  1. #1 (Just Joined!, joined May 2014, 14 posts)

    openssl upgrade from 0.9.8x to 0.9.8y to address security vulnerabilit


    Hello Experts,

    My product is using CentOS 5.8 and I am trying to upgrade the openssl version from 0.9.8w to 0.9.8y to address the following security vulnerabilities: CVE-2012-2333, CVE-2013-0166, CVE-2013-0169.

    While trying to upgrade I am facing the following dependency problems, and any insight into this will be highly appreciated.

    [root-M1 store]# openssl version
    OpenSSL 0.9.8w 23 Apr 2012

    [root-M1 store]# rpm -qa | grep openssl
    openssl-0.9.8e-22.el5
    openssl-0.9.8w-1

    [root-M1 store]# rpm -Uvh openssl-0.9.8y-1.i386.rpm
    error: Failed dependencies:
    libcrypto.so.6 is needed by (installed) m2crypto-0.16-8.el5.i386
    libcrypto.so.6 is needed by (installed) python-libs-2.4.3-46.el5.i386
    libcrypto.so.6 is needed by (installed) openldap-2.3.43-25.el5.i386
    libcrypto.so.6 is needed by (installed) net-snmp-libs-5.3.2.2-17.el5.i386
    libcrypto.so.6 is needed by (installed) postgresql-libs-8.1.23-1PGDG.rhel5.i386
    libcrypto.so.6 is needed by (installed) bind-libs-9.3.6-20.P1.el5.i386
    libcrypto.so.6 is needed by (installed) curl-7.15.5-15.el5.i386
    libcrypto.so.6 is needed by (installed) libnasl2-2.2.11-27.el5.i386
    libcrypto.so.6 is needed by (installed) nmap-4.11-2.i386
    libcrypto.so.6 is needed by (installed) wget-1.11.4-2.el5_4.1.i386
    libcrypto.so.6 is needed by (installed) nessus-server-2.2.11-27.el5.i386
    libcrypto.so.6 is needed by (installed) cyrus-sasl-2.1.22-5.el5_4.3.i386
    libcrypto.so.6 is needed by (installed) bind-utils-9.3.6-20.P1.el5.i386
    libcrypto.so.6 is needed by (installed) neon-0.25.5-10.el5_4.1.i386
    libcrypto.so.6 is needed by (installed) openldap-clients-2.3.43-25.el5.i386
    libcrypto.so.6 is needed by (installed) cyrus-sasl-md5-2.1.22-5.el5_4.3.i386
    libcrypto.so.6 is needed by (installed) stunnel-4.15-2.el5.1.i386
    libcrypto.so.6 is needed by (installed) distcache-1.4.5-14.1.i386
    libcrypto.so.6 is needed by (installed) tcpdump-3.9.4-15.el5.i386
    libcrypto.so.6 is needed by (installed) ntp-4.2.2p1-15.el5.centos.1.i386
    libcrypto.so.6 is needed by (installed) net-snmp-5.3.2.2-17.el5.i386
    libcrypto.so.6 is needed by (installed) fipscheck-1.2.0-1.el5.i386
    libcrypto.so.6 is needed by (installed) net-snmp-utils-5.3.2.2-17.el5.i386
    libcrypto.so.6 is needed by (installed) postgresql-8.1.23-1PGDG.rhel5.i386
    libcrypto.so.6 is needed by (installed) postgresql-server-8.1.23-1PGDG.rhel5.i386
    libcrypto.so.6 is needed by (installed) postgresql-contrib-8.1.23-1PGDG.rhel5.i386
    libcrypto.so.6 is needed by (installed) cavium-1.0-7.i386
    libssl.so.6 is needed by (installed) m2crypto-0.16-8.el5.i386
    libssl.so.6 is needed by (installed) python-libs-2.4.3-46.el5.i386
    libssl.so.6 is needed by (installed) openldap-2.3.43-25.el5.i386
    libssl.so.6 is needed by (installed) postgresql-libs-8.1.23-1PGDG.rhel5.i386
    libssl.so.6 is needed by (installed) curl-7.15.5-15.el5.i386
    libssl.so.6 is needed by (installed) libnasl2-2.2.11-27.el5.i386
    libssl.so.6 is needed by (installed) nmap-4.11-2.i386
    libssl.so.6 is needed by (installed) wget-1.11.4-2.el5_4.1.i386
    libssl.so.6 is needed by (installed) nessus-server-2.2.11-27.el5.i386
    libssl.so.6 is needed by (installed) neon-0.25.5-10.el5_4.1.i386
    libssl.so.6 is needed by (installed) quota-3.13-5.el5.i386
    libssl.so.6 is needed by (installed) openldap-clients-2.3.43-25.el5.i386
    libssl.so.6 is needed by (installed) stunnel-4.15-2.el5.1.i386
    libssl.so.6 is needed by (installed) distcache-1.4.5-14.1.i386
    libssl.so.6 is needed by (installed) postgresql-8.1.23-1PGDG.rhel5.i386
    libssl.so.6 is needed by (installed) postgresql-server-8.1.23-1PGDG.rhel5.i386
    libssl.so.6 is needed by (installed) postgresql-contrib-8.1.23-1PGDG.rhel5.i386

    I have created the openssl 0.9.8y rpm by using its source.

    Any input on this will be really helpful.

    Thanks,
    Vetri.

  2. #2 Irithori (Trusted Penguin, Munich, joined May 2009, 3,412 posts)
    Hi and welcome,

    There is no need to build your own openssl rpm.
    In fact I would advise against it, because
    - Red Hat maintains its own patches
    - and quite a lot of services depend on openssl, which may potentially break with a random openssl version.

    There are two issues
    1) You want the CVE addressed
    2) package dependency problems

    About 1)
    The CVEs are old and already addressed.
    See:
    https://access.redhat.com/security/cve/CVE-2013-0169
    https://access.redhat.com/security/cve/CVE-2012-2333
    https://access.redhat.com/security/cve/CVE-2013-0166


    Red Hat released the openssl security updates on 2012-05-29 / 2013-03-04:
    https://rhn.redhat.com/errata/RHSA-2012-0699.html
    https://rhn.redhat.com/errata/RHSA-2013-0587.html

    You will notice that the fixed versions still have the "e":
    openssl-0.9.8e-22.el5_8.4.i386.rpm
    openssl-0.9.8e-26.el5_9.1.i386.rpm

    This is because Red Hat backports fixes and keeps a stable version/feature set.

    So to address the vulnerabilities, just update your system with the default repositories.

    Which brings us to 2)
    - Use default repositories
    - Use yum to resolve dependencies and download packages
    And it will work magically.

    Btw, the latest version is openssl-0.9.8e-27.el5_10.1.i386.rpm
    You must always face the curtain with a bow.
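
    Because the fixes are backported, the package version string says nothing about which CVEs a build addresses; the rpm changelog does. The following is an added example, not code from this thread: a POSIX shell script that checks a changelog for the three CVE IDs, run here against two constructed changelog excerpts that reuse the build versions and dates cited above (the entry wording and bug references are placeholders, not Red Hat's real entries).

```shell
#!/bin/sh
# Added example: decide whether a backported OpenSSL build addresses given
# CVEs by reading its rpm changelog instead of its version string.
# On a real CentOS 5 host the changelog comes from:  rpm -q --changelog openssl
# Constructed excerpts are embedded below so the script runs offline.

CHANGELOG_0_9_8E_26='* Mon Mar 04 2013 (packager placeholder) 0.9.8e-26.el5_9.1
- fix for CVE-2013-0169 (constructed changelog entry, bz#PLACEHOLDER)
- fix for CVE-2013-0166 (constructed changelog entry, bz#PLACEHOLDER)
* Tue May 29 2012 (packager placeholder) 0.9.8e-22.el5_8.4
- fix for CVE-2012-2333 (constructed changelog entry, bz#PLACEHOLDER)'

CHANGELOG_0_9_8E_22='* Tue May 29 2012 (packager placeholder) 0.9.8e-22.el5_8.4
- fix for CVE-2012-2333 (constructed changelog entry, bz#PLACEHOLDER)'

# cve_in_changelog CHANGELOG CVE-ID: succeed if the changelog mentions the CVE
cve_in_changelog() {
    printf '%s\n' "$1" | grep -q -i -- "$2"
}

# missing_cves CHANGELOG CVE-ID...: print each CVE the changelog does not mention
missing_cves() {
    _log=$1; shift
    for _cve in "$@"; do
        cve_in_changelog "$_log" "$_cve" || printf '%s\n' "$_cve"
    done
}

# report LABEL CHANGELOG CVE-ID...: print a verdict; exit 0 only if all are fixed
report() {
    _label=$1; _log=$2; shift 2
    _missing=$(missing_cves "$_log" "$@")
    if [ -z "$_missing" ]; then
        echo "$_label: all requested CVEs are listed as fixed"
        return 0
    fi
    echo "$_label: NOT fixed: $(printf '%s' "$_missing" | tr '\n' ' ')"
    return 1
}

# The three CVEs from the original question, checked against both builds
WANTED="CVE-2012-2333 CVE-2013-0166 CVE-2013-0169"
report "openssl-0.9.8e-22.el5_8.4" "$CHANGELOG_0_9_8E_22" $WANTED || true
report "openssl-0.9.8e-26.el5_9.1" "$CHANGELOG_0_9_8E_26" $WANTED || true
```

    On a live host, replace the embedded excerpts with the output of `rpm -q --changelog openssl`; a CVE missing from the changelog of the installed build is the signal to update, whatever the version string says.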

  3. #3 (Just Joined!, joined May 2014, 14 posts)
    Since we are already on openssl version 0.9.8w, is there any other way to resolve those vulnerabilities in 0.9.8w itself by applying patches?
    Reverting back to openssl 0.9.8e is not approved by management.

  4. #4 Irithori (Trusted Penguin, Munich, joined May 2009, 3,412 posts)
    Then management is wrong and misinformed.

    How is this management's call, to decide this purely technical issue?
    Or would you as a tech guy (I assume) decide on business issues?

    Again:
    With the default repository you don't revert to 0.9.8e.
    You install a supported, patched and backported version of 0.9.8e.
    A version that was tested by redhat together with all the apps and tools that depend on it.
    You must always face the curtain with a bow.

  5. #5 (Just Joined!, joined May 2014, 14 posts)
    Thanks Irithori.

    Is only the 0.9.8e version in the 0.9.8 series backported with all the security fixes by Red Hat?

  6. #6 Irithori (Trusted Penguin, Munich, joined May 2009, 3,412 posts)
    Yes.
    Red Hat provides a feature- and version-frozen environment, which is valuable as a basis, especially in conjunction with commercial applications and tools.
    Security patches are provided by backports.

    In other words: openssl in Red Hat 5 will stay at 0.9.8e but still be secure.
    Please read the links I provided in my first reply to see for yourself.
    You must always face the curtain with a bow.

  7. #7 (Just Joined!, joined Aug 2012, 5 posts)
    Hi Irithori,

    Where can I get the fix details for the vulnerabilities CVE-2012-2333, CVE-2013-0166, CVE-2013-0169?

    I searched on the internet but I am not able to find them.

    Please help me on this.

  8. #8 Irithori (Trusted Penguin, Munich, joined May 2009, 3,412 posts)
    ..are you serious?

    You read the links I showed earlier, right?
    https://access.redhat.com/security/cve/CVE-2013-0169
    https://access.redhat.com/security/cve/CVE-2012-2333
    https://access.redhat.com/security/cve/CVE-2013-0166

    They provide links to the MITRE CVE dictionary and NIST NVD.
    They provide links to the fixed version for each Red Hat product, e.g. https://rhn.redhat.com/errata/RHSA-2013-0587.html
    The same example link I already showed earlier.
    On that page you see -again- a description of the bug and links to bugzilla, which contains discussions on the issue.

    With the source rpms before and after the bugfix release, you could see what Red Hat actually applied.

    Besides: Google searches for CVE-* provide useful links.
    It is hard to believe that you couldn't find anything.
    Last edited by Irithori; 05-28-2014 at 01:20 PM.
    You must always face the curtain with a bow.

  9. #9 (Just Joined!, joined Aug 2012, 5 posts)
    Sorry if my wording has confused you.

    As I mentioned earlier, we are running openssl version 0.9.8w and my management is asking me to compile the source again with the code fixes for those vulnerabilities as patches in the source.

    I have got code changes for the vulnerabilities from the net; however, to double-confirm this I need the exact code diff between openssl versions 0.9.8x and 0.9.8y (since these vulnerabilities are fixed in 0.9.8x and 0.9.8y) for these vulnerabilities.

    I am not sure whether I can take the code diff for the vulnerabilities from the Red Hat backport versions openssl-0.9.8e-26.el5_9.1 and openssl-0.9.8e-22.el5_8.4.

    Note: moving to the openssl-0.9.8e-26.el5_9.1 version is not possible for us since we are already on 0.9.8w.

    Looking forward to your reply.

  10. #10 Irithori (Trusted Penguin, Munich, joined May 2009, 3,412 posts)
    In my opinion, recompiling 0.9.8w and adding your own patches for a Red Hat OS is flat out wrong.
    I explained the technical reasons in this thread and also in your "tar" thread.

    On top of that, being your own package provider uses resources.
    Development time, testing, providing the infrastructure, etc etc.
    So also from a business perspective your approach is questionable.

    You know my opinion by now.
    - Scrap that 0.9.8w and go back to the default Red Hat package.
    - If you cannot do that because of a missing Red Hat subscription, then migrate to CentOS.

    It is of course your decision to go for the patch approach.
    However, I cannot and will not help you on this way.
    You must always face the curtain with a bow.
