6

I'm trying to check if I am running the latest OpenSSL version; my main concern is the Heartbleed bug.

I tried 2 commands:

  • openssl version
  • yum info openssl


    openssl version output

    OpenSSL 1.0.1e-fips 11 Feb 2013

    yum info openssl output

    Installed Packages
    Name : openssl
    Arch : x86_64
    Version : 1.0.1e
    Release : 16.el6_5.14
    ...

I have a couple of questions:

  1. Why do I get different versions from these 2 commands?
  2. How do I check the Heartbleed vulnerability without having the 443 port open?
HBruijn
CoCoMonk

1 Answer

8

The name of the RPM package is simply not the same as the version the software itself returns.

One of the reasons for that is Red Hat & CentOS backport security updates and bug fixes to the software version that was initially shipped. They take a fix for a security flaw out of the most recent version of an upstream software package, i.e. openssl 1.0.1h, and apply that fix to the older version of the package that was distributed, i.e. openssl 1.0.1e. That policy is the reason for a patch level string in the package name in addition to the software version number.

The version output of the openssl version command remains unchanged at 1.0.1e regardless of your actual patch level.

rpm -q --changelog openssl shows which updates the package maintainer has included in the version you have currently installed.

The most current version shows:

    * Mon Jun 02 2014 Tom Mraz <tmraz redhat.com> 1.0.1e-16.14
    - fix CVE-2010-5298 - possible use of memory after free
    - fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment
    - fix CVE-2014-0198 - possible NULL pointer dereference
    - fix CVE-2014-0221 - DoS from invalid DTLS handshake packet
    - fix CVE-2014-0224 - SSL/TLS MITM vulnerability
    - fix CVE-2014-3470 - client-side DoS when using anonymous ECDH

    * Mon Apr 07 2014 Tom Mraz <tmraz redhat.com> 1.0.1e-16.7
    - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
HBruijn
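The changelog check described in the answer can be scripted so that it reports which package build introduced the fix for each CVE, without opening any port. This is an added example, not part of the original answer; the function names `cve_fixed_in`, `audit_cves` and `sample_changelog` are hypothetical, and the sample input is an abridged copy of the changelog excerpt quoted above.

```shell
#!/bin/sh
# Added example: audit an RPM changelog for CVE fixes.
# On a live RHEL/CentOS host, feed it the installed package's changelog:
#   rpm -q --changelog openssl > /tmp/openssl.changelog
#   audit_cves /tmp/openssl.changelog CVE-2014-0160

# Print the version-release of the changelog entry that mentions CVE $1.
# Reads changelog text on stdin; exit status 1 if the CVE is never mentioned.
cve_fixed_in() {
    awk -v cve="$1" '
        /^\* / { entry = $NF }    # entry header: last field is version-release
        /^- / && $0 ~ (cve "([^0-9]|$)") { print entry; found = 1; exit }
        END    { exit (found ? 0 : 1) }
    '
}

# audit_cves FILE CVE... : one line per CVE; nonzero status if any is missing.
audit_cves() {
    file="$1"; shift
    status=0
    for cve in "$@"; do
        if rel=$(cve_fixed_in "$cve" < "$file"); then
            echo "$cve fixed-in $rel"
        else
            echo "$cve NOT-FOUND"
            status=1
        fi
    done
    return "$status"
}

# Abridged changelog excerpt from the answer above, used as offline sample input.
sample_changelog() {
    cat <<'EOF'
* Mon Jun 02 2014 Tom Mraz <tmraz redhat.com> 1.0.1e-16.14
- fix CVE-2010-5298 - possible use of memory after free
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability

* Mon Apr 07 2014 Tom Mraz <tmraz redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
EOF
}

# Demo on the sample: prints the build whose changelog entry lists the Heartbleed fix.
sample_changelog | cve_fixed_in CVE-2014-0160
```

Because `rpm -q --changelog` describes the installed package, a hit means the installed build already carries the backported fix, even though `openssl version` still prints 1.0.1e.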