OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

bouvrie · Apr 8, 2014

Mod Note -
Official Response by the cPanel Security Team has been posted to the cPanel Blog:

Heartbleed Vulnerability Information - cPanel Blog

[HR][/HR]

Hi everyone. Any news on when OpenSSL 1.0.1g will be made available / pushed for us? Current version is 1.0.1e and that version is vulnerable to the OpenSSL Heartbleed bug.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

Source. Test for vulnerability here.

What is being leaked?
Encryption is used to protect secrets that may harm your privacy or security if they leak. In order to coordinate recovery from this bug we have classified the compromised secrets to four categories:

primary key material,
secondary key material and
protected content and
collateral.

What is leaked primary key material and how to recover?
These are the crown jewels, the encryption keys themselves. Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption. All this has to be done by the owners of the services.

What is leaked secondary key material and how to recover?
These are for example the user credentials (user names and passwords) used in the vulnerable services. Recovery from this leaks requires owners of the service first to restore trust to the service according to steps described above. After this users can start changing their passwords and possible encryption keys according to the instructions from the owners of the services that have been compromised. All session keys and session cookies should be invalided and considered compromised.

What is leaked protected content and how to recover?
This is the actual content handled by the vulnerable services. It may be personal or financial details, private communication such as emails or instant messages, documents or anything seen worth protecting by encryption. Only owners of the services will be able to estimate the likelihood what has been leaked and they should notify their users accordingly. Most important thing is to restore trust to the primary and secondary key material as described above. Only this enables safe use of the compromised services in the future.

What is leaked collateral and how to recover?
Leaked collateral are other details that have been exposed to the attacker in the leaked memory content. These may contain technical details such as memory addresses and security measures such as canaries used to protect against overflow attacks. These have only contemporary value and will lose their value to the attacker when OpenSSL has been upgraded to a fixed version.

ThinIce · Apr 8, 2014

Looks like there is a CentOS / Redhat release of a patched version https://rhn.redhat.com/errata/RHSA-2014-0376.html

Does anyone know if it's necessary to actually rebuild apache, or is a restart sufficient?

Edit: am aware of the note below, but as we aren't using the os provided httpd

For the update to take
effect, all services linked to the OpenSSL library (such as httpd and other
SSL-enabled services) must be restarted or the system rebooted.

serlex · Apr 8, 2014

Any way to reset cpanel certificates via SSH? this is a problem when resetting over 1k servers

semseoymas · Apr 8, 2014

With WHM 11.42.0 (build 19) in my case, it seems WHM/cpanel need to be fixed...

Test your server for Heartbleed (CVE-2014-0160)

Just test your server using :port

I do not know what to say about apache/nginx listening at 443... updated libssl with yum, and restarted, but Apache already vulnerable. If compiling again would fix?

There is not a quick solution instead of needing to recompile apache at every machine?

Thanks.

bouvrie · Apr 8, 2014

On WHM 11.42.0 (build 23) HTTPS (SSL) is vulnerable on port :443. WHM port :2087 is also vulnerable.

jacobcolton · Apr 8, 2014

Yum updates don't seem to be fixing it, just recompiling at the moment seems to resolve it.

bouvrie · Apr 8, 2014

Please be so kind to publish how to recompile.

ThinIce · Apr 8, 2014

bouvrie said:
Please be so kind to publish how to recompile.

From what I can see, with regards cPanel itself on CentOS or RHEL, yum update to install the updated packages, then restart all affected services linked to openssl or if you aren't sure, reboot.

Others have said above that apache needs to be recompiled, in the absence of a post from cPanel, do that as normal through easyapache after you have the new package.

EDIT - recompile of apache shouldn't be necessary, but a complete restart (i.e. a full stop of all apache processes) will be necessary - graceful restart not enough

What you do after that is just as interesting. This according to the write up has been a potential for exploitation for a while and successful exploitation would leave no log trace. As such it seems a fair bit of regenerating of keys / ssl certs and then changing any details (like passwords) they have protected may be appropriate. It seems we might have a bit of a rabbit hole job :p

jerrybell · Apr 8, 2014

Re: OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

The issue is that CentOS, at least with the repos that Cpanel uses, does not yet contain the updates library. Yum update finds nothing to update.

