
I am running Fedora 15 2.6.32-042stab081.3 x64, and I have OpenSSL 1.0.0j-fips 10 May 2012, which I understand to not be infected.

However, every test tool out there is reporting that the site may be vulnerable based on the age of the certificate. So while my system doesn't need to be patched for this, the mass hysteria and panic suggest I should update so users are not presented with "the site may be insecure" by these "check tools".

However, yum update is offering nothing. I can't seem to find a newer rpm, so I'm at a loss as to how to update OpenSSL. Install from source?

Any advice or points would be a great help.

UPDATE: I have downloaded the source for openssl-1.0.1g and installed from source; however, when running openssl version, it still reports the old version?

Shaun Forsyth
    Fedora 15 is [unsupported since 2012](https://fedoraproject.org/wiki/Releases/15?rd=Releases/15/Schedule) and has no place on an internet facing server. If you run Fedora, keep it up to date with a supported version. Also, if the certificates are expired, you need to create new ones. That is nothing `yum` can help you with. – Sven Apr 10 '14 at 09:33
  • @svW, that is not the most helpful comment. The certs have not expired and I didn't state that they have. I am aware of how to renew and update my certs. I just thought since I am going to have to revoke/renew them that I should update OpenSSL at the same time. – Shaun Forsyth Apr 10 '14 at 10:16
    There is no reason to update your openssl as it is not affected by heartbleed. There is every reason to update your OS as having been unsupported for 2 years it likely contains other unpatched security vulnerabilities. – user9517 Apr 10 '14 at 10:34
  • @ShaunForsyth: I've inferred the expired certificate from the "age of the certificate" statement, which was apparently incorrect. Nevertheless, I repeat: Don't waste a minute on a non-issue when you have a complete server that needs to be updated to a supported OS **now**. – Sven Apr 10 '14 at 10:46
  • @SvW thanks for your support on this, I would love to update to a newer version, but it's a VPS and Fedora seems to detect this (yum update is reporting something to do with this). I am worried that if I start updating the core (not that I know how... but that is what google is for) that I will break either my install or the VPS container. – Shaun Forsyth Apr 10 '14 at 11:10
  • You will have to make a backup anyway before upgrading. Unfortunately, it's quite possible to break your system while doing the five required updates (15->16->17->18->19->20) before you end up with a current version. Due to the short support cycle of Fedora, it is really unsuitable for a server install and I recommend something like Ubuntu or CentOS instead. My plan would be to set up a second VPS with one of those systems and, after you have configured this correctly, move the data over and turn off the old machine. – Sven Apr 10 '14 at 11:18
  • On security.se there is plenty of stuff about that problem; you may have to look for it by the *heartbleed* tag. One of the probably useful answers, if you wish to check your server, is [this](http://security.stackexchange.com/a/55193/43440), as an example. There is a list of different checker tools and sites. [musalbas on github](https://github.com/musalbas/heartbleed-masstest) seems to work well. [There](http://serverfault.com/a/587916/214848) is also a good example of how you can check whether your server is still vulnerable or not. – MolbOrg Apr 10 '14 at 10:33
  • @SvW Sorry I can't upvote your comment, as, even though it's a real pain, your last comment is the answer. I will move over to CentOS. Thank you. – Shaun Forsyth Apr 10 '14 at 11:44
  • SvW, Fedora will generally allow you to jump two versions in a single upgrade, so he'd have to go 15->17->19->20. But it's still a fair few upgrades. – MadHatter Apr 10 '14 at 12:47
  • @ShaunForsyth: `but that is what google is for` - no that's what sysadmins are for. – user9517 Apr 10 '14 at 12:48
  • From F15 I'd just build a fresh new system. Upgrading was [usually a nightmare](https://fedoraproject.org/wiki/Upgrading_Fedora_using_yum) before fedup was introduced in F18. And [_in certain situations_](http://serverfault.com/a/547456/126632) Fedora is fine for a server. – Michael Hampton Apr 10 '14 at 12:55

1 Answer

While this should be a non-issue on Fedoras earlier than 18, my Fedora 17 happened to get detected by some vulnerability scanner. You shouldn't update your SSL version by hand, since it would make your other packages, like httpd, stop working due to an incorrect ABI.

What I did was rebuild the RPM packages without heartbeat support:

```sh
$ yum groupinstall rpmdevtools
$ yumdownloader --source openssl
$ rpm -ivh ./openssl*.src.rpm
$ nano ~/rpmbuild/SPECS/openssl.spec
```

In the spec file, replace a line like:

```
Release: 1%{?dist}
```

with something like:

```
Release: 1%{?dist}.heartbleed
```

and replace a line like:

```
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack"
```

with something like:

```
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DOPENSSL_NO_HEARTBEATS"
```

Then build and install the result:

```sh
$ rpmbuild -ba ~/rpmbuild/SPECS/openssl.spec
$ i386 rpmbuild -ba ~/rpmbuild/SPECS/openssl.spec   # execute it only if on x86_64
$ rpm -Fvh ~/rpmbuild/RPMS/*/openssl*.rpm
```

czaks
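As an added example (not part of czaks's answer), the shell below applies the two spec edits from the answer with sed and refuses to build if either edit did not land, so a spec whose layout differs does not silently produce a package that still has heartbeat support. It assumes GNU sed and nm, and the `~/rpmbuild/SPECS/openssl.spec` path used in the answer; `patch_openssl_spec`, `heartbeat_symbols_present` and `rebuild_without_heartbeats` are names chosen here.

```sh
#!/bin/sh
# Added example, not from the original answer. Assumes GNU sed/nm and the
# ~/rpmbuild layout from the answer above.

# Edit the spec in place: tag Release and add -DOPENSSL_NO_HEARTBEATS to the
# compiler flags. Returns 1 unless both lines are present afterwards.
patch_openssl_spec() {
    spec="$1"
    sed -e 's/^\(Release:[[:space:]]*[0-9][0-9]*%{?dist}\)[[:space:]]*$/\1.heartbleed/' \
        -e 's/\(-Wa,--noexecstack\)"/\1 -DOPENSSL_NO_HEARTBEATS"/' \
        "$spec" > "$spec.tmp" && mv "$spec.tmp" "$spec" || return 1
    # Verify both substitutions; a spec that did not match must not be built.
    grep -q '^Release:.*\.heartbleed$' "$spec" || return 1
    grep -q -- '-DOPENSSL_NO_HEARTBEATS' "$spec" || return 1
    return 0
}

# Sanity check on the installed library: OpenSSL 1.0.1 compiles tls1_heartbeat
# only when OPENSSL_NO_HEARTBEATS is not defined, so the symbol should be gone
# from a correctly rebuilt libssl (assumes the build exports its symbols).
heartbeat_symbols_present() {
    nm -D "$1" 2>/dev/null | grep -q 'tls1_heartbeat'
}

# Driver following the answer's steps: patch, build (both arches on x86_64),
# then freshen the installed openssl packages with the rebuilt ones.
rebuild_without_heartbeats() {
    spec="$HOME/rpmbuild/SPECS/openssl.spec"
    patch_openssl_spec "$spec" || { echo "spec edit did not apply" >&2; return 1; }
    rpmbuild -ba "$spec" || return 1
    if [ "$(uname -m)" = x86_64 ]; then
        i386 rpmbuild -ba "$spec" || return 1
    fi
    rpm -Fvh "$HOME"/rpmbuild/RPMS/*/openssl*.rpm
}
```

After `rpm -Fvh`, `heartbeat_symbols_present /usr/lib64/libssl.so.1.0.1` (path assumed) should return non-zero on the rebuilt library.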