yum update openssl
do not indicate the availability of a patched package on the i686 architecture for SL 6.5.


The i686 package has been available since yesterday just like the x64 one:
ftp://ftp.scientificlinux.org/linux/scientific/6.5/i386/updates/security/openssl-1.0.1e-16.el6_5.7.i686.rpm

Maybe clean your cache?

yum clean all

Or do you have autoupdate enabled and it got updated automatically without your knowledge already?

--------------------
My personal SL6 repository, specialized in audio/video software: http://pkgrepo.linuxtech.net/el6/
(can be used together with EPEL and ELRepo repositories) - repository mirror: http://linuxsoft.cern.ch/linuxtech/el6/
giu8888
 Posted: Apr 10 2014, 06:56 AM
SLF Newbie
Group: Members
Posts: 3
Member No.: 3060
Joined: 10-April 14

Hi, I have installed SLC6 on my machine on Monday and I am running
[root@giuoff ~]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Apr 7 23:06:03 CDT 2014
platform: linux-x86_64

but when I try to update it tells me there is no update available

[root@giuoff ~]# yum update openssl
Plugin "refresh-packagekit" can't be imported
Loaded plugins: security
Setting up Update Process
No Packages marked for Update

BUT I KNOW THERE IS A NEW VERSION!
I have downloaded OpenSSL 1.0.1g!!
How can I install it such that it will substitute the old one ?
I built it as root but the system still see the old one...

Can you help ?
thanks
giulia
giu8888
 Posted: Apr 10 2014, 07:17 AM
SLF Newbie
Group: Members
Posts: 3
Member No.: 3060
Joined: 10-April 14

Hi, I have managed to run the update and got the following updates

[root@giuoff ~]# yum update openssl
Plugin "refresh-packagekit" can't be imported
Loaded plugins: security
sl | 3.6 kB 00:00
sl/primary_db | 4.1 MB 00:21
sl-security | 3.0 kB 00:00
sl-security/primary_db | 1.9 MB 00:09
sl6x | 3.6 kB 00:00
sl6x/primary_db | 4.1 MB 00:21
sl6x-security | 3.0 kB 00:00
sl6x-security/primary_db | 1.9 MB 00:09
Setting up Update Process

BUT the version of openssl is still the same
[root@giuoff ~]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Apr 7 23:06:03 CDT 2014
platform: linux-x86_64

AM I SAFE NOW ?
thanks a lot for any help
cheers
giulia
tux99
 Posted: Apr 10 2014, 08:08 AM
SLF Moderator
Group: Moderators
Posts: 1273
Member No.: 224
Joined: 28-May 11

You need to look at the package version, not at the openssl version. This is a back-ported bug fix so the openssl version hasn't changed.

type:
rpm -qa | grep openssl

The package should be openssl-1.0.1e-16.el6_5.7 as mentioned previously in this thread.

--------------------
My personal SL6 repository, specialized in audio/video software: http://pkgrepo.linuxtech.net/el6/
(can be used together with EPEL and ELRepo repositories) - repository mirror: http://linuxsoft.cern.ch/linuxtech/el6/
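The check tux99 describes, comparing the package release rather than the `openssl version` string because the fix is backported, as an added example that is not part of the original thread: a Python implementation of RPM's own version comparison (rpmvercmp) applied to `rpm -qa` output. The fixed package openssl-1.0.1e-16.el6_5.7 is the one named in this thread for SL 6.5; other point releases carry different release tags, so that constant is an assumption to adjust for your release. The affected upstream range, 1.0.1 up to but not including 1.0.1g, is from the Heartbleed advisory (CVE-2014-0160). The sample `rpm -qa` output is constructed, modelled on the one posted in the thread.

```python
import re

# Fixed SL 6.5 package named in this thread. Other SL point releases carry a
# different release tag, so adjust these for the release you run (assumption).
FIXED_NAME, FIXED_VERSION, FIXED_RELEASE = "openssl", "1.0.1e", "16.el6_5.7"
# Upstream range affected by Heartbleed (CVE-2014-0160): 1.0.1 <= v < 1.0.1g
AFFECTED_FROM, AFFECTED_UNTIL = "1.0.1", "1.0.1g"

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """RPM's label comparison for a single version or release string.
    Returns -1, 0 or 1 like the C rpmvercmp: the string is split into numeric
    and alphabetic segments (separators such as '.' and '_' are ignored),
    numeric segments compare as integers, alphabetic ones lexically, a numeric
    segment beats an alphabetic one, and '~' sorts before anything, including
    the end of the string."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    # One side has segments left over; a leftover '~' makes that side older.
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    if len(sb) > len(sa):
        return 1 if sb[len(sa)] == "~" else -1
    return 0


def parse_nevra(pkg):
    """Split 'name-version-release.arch' as printed by rpm -qa."""
    name, version, rel_arch = pkg.rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return name, version, release, arch


def heartbleed_status(pkg):
    """Classify one rpm -qa line: None if it is not the openssl package (the
    one that ships libssl/libcrypto), otherwise 'not-affected', 'fixed' or
    'vulnerable'."""
    name, version, release, _ = parse_nevra(pkg)
    if name != FIXED_NAME:
        return None
    if rpmvercmp(version, AFFECTED_FROM) < 0 or rpmvercmp(version, AFFECTED_UNTIL) >= 0:
        return "not-affected"
    # Backported fix: the upstream version string stays 1.0.1e; only the
    # release tag moves, so that is what has to be compared.
    if rpmvercmp(version, FIXED_VERSION) == 0 and rpmvercmp(release, FIXED_RELEASE) >= 0:
        return "fixed"
    return "vulnerable"


def check_rpm_qa(output):
    """Map every package in `rpm -qa | grep -i openssl` output to its status."""
    return {line.strip(): heartbleed_status(line.strip())
            for line in output.splitlines() if line.strip()}


# Constructed sample, modelled on the rpm -qa output posted in this thread.
SAMPLE_RPM_QA = """\
openssl-1.0.1e-16.el6_5.7.x86_64
pyOpenSSL-0.10-2.el6.x86_64
"""

if __name__ == "__main__":
    for pkg, status in sorted(check_rpm_qa(SAMPLE_RPM_QA).items()):
        print("%-40s %s" % (pkg, status))
```

On a live box the same conclusion can be confirmed from the package changelog, which is where a backported fix is recorded: `rpm -q --changelog openssl | grep CVE-2014-0160` prints the fix entry on a patched package and nothing on an unpatched one.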
giu8888
 Posted: Apr 10 2014, 08:37 AM
SLF Newbie
Group: Members
Posts: 3
Member No.: 3060
Joined: 10-April 14

Hi,
yes it is :

rpm -qa| grep -i openssl
openssl-1.0.1e-16.el6_5.7.x86_64
pyOpenSSL-0.10-2.el6.x86_64


So everything is fine?
Many thanks for your help
Giulia
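One further check after the package is confirmed fixed, as an added example that is not from the thread: rpm replaces the library files on disk, but a service that was already running (httpd, sshd, postfix and so on) keeps the old libssl/libcrypto mapped until it is restarted, so it is still serving the vulnerable code. The kernel marks such mappings "(deleted)" in /proc/<pid>/maps. This Python script lists them; the maps sample is constructed, modelled on an EL6 httpd process, and the library paths in it are assumptions. Scanning other users' processes requires root.

```python
import os
import re

# Libraries whose old copy stays mapped in a long-running process after the
# openssl package is upgraded (EL6 file names assumed).
SSL_LIBS = re.compile(r"/lib(ssl|crypto)\.so")
DELETED = " (deleted)"


def stale_ssl_mappings(maps_text):
    """Return the set of libssl/libcrypto paths in one /proc/<pid>/maps text
    that the kernel marks '(deleted)': the file on disk was replaced while the
    old inode was still mapped, i.e. the process runs the pre-update library."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [pathname]
        if len(fields) < 6:
            continue  # anonymous mapping, no pathname
        path = fields[5]
        if path.endswith(DELETED) and SSL_LIBS.search(path):
            stale.add(path[:-len(DELETED)])
    return stale


def process_name(proc_dir):
    """Read the 'Name:' line of /proc/<pid>/status (present on every kernel)."""
    with open(os.path.join(proc_dir, "status")) as f:
        for line in f:
            if line.startswith("Name:"):
                return line.split(None, 1)[1].strip()
    return "?"


def find_stale_processes(proc_root="/proc"):
    """Scan every process; return {pid: (name, stale paths)} for those that
    still map a replaced libssl or libcrypto."""
    result = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        proc_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(proc_dir, "maps")) as f:
                stale = stale_ssl_mappings(f.read())
            if stale:
                result[int(entry)] = (process_name(proc_dir), stale)
        except (OSError, IOError):
            continue  # process exited, or not readable without root
    return result


# Constructed sample of /proc/<pid>/maps for an httpd started before the update.
SAMPLE_MAPS = """\
00400000-0043c000 r-xp 00000000 fd:00 131082 /usr/sbin/httpd
7f3a0a000000-7f3a0a1b0000 r-xp 00000000 fd:00 262345 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a0a3b0000-7f3a0a416000 r-xp 00000000 fd:00 262351 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a0b000000-7f3a0b021000 r-xp 00000000 fd:00 131090 /lib64/ld-2.12.so
7f3a0b221000-7f3a0b222000 rw-p 00000000 00:00 0
7fff6c5fd000-7fff6c5fe000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    print("sample:", sorted(stale_ssl_mappings(SAMPLE_MAPS)))
    for pid, (name, paths) in sorted(find_stale_processes().items()):
        print("%d %s still maps: %s" % (pid, name, ", ".join(sorted(paths))))
```

Any process the scan reports needs a service restart (or a reboot) before the update is actually in effect for it; `lsof -n | grep -E 'libssl|libcrypto' | grep DEL` gives the same answer on systems that have lsof installed.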