This bug is turning out to be quite bad. There are demonstrations where usernames and plaintext passwords are being pulled off of web servers. Once updated, it might be a good idea to reset passwords in addition to certs.

Hopefully updated libraries will be pushed out for centos soon.

- - - Updated - - -

As it turns out, an OpenSSL update was automatically applied last night. It looks like the 1.01e lib was just recompiled (probably with heartbeat disabled). I was thrown off because the vulnerable version number was appearing, however looking at the files for OpenSSL clearly shows it was updated. When I restarted apache, it was no longer vulnerable.

Infopro · Apr 8, 2014

WHM » Software » Update System Software

Code:

checkyum version 21.1
Loaded plugins: fastestmirror, rhnplugin, security
Loading mirror speeds from cached hostfile
 * cloudlinux-x86_64-server-6: xmlrpc.cln.cloudlinux.com
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-devel.x86_64 0:1.10.3-10.el6_4.6 will be updated
---> Package krb5-devel.x86_64 0:1.10.3-15.el6_5.1 will be an update
---> Package krb5-libs.x86_64 0:1.10.3-10.el6_4.6 will be updated
---> Package krb5-libs.x86_64 0:1.10.3-15.el6_5.1 will be an update
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.4 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.4 will be updated
---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch    Version               Repository                   Size
================================================================================
Updating:
 krb5-devel     x86_64  1.10.3-15.el6_5.1     cloudlinux-x86_64-server-6  494 k
 krb5-libs      x86_64  1.10.3-15.el6_5.1     cloudlinux-x86_64-server-6  760 k
 openssl        x86_64  1.0.1e-16.el6_5.7     cloudlinux-x86_64-server-6  1.5 M
 openssl-devel  x86_64  1.0.1e-16.el6_5.7     cloudlinux-x86_64-server-6  1.2 M

Transaction Summary
================================================================================
Upgrade       4 Package(s)

Total download size: 3.9 M
Downloading Packages:
--------------------------------------------------------------------------------
Total                                           1.8 MB/s | 3.9 MB     00:02     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction

  Updating   : krb5-libs-1.10.3-15.el6_5.1.x86_64                           1/8 

  Updating   : openssl-1.0.1e-16.el6_5.7.x86_64                             2/8 

  Updating   : krb5-devel-1.10.3-15.el6_5.1.x86_64                          3/8 

  Updating   : openssl-devel-1.0.1e-16.el6_5.7.x86_64                       4/8 

  Cleanup    : openssl-devel-1.0.1e-16.el6_5.4.x86_64                       5/8 

  Cleanup    : krb5-devel-1.10.3-10.el6_4.6.x86_64                          6/8 

  Cleanup    : openssl-1.0.1e-16.el6_5.4.x86_64                             7/8 

  Cleanup    : krb5-libs-1.10.3-10.el6_4.6.x86_64                           8/8 

  Verifying  : openssl-devel-1.0.1e-16.el6_5.7.x86_64                       1/8 

  Verifying  : krb5-libs-1.10.3-15.el6_5.1.x86_64                           2/8 

  Verifying  : openssl-1.0.1e-16.el6_5.7.x86_64                             3/8 

  Verifying  : krb5-devel-1.10.3-15.el6_5.1.x86_64                          4/8 

  Verifying  : openssl-1.0.1e-16.el6_5.4.x86_64                             5/8 

  Verifying  : openssl-devel-1.0.1e-16.el6_5.4.x86_64                       6/8 

  Verifying  : krb5-libs-1.10.3-10.el6_4.6.x86_64                           7/8 

  Verifying  : krb5-devel-1.10.3-10.el6_4.6.x86_64                          8/8 

Updated:
  krb5-devel.x86_64 0:1.10.3-15.el6_5.1                                         
  krb5-libs.x86_64 0:1.10.3-15.el6_5.1                                          
  openssl.x86_64 0:1.0.1e-16.el6_5.7                                            
  openssl-devel.x86_64 0:1.0.1e-16.el6_5.7                                      

Complete!
checkyum version 21.1

bouvrie · Apr 8, 2014

How about your WHM SSL port ( 2087 ) - that one is still vulnerable, the tester reports...

jerrybell · Apr 8, 2014

I had to restart cpanel, but once I did, all the cpanel ports show not vulnerable.

