
After the Heartbleed bug I updated my OpenSSL to 1.0.1g. But to my shock, when I look at my server-status today it shows me OpenSSL version 1.0.1e, which was vulnerable to Heartbleed. I upgraded my OpenSSL through rpm. When I upgraded, I checked with the command `openssl version`. It gives me the output "OpenSSL 1.0.1g 7 Apr 2014", i.e. I have successfully updated the rpm. But when I check with the following rpm command, `rpm -q openssl`, it shows me the output "openssl-1.0.1e-16.el6_5.4.x86_64". I have also used `rpm info openssl` and it gives the same 1.0.1e version of OpenSSL. How do I solve this issue, so that my site is not vulnerable to Heartbleed?

Huzefa
    Exactly what did you do? – Michael Hampton May 20 '14 at 06:00
  • 3
    You are aware of Red Hat's policy of [backporting](https://access.redhat.com/site/security/updates/backporting/) which CentOS follows as well? "_Customers need to be aware that just looking at the version number of a package will not tell them if they are vulnerable or not_" – HBruijn May 20 '14 at 06:14
  • See http://serverfault.com/questions/535606/is-there-a-big-difference-between-centos-6-4-to-6-2-and-should-i-up-down-grade/535615#535615 for a slightly longer explanation if you're not. – MadHatter May 20 '14 at 07:25

2 Answers


RedHat backported the Heartbleed fix to OpenSSL 1.0.1e. The OpenSSL package that contains the CVE-2014-0160 fix is `openssl-1.0.1e-16.el6_5.7.x86_64`. As mentioned elsewhere, you can double-check that with the `rpm -q --changelog openssl` command; the change is dated 7th April 2014.

If you've attempted to install 1.0.1g on the server, you have done so outside the standard CentOS yum update process, as RedHat (and thus CentOS) doesn't have an official 1.0.1g version.

mykel
  • Hi mykel, I also need to update to OpenSSL 1.0.1g, for other reasons not related to Heartbleed. I'm on CentOS 6.5 and there is no yum update available. Would you mind showing how to update, if possible with a package and not from source? – Anagio Jun 03 '14 at 22:51


`rpm -q --changelog openssl` should show a fix for CVE-2014-0160 ("information disclosure in TLS heartbeat extension") once you've upgraded successfully.

HBruijn
  • Yes, I have checked with the `rpm -q openssl --changelog` command. It gives the output below:

        $ rpm -q openssl --changelog
        * Tue Jan 07 2014 Tomáš Mráz 1.0.1e-16.4
        - fix CVE-2013-4353 - Invalid TLS handshake crash
        * Mon Jan 06 2014 Tomáš Mráz 1.0.1e-16.3
        - fix CVE-2013-6450 - possible MiTM attack on DTLS1

    – Huzefa May 20 '14 at 07:33
  • It shows the latest patch date of openssl as "Jan 07 2014". Does it mean that the server is already updated and I don't have to do anything? – Huzefa May 20 '14 at 07:33
  • That means it is not the latest version, the update for CVE-2014-0160 was on April 7th. – HBruijn May 20 '14 at 07:36
  • I have updated it from "http://www.openssl.org/source/openssl-1.0.1g.tar.gz" but it is showing me "openssl-1.0.1e-16.el6_5.4.x86_64" – Huzefa May 23 '14 at 06:03
  • But here the version should be "openssl-1.0.1e-16.el6_5.7.x86_64". It is also showing me the old version when I use the `rpm -q --changelog openssl` command. – Huzefa May 23 '14 at 06:05
  • 
        * Tue Jan 07 2014 Tomáš Mráz 1.0.1e-16.4
        - fix CVE-2013-4353 - Invalid TLS handshake crash
        * Mon Jan 06 2014 Tomáš Mráz 1.0.1e-16.3
        - fix CVE-2013-6450 - possible MiTM attack on DTLS1
        * Fri Dec 20 2013 Tomáš Mráz 1.0.1e-16.2
        - fix CVE-2013-6449 - crash when version in SSL structure is incorrect
        * Thu Dec 12 2013 Tomáš Mráz 1.0.1e-16.1
        - add back some no-op symbols that were inadvertently dropped

    – Huzefa May 23 '14 at 06:06
  • So how do I upgrade my openssl properly? – Huzefa May 23 '14 at 06:07
  • 
        * Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
        - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

    – Huzefa May 23 '14 at 06:07
  • As @mykel mentioned, upgrading from source is contrary to using the package management tools and will most likely not fix the vulnerability. Read MadHatter's link; that explains that by using CentOS 6 update 2, what you have is CentOS 6 which has not had any patches applied since 2011. Trying to now fix a single vulnerability and not applying the hundreds of other updates released since then is not going to solve any security issues. You could try to manually `rpm -Uhv http://mirror.centos.org/centos/6/updates/x86_64/Packages/openssl-1.0.1e-16.el6_5.7.i686.rpm` but good luck with dependencies. – HBruijn May 23 '14 at 07:46
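To make the changelog check from this answer repeatable, here is an added shell example (my own code, not from this thread or any of its posters) that searches `rpm -q --changelog` output for a CVE id and reports the package release that carried the backported fix, and that also warns when the `openssl` binary on PATH is not owned by any rpm, the symptom of a source install shadowing the packaged one. The function names and the sample changelog text are constructed for this example; only `check_installed_openssl` touches the live system.

```shell
#!/bin/sh
# Added example: trust the package changelog, not the upstream version string.

# changelog_has_cve CVE-ID CHANGELOG_TEXT -> exit 0 if the id appears, 1 otherwise
changelog_has_cve() {
    printf '%s\n' "$2" | grep -qF -- "$1"
}

# fix_release_for_cve CVE-ID CHANGELOG_TEXT -> prints the release whose entry
# mentions the CVE (e.g. "1.0.1e-16.7"); prints nothing if it is absent.
# rpm changelog headers look like "* Mon Apr 07 2014 Name <mail> 1.0.1e-16.7",
# so the release is always the last field of a header line.
fix_release_for_cve() {
    printf '%s\n' "$2" | awk -v cve="$1" '
        /^\* /                        { rel = $NF }
        index($0, cve) && rel != ""   { print rel; exit }
    '
}

# Live check (hypothetical helper, constructed for this example): is the
# backported fix in the installed package, and is the openssl on PATH packaged?
check_installed_openssl() {
    cve="${1:-CVE-2014-0160}"
    log="$(rpm -q --changelog openssl 2>/dev/null)" \
        || { echo "openssl rpm is not installed"; return 2; }
    if changelog_has_cve "$cve" "$log"; then
        echo "fix for $cve present in package release $(fix_release_for_cve "$cve" "$log")"
    else
        echo "no changelog entry for $cve: run 'yum update openssl'"
    fi
    bin="$(command -v openssl)"
    if ! rpm -qf "$bin" >/dev/null 2>&1; then
        echo "warning: $bin is not owned by any rpm (source build shadowing the package?)"
    fi
}

# Constructed sample in the shape of rpm -q --changelog output (not real output)
SAMPLE_LOG='* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Tue Jan 07 2014 Tomáš Mráz 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash'
```

On the asker's box the changelog check would report no entry for CVE-2014-0160 and the ownership check would flag the 1.0.1g binary, which together explain why `openssl version` and `rpm -q openssl` disagree.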