http://www.openssl.org/news/secadv_20060905.txt
http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-4339
What about OpenSSL used on cPanel servers? This is a really serious threat so please respond!
Last edited by Domenico; 09-08-2006 at 05:30 AM.
█ Webhostingtalk.nl :: For all your Dutch (AMS-IX - Amsterdam) and European hosting quotes
█ The best and only hosting forum you need in Europe
█ You can ask your quotes and questions in English!
This is just simply incomprehensible: even after updating OpenSSL to the latest version (manually compiling), cPanel still tries to undo the changes. Look what happens when I recompile Apache:
---
Warning !! openssl-devel has been modified... reinstalling....Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Excluding Packages in global exclude list
Finished
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package openssl-devel.i586 0:0.9.7a-43.10 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
openssl-devel i586 0.9.7a-43.10 base 1.6 M
---
What the **************** is this? What kind of repo is CentOS using here...? The 2003 openssl version came straight out of Redhat 9, so this is just great.
Well, I'm able to skip the openssl updating process by adding it to the exclude list in /etc/yum.conf, but still, it's ridiculous that everybody is still using some ancient version by default...
Submit it as a bug request to cPanel so they can update theirs!
UK Managed Hosting and Linux support
The information given above is intended to be advice only.
Really, you can login as root to someone's box easily, so cPanel guys, please fix asap.
Hi Domenico,
I've read about this subject too on the Dutch WHT (I've another nick there).
Have you personally tried to "hack" into your own cPanel server without using a root password? I believe cPanel is using an altered version of OpenSSL.
Regards.
On Red Hat distributions like Fedora, CentOS or Red Hat Enterprise the OpenSSL version number is not correct. That is because Red Hat is using a custom version of OpenSSL. Even though it appears to be old and insecure, it is a new and safe version. If you update it manually you will **************** things up and you may break dependencies. Red Hat doesn't like custom versions of OpenSSL at all. For example, after I updated OpenSSL manually, attempts to update Apache failed completely. I had to copy the openssl file from another Red Hat server and add it to the new server. So I think/hope you can forget about OpenSSL not being safe. It is just because Red Hat distributions are using their own version of OpenSSL with an incorrect old version number, as far as I understand it.
Last edited by driverC; 09-08-2006 at 01:41 PM.
I don't think this has anything to with CPanel, openssl is updated by the OS.
I tried to update openssl with yum to openssl-0.9.7a-43.11 (the latest version it seems) on CentOS 4.3 and 4.4, but it says it has nothing to update.
We know this has nothing to do with cPanel but all of our cPanel boxes have the same 'old' version;
openssl version
OpenSSL 0.9.7a Feb 19 2003
Upgrading to the latest version has no use since the daily cPanel update process puts the old version back.
Can someone from the cPanel team please react? Nick?
Originally Posted by Domenico
The best way is to open a support ticket.
Why using 'openssl version' to determine your version is pointless has already been pointed out in this thread by driverC
You could try this to see which version you have installed:
Code:
root@host [~]# rpm -qa openssl
openssl-0.9.7a-43.10
You can check for which platforms CentOS has released openssl-0.9.7a-43.11 here:
http://lists.centos.org/pipermail/ce...er/thread.html
Open /etc/yum.conf and add "OpenSSL*" to the exclude list. Then manually compile the new openssl version and you're good to go.
Originally Posted by Domenico
Well, nothing is corrupted here:
# openssl version
OpenSSL 0.9.8c 05 Sep 2006
# rpm -qa | grep openssl
openssl-0.9.7a-43.10
43.10, what the hell is that supposed to mean? How am I supposed to know how the patchlevel reflects vulnerability?
By reading the release info maybe, and looking at the release date? I gave you a link to the CentOS archive; all the info you need is there. Of course, if you prefer to manually compile and update all your software then you're free to do so...
Originally Posted by eXite
You want my ip so you can show me how it's done?
Originally Posted by Domenico
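The check eXite describes above (read the RPM release field from `rpm -qa openssl` rather than the `openssl version` banner, and compare it with the 43.11 release CentOS shipped) as an added example; this is not code from the thread or from cPanel/CentOS. It assumes the fixed package is openssl-0.9.7a-43.11 as stated in the thread, and the sample package names it loops over are constructed.

```shell
# Added example, not code from the thread: decide from the RPM release field
# whether a CentOS/RHEL openssl package is at or past openssl-0.9.7a-43.11, the
# release the thread names as the first one carrying the CVE-2006-4339 fix.
# "openssl version" keeps printing "0.9.7a Feb 19 2003" on backported builds,
# so only the rpm version-release is meaningful.

FIXED_VR="0.9.7a-43.11"   # version-release taken from the thread

# vr_at_least <installed version-release> <required version-release>
# 0: installed release >= required; 1: older; 2: different upstream version,
# so the release numbers are not comparable. Release parts are compared
# numerically, left to right ("43.9" < "43.11"; non-numeric parts count as 0).
vr_at_least() {
    [ "${1%%-*}" = "${2%%-*}" ] || return 2
    awk -v a="${1#*-}" -v b="${2#*-}" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 1
            if (p > q) exit 0
        }
        exit 0
    }'
}

# check_nvr <line as printed by "rpm -qa openssl">
# Prints a verdict; exit status mirrors vr_at_least.
check_nvr() {
    vr=${1#openssl-}                      # openssl-0.9.7a-43.10 -> 0.9.7a-43.10
    vr_at_least "$vr" "$FIXED_VR"; rc=$?
    case $rc in
        0) echo "$1: release >= $FIXED_VR, CVE-2006-4339 fix present" ;;
        1) echo "$1: release < $FIXED_VR, CVE-2006-4339 fix NOT present" ;;
        *) echo "$1: upstream version differs from $FIXED_VR, check that build's changelog" ;;
    esac
    return $rc
}

# Constructed sample lines standing in for "rpm -qa openssl" on three boxes.
for nvr in openssl-0.9.7a-43.10 openssl-0.9.7a-43.11 openssl-0.9.7a-43.14; do
    check_nvr "$nvr" || :
done

# Live check when rpm is available and the package is installed.
if command -v rpm >/dev/null 2>&1 && rpm -q openssl >/dev/null 2>&1; then
    check_nvr "openssl-$(rpm -q openssl --qf '%{VERSION}-%{RELEASE}\n' | head -n1)" || :
fi
```

The same comparison applies to any later backported errata: change FIXED_VR to the release named in the vendor advisory instead of trusting the upstream version string.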