Guile · Apr 8, 2014

WHM » Software » Update System Software only showed the following:

checkyum version 21.1
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* base: mirrors.advancedhosters.com
* extras: mirror.cogentco.com
* rpmforge: mirror.teklinks.com
* updates: bay.uchicago.edu
Setting up Update Process
No Packages marked for Update
checkyum version 21.1

mahinder · Apr 8, 2014

Yes, After rebooting the server, services are not shown as vulnerable. Restart the service or just reboot the server.

Jorel · Apr 8, 2014

Infopro said:
WHM » Software » Update System Software

Code:

checkyum version 21.1
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.atwab.net
 * extras: less.cogeco.net
 * updates: www.cubiculestudio.com
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package atk.x86_64 0:1.28.0-2.el6 will be updated
---> Package atk.x86_64 0:1.30.0-1.el6 will be an update
---> Package bash.x86_64 0:4.1.2-14.el6 will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_4 will be an update
---> Package bind.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be updated
---> Package bind.x86_64 32:9.8.2-0.23.rc1.el6_5.1 will be an update
---> Package bind-devel.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be updated
---> Package bind-devel.x86_64 32:9.8.2-0.23.rc1.el6_5.1 will be an update
---> Package bind-libs.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be updated
---> Package bind-libs.x86_64 32:9.8.2-0.23.rc1.el6_5.1 will be an update
---> Package bind-utils.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be updated
---> Package bind-utils.x86_64 32:9.8.2-0.23.rc1.el6_5.1 will be an update
---> Package ca-certificates.noarch 0:2010.63-3.el6_1.5 will be updated
---> Package ca-certificates.noarch 0:2013.1.95-65.1.el6_5 will be an update
--> Processing Dependency: p11-kit-trust >= 0.18.4-2 for package: ca-certificates-2013.1.95-65.1.el6_5.noarch
--> Processing Dependency: p11-kit >= 0.18.4-2 for package: ca-certificates-2013.1.95-65.1.el6_5.noarch
---> Package centos-release.x86_64 0:6-4.el6.centos.10 will be updated
---> Package centos-release.x86_64 0:6-5.el6.centos.11.2 will be an update
---> Package chkconfig.x86_64 0:1.3.49.3-2.el6 will be updated
---> Package chkconfig.x86_64 0:1.3.49.3-2.el6_4.1 will be an update
---> Package coreutils.x86_64 0:8.4-31.el6 will be updated
---> Package coreutils.x86_64 0:8.4-31.el6_5.1 will be an update
---> Package coreutils-libs.x86_64 0:8.4-31.el6 will be updated
---> Package coreutils-libs.x86_64 0:8.4-31.el6_5.1 will be an update
---> Package cronie.x86_64 0:1.4.4-7.el6 will be updated
---> Package cronie.x86_64 0:1.4.4-12.el6 will be an update
---> Package cronie-anacron.x86_64 0:1.4.4-7.el6 will be updated
---> Package cronie-anacron.x86_64 0:1.4.4-12.el6 will be an update
---> Package cups-libs.x86_64 1:1.4.2-50.el6_4.4 will be updated
---> Package cups-libs.x86_64 1:1.4.2-50.el6_4.5 will be an update
---> Package curl.x86_64 0:7.19.7-35.el6 will be updated
---> Package curl.x86_64 0:7.19.7-37.el6_4 will be an update
