
Open SSL vulnerability

Discussion in 'General Discussion' started by equens, Mar 19, 2004.

  1. equens

    equens Well-Known Member

    Joined:
    Feb 8, 2002
    Messages:
    270
    Likes Received:
    0
    Trophy Points:
    16
    Hello, how can I update OpenSSL to 0.9.7d or 0.9.6m?
     
  2. equens

    equens Well-Known Member

    Joined:
    Feb 8, 2002
    Messages:
    270
    Likes Received:
    0
    Trophy Points:
    16
    Denial of Service flaws in 0.9.6l and 0.9.7c

    All versions of OpenSSL from 0.9.6c to 0.9.6l inclusive and from 0.9.7a to 0.9.7c inclusive are affected by this issue. If cPanel only has 0.9.6b or 0.9.7a we have a problem!

    Recommendations
    ---------------
    Upgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications
    statically linked to OpenSSL libraries.

    More info: OpenSSL
     
  3. Dreamer

    Dreamer Well-Known Member

    Joined:
    Jun 23, 2003
    Messages:
    129
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Bulgaria
    But only if Red Hat's versioning was the same.
     
  4. BrightAdmin

    BrightAdmin Well-Known Member

    Joined:
    Feb 29, 2004
    Messages:
    204
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    These are the steps which I followed to manually upgrade openssl:

    1) Download the openssl distribution from www.openssl.org.
    2) Untar the distribution using tar -zxvf
    3) Run
    ./config --prefix=/usr/local --openssldir=/usr/local/openssl
    guesses at your operating system and compiler automatically. Run ./config -t to see if it guessed correctly.
    OR
    ./Configure -- Manually configure openssl for your operating system.
    make
    make test
    make install

    Hope it may be helpful to you.

    Regards,

    Bright:)
     
  5. hyrum

    hyrum Member

    Joined:
    Nov 1, 2001
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Is there any official update from Cpanel coming soon?
     
  6. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    The updates don't come from cpanel, cpanel just distributes them. You should be pointing the finger at your distributor, or those responsible for releasing the packages.
     
  7. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    Actually I did update SSL from the openssl site a few days ago but WHM still says 0.96d. Something I didn't do right?
     
  8. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    Did you install from source? If so, source doesn't overwrite an installed rpm. WHM will only get the version number of the rpm. So if you still have the rpm installed it's getting it from that.
     
  9. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    ah ok thanks, I need to remove the RPM first then :D
     
  10. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    I'm on RH9 and up2date shows that there is an available update, but running /scripts/updatenow and /scripts/sysup does not update the software.
     
  11. Dreamer

    Dreamer Well-Known Member

    Joined:
    Jun 23, 2003
    Messages:
    129
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Bulgaria
  12. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    Hmm, maybe I'm not doing it right. I removed it, re-compiled again and Apache wouldn't start; it said it was missing lib.so.2, I think. Started over and same thing again. I tried an RPM to upgrade; it said I needed glib 2.3, I have 2.2. This is a 7.3 system; seems I need this to update a bunch of stuff... but

    root [/]# openssl
    OpenSSL> version
    OpenSSL 0.9.7d 17 Mar 2004
    OpenSSL> quit
    root [/]#


    lol this is messed up
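
Added example, not part of any post in this thread and not cPanel or OpenSSL project code: a shell triage that applies the affected ranges quoted in the second post to each place a version number can come from (the `openssl` on PATH, the installed RPM, and the libraries a binary such as Apache resolves), which is where the source-versus-RPM confusion above arises. The function names and the optional binary argument are illustrative, and the RPM name in the comment is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the thread). Ranges are those quoted in post 2:
# 0.9.6c..0.9.6l and 0.9.7a..0.9.7c inclusive.

# affected VERSION: exit 0 if the upstream version is in the quoted ranges.
affected() {
    case "$1" in
        0.9.6[cdefghijkl]|0.9.7[abc]) return 0 ;;
        *) return 1 ;;
    esac
}

# upstream_version STRING: pull "0.9.Nx" out of `openssl version` output or
# an RPM name such as "openssl-0.9.6b-35.7" (constructed sample).
upstream_version() {
    printf '%s\n' "$1" | LC_ALL=C sed -n 's/.*\(0\.9\.[0-9][a-z]\{0,1\}\).*/\1/p'
}

# triage LABEL STRING: one verdict line per version source.
triage() {
    v=$(upstream_version "$2")
    if [ -z "$v" ]; then
        echo "$1: no 0.9.x version found"
    elif affected "$v"; then
        echo "$1: $v in advisory range"
    else
        echo "$1: $v outside advisory range"
    fi
}

# audit [BINARY]: compare the three places a version can come from.
# BINARY is any program linked against OpenSSL, e.g. your httpd (path assumed).
audit() {
    triage "openssl on PATH ($(command -v openssl))" "$(openssl version 2>/dev/null)"
    if command -v rpm >/dev/null 2>&1; then
        # Vendor RPMs may carry backported fixes under an old upstream number;
        # confirm with: rpm -q --changelog openssl
        triage "installed RPM" "$(rpm -q openssl 2>/dev/null)"
    fi
    if [ -n "${1:-}" ]; then
        # Shows which libssl/libcrypto files the binary resolves at load time.
        ldd "$1" 2>/dev/null | grep -E 'lib(ssl|crypto)' ||
            echo "$1: no shared libssl/libcrypto resolved"
    fi
}

if [ "${1:-}" = "--audit" ]; then audit "${2:-}"; fi
```

Run it as `sh script.sh --audit /path/to/httpd`. A PATH binary that reports 0.9.7d while the RPM or the libraries Apache resolves still report an older version is the split state described in posts 8 and 12.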
     
  13. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Well, cpanel support says everything's okay. When the cpanel version needs to be patched it will be.
     
  14. GOT

    GOT Get Proactive!

    Joined:
    Apr 8, 2003
    Messages:
    900
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Norfolk, VA
    cPanel Access Level:
    DataCenter Provider
    I had to change that config line some:

    ./config --prefix=/usr --openssldir=/usr/include/openssl

    And it seems to be working here.
     
  15. gundamz

    gundamz Well-Known Member

    Joined:
    Mar 27, 2002
    Messages:
    245
    Likes Received:
    0
    Trophy Points:
    16
    Apparently,

    my server is hacked because of openssl. I'm on openssl 0.96b. The hacker installed eggdrop and BNC in my /tmp folder and ran them.

    I'd like to know how serious this can get. Can this hacker delete other files on my server? Can he hijack my server?

    How can I fix this problem without restoring my server?
     
  16. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    The trouble I'm having now is that the new openssl doesn't seem to work with the config I have

    This
    './configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-kerberos' '--with-pspell' '--with-imap' '--with-imap-ssl' '--with-gettext' '--with-xml' '--with-dom' '--with-dom-xslt' '--with-dom-exslt=/usr/lib/exslt' '--with-fdftk' '--enable-bcmath' '--enable-calendar' '--with-curl' '--with-swf=/usr/local/flash' '--enable-ftp' '--with-jpeg-dir=/usr/local' '--with-png-dir=/usr' '--with-xpm-dir=/usr/X11R6' '--with-ttf' '--with-freetype-dir' '--with-gd' '--enable-gd-native-ttf' '--enable-mbstring' '--enable-mbstr-enc-trans' '--enable-mbregex' '--with-mcrypt' '--with-ming=../ming-0.2a' '--enable-magic-quotes' '--with-mysql' '--with-pdflib' '--with-pear' '--enable-xslt' '--with-xslt-sablot=/usr' '--enable-sockets' '--enable-track-vars' '--enable-versioning' '--with-zlib' '--with-openssl' '--with-bz2' '--enable-dba' '--with-flatfile' '--with-db3' '--enable-dbase' '--enable-exif' '--enable-wddx' '--enable-trans-sid' '--with-mm' '--enable-dio' '--enable-sysvsem' '--with-zip' '--with-mhash'

    doesn't work

    The most basic
    './configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-xml' '--enable-bcmath' '--enable-calendar' '--enable-ftp' '--with-gd' '--with-jpeg-dir=/usr/local' '--with-png-dir=/usr' '--with-xpm-dir=/usr/X11R6' '--with-mcrypt' '--enable-magic-quotes' '--with-mysql' '--enable-discard-path' '--with-pear' '--enable-sockets' '--enable-track-vars' '--with-ttf' '--with-freetype-dir=/usr' '--enable-gd-native-ttf' '--enable-versioning' '--with-zlib'

    does work.

    even more basic
    './configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-xml' '--enable-bcmath' '--enable-calendar' '--enable-ftp' '--enable-magic-quotes' '--with-mysql' '--with-pear' '--enable-sockets' '--enable-track-vars' '--enable-versioning' '--with-zlib'

    works

    It gets as far as Curl then says error configuration, and just errors out.. :(

    any suggestions?
     
    #16 DigiCrime, Apr 28, 2004
    Last edited: Apr 28, 2004