When I go to run:

```
root@vps [~]# yum update -y openssl
```

I get:

```
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.beyondhosting.net
 * extras: centos.mirror.nac.net
 * updates: centos.netnitco.net
Setting up Update Process
No Packages marked for Update
```

And if I run:

```
root@vps [~]# yum info openssl
```

I get this, which is not the latest version of OpenSSL and is vulnerable to heartbleed:

```
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.beyondhosting.net
 * extras: centos.mirror.nac.net
 * updates: centos.netnitco.net
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 16.el6_5.7
Size        : 4.0 M
Repo        : installed
From repo   : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.

Available Packages
Name        : openssl
Arch        : i686
Version     : 1.0.1e
Release     : 16.el6_5.7
Size        : 1.5 M
Repo        : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.
```

Or is this version of 1.0.1e not vulnerable to heartbleed for some reason?

UKB
  • You gotta love back patching. It makes it nearly impossible to easily discover software versions. It's a practice of little to no benefit, and wastes a lot of time and man hours. –  Apr 09 '14 at 10:38
  • @noloader: Well, no. Completely wrong. I very much like the idea that I can be reasonably sure that my system continues to work after an update without too extensive testing, and I really appreciate the effort people put into backporting so that I don't have to spend all of my time testing new releases in my environment. – Sven Apr 09 '14 at 10:41
  • This (and many other posts and questions) indicate otherwise. The project and the distro provide the assurances, so you have them (as long as there's binary compatibility in the project). As for the broken version numbers, there's no benefit other than to confuse people and waste lots of man hours. *Q.v.:* OpenSSL 1.0.1e *is* vulnerable, yet someone is being told OpenSSL 1.0.1e (above) *is not* vulnerable. If it's not vulnerable, then it's not OpenSSL 1.0.1e. –  Apr 09 '14 at 10:49
  • @SvW - here's another fellow confused due to back patching: [OpenSLL 1.0.1 bug - have Ubuntu applied a fix or not?](https://stackoverflow.com/questions/22960470/opensll-1-0-1-bug-have-ubuntu-applied-a-fix-or-not). It's a useless, cursed practice of no benefit. And it's not just this bug - it's been going on for years. –  Apr 09 '14 at 11:02
  • Well, I understand how this works (the difference between version and release) and how I can check quickly and efficiently which bugs are fixed or not. If you don't know this, learn it or come up with a better idea (stopping backports isn't one). – Sven Apr 09 '14 at 11:07
  • Thanks SvW. Fortunately I know too (for the most part). But here's another fellow who's not sure: [Is AWS, specifically the load balancer service affected by SSL “Heart Bleed” exploit?](https://stackoverflow.com/questions/22946010/is-aws-specifically-the-load-balancer-service-affected-by-ssl-heart-bleed-exp/22946334#22946334). Distros need to provide the latest binary compatible version so `program --version` just works. Like I said - it's a useless practice with no benefits. –  Apr 09 '14 at 11:19
  • 1
    Here's another confused user: [brew link --force openssl did not update openssl version](http://stackoverflow.com/questions/22974590/brew-link-force-openssl-did-not-update-openssl-version). Back-patching and screwing with version numbers has got to be one of the dumbest security engineering decisions ever made. Its right up there with "lets use public information as a challenge question" to secure an account. –  Apr 09 '14 at 22:33

1 Answer

16.el6_5.7 is the patched version with the fix (see the package info on the Scientific Linux site).

Sven
  • Can also check the change log with `rpm -q --changelog openssl | less` to see if the current package has a note about fixing the issue. – Brian May 24 '14 at 21:13
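As an added example (not code from the question or the answer), the following POSIX shell script encodes the point made in the answer and in Sven's comment: on CentOS/RHEL the Version field stays 1.0.1e after a backported fix and only the Release moves, so the Release is what you compare. It reimplements a simplified rpm version comparison in awk so the logic can be exercised without rpm; the fixed release 1.0.1e-16.el6_5.7 is taken from the answer and applies to CentOS/RHEL 6 packages only, and `check_installed_openssl` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the original thread. Decides whether an installed
# openssl RPM already carries the backported Heartbleed fix by comparing its
# version-release against the fixed release named in the answer. The Version
# (1.0.1e) never changes on CentOS 6; only the Release does.
FIXED_VR="1.0.1e-16.el6_5.7"   # from the answer; CentOS/RHEL 6 only

# Simplified rpmvercmp in awk: split both strings into alphanumeric segments
# ("1.0.1e-16.el6_5.7" -> 1 0 1 e 16 el 6 5 7) and compare segment by segment,
# numbers numerically and letters lexically; a numeric segment beats an
# alphabetic one, and a longer string wins on an equal prefix. Prints -1, 0 or 1.
rpm_vercmp() {
  awk -v a="$1" -v b="$2" '
  function segs(s, arr) {
    gsub(/[^a-zA-Z0-9]+/, " ", s)
    while (match(s, /[0-9][a-zA-Z]|[a-zA-Z][0-9]/))
      s = substr(s, 1, RSTART) " " substr(s, RSTART + 1)
    return split(s, arr, " ")
  }
  function cmp_seg(x, y,   nx, ny) {
    nx = (x ~ /^[0-9]+$/); ny = (y ~ /^[0-9]+$/)
    if (nx && ny) return (x + 0 > y + 0) - (x + 0 < y + 0)
    if (nx) return 1
    if (ny) return -1
    return (x > y) - (x < y)
  }
  BEGIN {
    na = segs(a, A); nb = segs(b, B)
    n = (na < nb) ? na : nb
    r = 0
    for (i = 1; i <= n && r == 0; i++) r = cmp_seg(A[i], B[i])
    if (r == 0) r = (na > nb) - (na < nb)
    print r
  }'
}

# True (exit 0) when a version-release string is at or past the fixed release.
openssl_has_fix() {
  [ "$(rpm_vercmp "$1" "$FIXED_VR")" -ge 0 ]
}

# Live check on an RPM host (hypothetical helper): ask rpm for Version-Release
# instead of trusting `openssl version`, which still prints 1.0.1e after the fix.
check_installed_openssl() {
  command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
  vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl | head -n 1)
  if openssl_has_fix "$vr"; then echo "openssl-$vr: backported fix present"
  else echo "openssl-$vr: older than $FIXED_VR, update needed"; fi
}
```

Pair it with `rpm -q --changelog openssl` from the comment above when the release string alone is ambiguous, for example on a rebuilt or third-party package.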