---> Package cvs.x86_64 0:1.11.23-15.el6 will be updated
---> Package cvs.x86_64 0:1.11.23-16.el6 will be an update
---> Package db4.x86_64 0:4.7.25-17.el6 will be updated
---> Package db4.x86_64 0:4.7.25-18.el6_4 will be an update
---> Package db4-cxx.x86_64 0:4.7.25-17.el6 will be updated
---> Package db4-cxx.x86_64 0:4.7.25-18.el6_4 will be an update
---> Package db4-devel.x86_64 0:4.7.25-17.el6 will be updated
---> Package db4-devel.x86_64 0:4.7.25-18.el6_4 will be an update
---> Package db4-utils.x86_64 0:4.7.25-17.el6 will be updated
---> Package db4-utils.x86_64 0:4.7.25-18.el6_4 will be an update
---> Package device-mapper.x86_64 0:1.02.77-9.el6 will be updated
---> Package device-mapper.x86_64 0:1.02.79-8.el6 will be an update
---> Package device-mapper-event.x86_64 0:1.02.77-9.el6 will be updated
---> Package device-mapper-event.x86_64 0:1.02.79-8.el6 will be an update
---> Package device-mapper-event-libs.x86_64 0:1.02.77-9.el6 will be updated
---> Package device-mapper-event-libs.x86_64 0:1.02.79-8.el6 will be an update
---> Package device-mapper-libs.x86_64 0:1.02.77-9.el6 will be updated
---> Package device-mapper-libs.x86_64 0:1.02.79-8.el6 will be an update
---> Package device-mapper-persistent-data.x86_64 0:0.1.4-1.el6 will be updated
---> Package device-mapper-persistent-data.x86_64 0:0.2.8-2.el6 will be an update
---> Package dhclient.x86_64 12:4.1.1-34.P1.el6.centos will be updated
---> Package dhclient.x86_64 12:4.1.1-38.P1.el6.centos will be an update
---> Package dhcp-common.x86_64 12:4.1.1-34.P1.el6.centos will be updated
---> Package dhcp-common.x86_64 12:4.1.1-38.P1.el6.centos will be an update
---> Package dmidecode.x86_64 1:2.11-2.el6 will be updated
---> Package dmidecode.x86_64 1:2.12-5.el6_5 will be an update
---> Package efibootmgr.x86_64 0:0.5.4-10.el6 will be updated
---> Package efibootmgr.x86_64 0:0.5.4-11.el6 will be an update
---> Package ethtool.x86_64 2:3.5-1.el6 will be updated
---> Package ethtool.x86_64 2:3.5-1.2.el6_5 will be an update
---> Package expect.x86_64 0:5.44.1.15-4.el6 will be updated
---> Package expect.x86_64 0:5.44.1.15-5.el6_4 will be an update
---> Package ftp.x86_64 0:0.17-53.el6 will be updated
---> Package ftp.x86_64 0:0.17-54.el6 will be an update
---> Package ghostscript.x86_64 0:8.70-15.el6_4.1 will be updated
---> Package ghostscript.x86_64 0:8.70-19.el6 will be an update
---> Package glib2.x86_64 0:2.22.5-7.el6 will be updated
---> Package glib2.x86_64 0:2.26.1-7.el6_5 will be an update
--> Processing Dependency: shared-mime-info for package: glib2-2.26.1-7.el6_5.x86_64
---> Package gnupg2.x86_64 0:2.0.14-4.el6 will be updated
---> Package gnupg2.x86_64 0:2.0.14-6.el6_4 will be an update
---> Package gnutls.x86_64 0:2.8.5-10.el6_4.1 will be updated
---> Package gnutls.x86_64 0:2.8.5-13.el6_5 will be an update
---> Package grep.x86_64 0:2.6.3-3.el6 will be updated
---> Package grep.x86_64 0:2.6.3-4.el6_5.1 will be an update
---> Package grub.x86_64 1:0.97-81.el6 will be updated
