
I am trying to upgrade the openssl version from 0.9.8w to 0.9.8y to address the following security vulnerabilities: CVE-2012-2333, CVE-2013-0166, CVE-2013-0169.

While trying to upgrade I am facing the following dependencies, and any insight into this will be highly appreciated.

[root@CAM store]# openssl version
OpenSSL 0.9.8w 23 Apr 2012
[root@CAM store]# rpm -qa | grep openssl
openssl-0.9.8e-22.el5
openssl-0.9.8w-1
[root@CAM store]# rpm -Uvh openssl-0.9.8y-1.i386.rpm
error: Failed dependencies:
        libcrypto.so.6 is needed by (installed) m2crypto-0.16-8.el5.i386
        libcrypto.so.6 is needed by (installed) python-libs-2.4.3-46.el5.i386
        libcrypto.so.6 is needed by (installed) openldap-2.3.43-25.el5.i386
        libcrypto.so.6 is needed by (installed) net-snmp-libs-5.3.2.2-17.el5.i386
        libcrypto.so.6 is needed by (installed) postgresql-libs-8.1.23-1PGDG.rhel5.i386
        libcrypto.so.6 is needed by (installed) bind-libs-9.3.6-20.P1.el5.i386
        libcrypto.so.6 is needed by (installed) curl-7.15.5-15.el5.i386
        libcrypto.so.6 is needed by (installed) libnasl2-2.2.11-27.el5.i386
        libcrypto.so.6 is needed by (installed) nmap-4.11-2.i386
        libcrypto.so.6 is needed by (installed) wget-1.11.4-2.el5_4.1.i386
        libcrypto.so.6 is needed by (installed) nessus-server-2.2.11-27.el5.i386
        libcrypto.so.6 is needed by (installed) cyrus-sasl-2.1.22-5.el5_4.3.i386
        libcrypto.so.6 is needed by (installed) bind-utils-9.3.6-20.P1.el5.i386
        libcrypto.so.6 is needed by (installed) neon-0.25.5-10.el5_4.1.i386
        libcrypto.so.6 is needed by (installed) openldap-clients-2.3.43-25.el5.i386
        libcrypto.so.6 is needed by (installed) cyrus-sasl-md5-2.1.22-5.el5_4.3.i386
        libcrypto.so.6 is needed by (installed) stunnel-4.15-2.el5.1.i386
        libcrypto.so.6 is needed by (installed) distcache-1.4.5-14.1.i386
        libcrypto.so.6 is needed by (installed) tcpdump-3.9.4-15.el5.i386
        libcrypto.so.6 is needed by (installed) ntp-4.2.2p1-15.el5.centos.1.i386
        libcrypto.so.6 is needed by (installed) net-snmp-5.3.2.2-17.el5.i386
        libcrypto.so.6 is needed by (installed) fipscheck-1.2.0-1.el5.i386
        libcrypto.so.6 is needed by (installed) net-snmp-utils-5.3.2.2-17.el5.i386
        libcrypto.so.6 is needed by (installed) postgresql-8.1.23-1PGDG.rhel5.i386
        libcrypto.so.6 is needed by (installed) postgresql-server-8.1.23-1PGDG.rhel5.i386
        libcrypto.so.6 is needed by (installed) postgresql-contrib-8.1.23-1PGDG.rhel5.i386
        libcrypto.so.6 is needed by (installed) cavium-1.0-7.i386
        libssl.so.6 is needed by (installed) m2crypto-0.16-8.el5.i386
        libssl.so.6 is needed by (installed) python-libs-2.4.3-46.el5.i386
        libssl.so.6 is needed by (installed) openldap-2.3.43-25.el5.i386
        libssl.so.6 is needed by (installed) postgresql-libs-8.1.23-1PGDG.rhel5.i386
        libssl.so.6 is needed by (installed) curl-7.15.5-15.el5.i386
        libssl.so.6 is needed by (installed) libnasl2-2.2.11-27.el5.i386
        libssl.so.6 is needed by (installed) nmap-4.11-2.i386
        libssl.so.6 is needed by (installed) wget-1.11.4-2.el5_4.1.i386
        libssl.so.6 is needed by (installed) nessus-server-2.2.11-27.el5.i386
        libssl.so.6 is needed by (installed) neon-0.25.5-10.el5_4.1.i386
        libssl.so.6 is needed by (installed) quota-3.13-5.el5.i386
        libssl.so.6 is needed by (installed) openldap-clients-2.3.43-25.el5.i386
        libssl.so.6 is needed by (installed) stunnel-4.15-2.el5.1.i386
        libssl.so.6 is needed by (installed) distcache-1.4.5-14.1.i386
        libssl.so.6 is needed by (installed) postgresql-8.1.23-1PGDG.rhel5.i386
        libssl.so.6 is needed by (installed) postgresql-server-8.1.23-1PGDG.rhel5.i386
        libssl.so.6 is needed by (installed) postgresql-contrib-8.1.23-1PGDG.rhel5.i386

Thanks, Vetrichelvan.G


1 Answer


I don't know where you got that RPM from (since you don't tell us), but you have a problem already:

[root@CAM store]# rpm -qa | grep openssl
openssl-0.9.8e-22.el5
openssl-0.9.8w-1

Someone has brute-forced a second OpenSSL RPM onto your system, in addition to the Red Hat-provided one, probably as an incorrect response to an earlier OpenSSL issue.

You don't need to upgrade the version of openssl to stay securely patched. You need to get rid of weird non-distro versions, and keep up with Red Hat's patches to EL5 (as long as it's in support). That will mean that your version of openssl-0.9.8e will stay patched, and even though the OpenSSL version number won't change, the RPM version will.

You may find this answer sheds more light on the way Red Hat backports patches to fix vulnerabilities, instead of constantly bumping application version numbers.

MadHatter
  • I hadn't done the upgrade of the openssl version from 0.9.8e to 0.9.8w. Also, I have created the openssl 0.9.8y RPM by using its source and spec file. Are you saying there might be issues with the 0.9.8e to 0.9.8w upgrade itself? Also, can I address the mentioned vulnerabilities as a patch in versions 0.9.8e or 0.9.8w? – user220517 May 21 '14 at 07:13
  • I'm saying that you need to understand why the 0.9.8w version is there at all, and if it's not a really good reason, rip it out - and make sure the RH version is properly back in place. Then, simply doing a `yum update` should take the RH version of 0.9.8e to a suitably-patched one. – MadHatter May 21 '14 at 07:17
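Two offline checks that follow from the advice above, added here as an example that is not part of the original question, answer or comments: find the RPM that did not come from the distro vendor, then confirm from the distro package's changelog that a named CVE was backported even though the upstream version string stays at 0.9.8e. The function names are mine, the rpm lines and changelog are constructed sample text, and `CentOS` as the expected vendor is an assumption drawn from the `.centos` release tags in the asker's output.

```shell
#!/bin/sh
# Added example, not from the original post or from Red Hat. Both checks read
# stdin, so they run offline on the CONSTRUCTED samples below; on a real EL5
# host pipe live rpm output in instead:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{VENDOR}\n' | foreign_rpms 'CentOS'
#   rpm -q --changelog openssl | cves_fixed CVE-2012-2333 CVE-2013-0166 CVE-2013-0169

# Read "NAME-VERSION-RELEASE VENDOR" lines; print every package whose vendor
# field does not contain $1. A locally rebuilt RPM such as openssl-0.9.8w-1
# normally carries no Vendor tag in its spec and is shown by rpm as "(none)".
foreign_rpms() {
    awk -v want="$1" 'index($0, want) == 0 { print $1 }'
}

# Read an rpm changelog; for each CVE id given as an argument print
# "<CVE> FIXED" if the changelog mentions it, "<CVE> MISSING" otherwise.
# This is the check that matters with backported fixes: the version number
# (0.9.8e) never changes, only the release and its changelog do.
cves_fixed() {
    changelog=$(cat)
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -q -- "$cve"; then
            echo "$cve FIXED"
        else
            echo "$cve MISSING"
        fi
    done
}

# Constructed sample input. The two package names are the ones from the
# question; the vendor column, maintainer and release "XX" are placeholders.
SAMPLE_RPMS='openssl-0.9.8e-22.el5 CentOS
openssl-0.9.8w-1 (none)'

SAMPLE_CHANGELOG='* Mon Jan 01 2013 Example Maintainer <maint@example.invalid> 0.9.8e-XX.el5
- fix for CVE-2013-0169 (constructed entry)
- fix for CVE-2013-0166 (constructed entry)'

printf '%s\n' "$SAMPLE_RPMS" | foreign_rpms 'CentOS'
printf '%s\n' "$SAMPLE_CHANGELOG" | cves_fixed CVE-2012-2333 CVE-2013-0166 CVE-2013-0169
```

Anything `foreign_rpms` lists is a candidate for removal before `yum update`; anything `cves_fixed` reports MISSING against the live changelog is a CVE the installed distro release does not yet claim to cover.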