---> Package grub.x86_64 1:0.97-83.el6 will be an update
---> Package grubby.x86_64 0:7.0.15-3.el6 will be updated
---> Package grubby.x86_64 0:7.0.15-5.el6 will be an update
---> Package gtk2.x86_64 0:2.18.9-12.el6 will be updated
---> Package gtk2.x86_64 0:2.20.1-4.el6 will be an update
---> Package gzip.x86_64 0:1.3.12-18.el6 will be updated
---> Package gzip.x86_64 0:1.3.12-19.el6_4 will be an update
---> Package hwdata.noarch 0:0.233-7.9.el6 will be updated
---> Package hwdata.noarch 0:0.233-9.1.el6 will be an update
---> Package initscripts.x86_64 0:9.03.38-1.el6.centos.1 will be updated
---> Package initscripts.x86_64 0:9.03.40-2.el6.centos.1 will be an update
---> Package iproute.x86_64 0:2.6.32-23.el6 will be updated
---> Package iproute.x86_64 0:2.6.32-31.el6 will be an update
---> Package iptables.x86_64 0:1.4.7-9.el6 will be updated
---> Package iptables.x86_64 0:1.4.7-11.el6 will be an update
---> Package iptables-ipv6.x86_64 0:1.4.7-9.el6 will be updated
---> Package iptables-ipv6.x86_64 0:1.4.7-11.el6 will be an update
---> Package iputils.x86_64 0:20071127-16.el6 will be updated
---> Package iputils.x86_64 0:20071127-17.el6_4.2 will be an update
---> Package irqbalance.x86_64 2:1.0.4-3.el6 will be updated
---> Package irqbalance.x86_64 2:1.0.4-8.el6_5 will be an update
--> Processing Dependency: kernel >= 2.6.32-358.2.1 for package: 2:irqbalance-1.0.4-8.el6_5.x86_64
---> Package iw.x86_64 0:0.9.17-4.el6 will be updated
---> Package iw.x86_64 0:3.10-1.1.el6 will be an update
---> Package kernel-headers.x86_64 0:2.6.32-358.2.1.el6 will be updated
---> Package kernel-headers.x86_64 0:2.6.32-431.11.2.el6 will be an update
---> Package krb5-devel.x86_64 0:1.10.3-10.el6_4.6 will be updated
---> Package krb5-devel.x86_64 0:1.10.3-15.el6_5.1 will be an update
---> Package krb5-libs.x86_64 0:1.10.3-10.el6_4.6 will be updated
---> Package krb5-libs.x86_64 0:1.10.3-15.el6_5.1 will be an update
---> Package libXcursor.x86_64 0:1.1.13-2.el6 will be updated
---> Package libXcursor.x86_64 0:1.1.13-6.20130524git8f677eaea.el6 will be an update
---> Package libXfont.x86_64 0:1.4.5-2.el6 will be updated
---> Package libXfont.x86_64 0:1.4.5-3.el6_5 will be an update
---> Package libblkid.x86_64 0:2.17.2-12.9.el6 will be updated
---> Package libblkid.x86_64 0:2.17.2-12.14.el6 will be an update
---> Package libcgroup.x86_64 0:0.37-7.1.el6 will be updated
---> Package libcgroup.x86_64 0:0.40.rc1-5.el6_5.1 will be an update
---> Package libcurl.x86_64 0:7.19.7-35.el6 will be updated
---> Package libcurl.x86_64 0:7.19.7-37.el6_4 will be an update
---> Package libgcj.x86_64 0:4.4.7-3.el6 will be updated
---> Package libgcj.x86_64 0:4.4.7-4.el6 will be an update
---> Package libgcrypt.x86_64 0:1.4.5-9.el6_2.2 will be updated
---> Package libgcrypt.x86_64 0:1.4.5-11.el6_4 will be an update
---> Package libnl.x86_64 0:1.1-14.el6 will be updated
---> Package libnl.x86_64 0:1.1.4-2.el6 will be an update
---> Package libpcap.x86_64 14:1.0.0-6.20091201git117cb5.el6 will be updated
---> Package libpcap.x86_64 14:1.4.0-1.20130826git2dbcaa1.el6 will be an update
---> Package libselinux.x86_64 0:2.0.94-5.3.el6 will be updated
---> Package libselinux.x86_64 0:2.0.94-5.3.el6_4.1 will be an update
---> Package libselinux-devel.x86_64 0:2.0.94-5.3.el6 will be updated
---> Package libselinux-devel.x86_64 0:2.0.94-5.3.el6_4.1 will be an update
---> Package libselinux-utils.x86_64 0:2.0.94-5.3.el6 will be updated
---> Package libselinux-utils.x86_64 0:2.0.94-5.3.el6_4.1 will be an update
---> Package libtiff.x86_64 0:3.9.4-9.el6_3 will be updated
---> Package libtiff.x86_64 0:3.9.4-10.el6_5 will be an update
---> Package libtiff-devel.x86_64 0:3.9.4-9.el6_3 will be updated
---> Package libtiff-devel.x86_64 0:3.9.4-10.el6_5 will be an update
---> Package libudev.x86_64 0:147-2.46.el6 will be updated
---> Package libudev.x86_64 0:147-2.51.el6 will be an update
---> Package libuuid.x86_64 0:2.17.2-12.9.el6 will be updated
---> Package libuuid.x86_64 0:2.17.2-12.14.el6 will be an update
---> Package libxml2.x86_64 0:2.7.6-12.el6_4.1 will be updated
---> Package libxml2.x86_64 0:2.7.6-14.el6 will be an update
---> Package libxml2-devel.x86_64 0:2.7.6-12.el6_4.1 will be updated
---> Package libxml2-devel.x86_64 0:2.7.6-14.el6 will be an update
---> Package logrotate.x86_64 0:3.7.8-16.el6 will be updated
---> Package logrotate.x86_64 0:3.7.8-17.el6 will be an update
---> Package lvm2.x86_64 0:2.02.98-9.el6 will be updated
---> Package lvm2.x86_64 0:2.02.100-8.el6 will be an update
---> Package lvm2-libs.x86_64 0:2.02.98-9.el6 will be updated
---> Package lvm2-libs.x86_64 0:2.02.100-8.el6 will be an update
---> Package mailx.x86_64 0:12.4-6.el6 will be updated
---> Package mailx.x86_64 0:12.4-7.el6 will be an update
---> Package man-pages-overrides.noarch 0:6.4.1-1.el6 will be updated
---> Package man-pages-overrides.noarch 0:6.5.3-1.el6_5 will be an update
---> Package mdadm.x86_64 0:3.2.5-4.el6 will be updated
---> Package mdadm.x86_64 0:3.2.6-7.el6 will be an update
---> Package module-init-tools.x86_64 0:3.9-21.el6 will be updated
---> Package module-init-tools.x86_64 0:3.9-21.el6_4 will be an update
---> Package net-snmp.x86_64 1:5.5-44.el6_4.4 will be updated
---> Package net-snmp.x86_64 1:5.5-49.el6_5.1 will be an update
---> Package net-snmp-devel.x86_64 1:5.5-44.el6_4.4 will be updated
---> Package net-snmp-devel.x86_64 1:5.5-49.el6_5.1 will be an update
---> Package net-snmp-libs.x86_64 1:5.5-44.el6_4.4 will be updated
---> Package net-snmp-libs.x86_64 1:5.5-49.el6_5.1 will be an update
---> Package net-snmp-utils.x86_64 1:5.5-44.el6_4.4 will be updated
---> Package net-snmp-utils.x86_64 1:5.5-49.el6_5.1 will be an update
---> Package nmap.x86_64 2:5.51-2.el6 will be updated
---> Package nmap.x86_64 2:5.51-3.el6 will be an update
---> Package nspr.x86_64 0:4.9.2-1.el6 will be updated
---> Package nspr.x86_64 0:4.10.2-1.el6_5 will be an update
---> Package nss.x86_64 0:3.14.0.0-12.el6 will be updated
---> Package nss.x86_64 0:3.15.3-6.el6_5 will be an update
---> Package nss-softokn.x86_64 0:3.12.9-11.el6 will be updated
---> Package nss-softokn.x86_64 0:3.14.3-9.el6 will be an update
---> Package nss-softokn-freebl.i686 0:3.12.9-11.el6 will be updated
---> Package nss-softokn-freebl.x86_64 0:3.12.9-11.el6 will be updated
---> Package nss-softokn-freebl.i686 0:3.14.3-9.el6 will be an update
---> Package nss-softokn-freebl.x86_64 0:3.14.3-9.el6 will be an update
---> Package nss-sysinit.x86_64 0:3.14.0.0-12.el6 will be updated
---> Package nss-sysinit.x86_64 0:3.15.3-6.el6_5 will be an update
---> Package nss-tools.x86_64 0:3.14.0.0-12.el6 will be updated
---> Package nss-tools.x86_64 0:3.15.3-6.el6_5 will be an update
---> Package nss-util.x86_64 0:3.14.0.0-2.el6 will be updated
---> Package nss-util.x86_64 0:3.15.3-1.el6_5 will be an update
---> Package ntpdate.x86_64 0:4.2.4p8-3.el6.centos will be updated
---> Package ntpdate.x86_64 0:4.2.6p5-1.el6.centos will be an update
---> Package ntsysv.x86_64 0:1.3.49.3-2.el6 will be updated
---> Package ntsysv.x86_64 0:1.3.49.3-2.el6_4.1 will be an update
---> Package numactl.x86_64 0:2.0.7-6.el6 will be updated
---> Package numactl.x86_64 0:2.0.7-8.el6 will be an update
---> Package openldap.x86_64 0:2.4.23-32.el6_4 will be updated
---> Package openldap.x86_64 0:2.4.23-34.el6_5.1 will be an update
---> Package openssh.x86_64 0:5.3p1-84.1.el6 will be updated
---> Package openssh.x86_64 0:5.3p1-94.el6 will be an update
---> Package openssh-clients.x86_64 0:5.3p1-84.1.el6 will be updated
---> Package openssh-clients.x86_64 0:5.3p1-94.el6 will be an update
---> Package openssh-server.x86_64 0:5.3p1-84.1.el6 will be updated
---> Package openssh-server.x86_64 0:5.3p1-94.el6 will be an update
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.1 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.1 will be updated
---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.7 will be an update
---> Package parted.x86_64 0:2.1-19.el6 will be updated
---> Package parted.x86_64 0:2.1-21.el6 will be an update
---> Package perl.x86_64 4:5.10.1-130.el6_4 will be updated
---> Package perl.x86_64 4:5.10.1-136.el6 will be an update
---> Package perl-Archive-Extract.x86_64 1:0.38-130.el6_4 will be updated
---> Package perl-Archive-Extract.x86_64 1:0.38-136.el6 will be an update
---> Package perl-Archive-Tar.x86_64 0:1.58-130.el6_4 will be updated
---> Package perl-Archive-Tar.x86_64 0:1.58-136.el6 will be an update
---> Package perl-CPAN.x86_64 0:1.9402-130.el6_4 will be updated
---> Package perl-CPAN.x86_64 0:1.9402-136.el6 will be an update
---> Package perl-CPANPLUS.x86_64 0:0.88-130.el6_4 will be updated
---> Package perl-CPANPLUS.x86_64 0:0.88-136.el6 will be an update
---> Package perl-Compress-Raw-Bzip2.x86_64 0:2.020-130.el6_4 will be updated
---> Package perl-Compress-Raw-Bzip2.x86_64 0:2.021-136.el6 will be an update
---> Package perl-Compress-Raw-Zlib.x86_64 1:2.020-130.el6_4 will be updated
---> Package perl-Compress-Raw-Zlib.x86_64 1:2.021-136.el6 will be an update
---> Package perl-Compress-Zlib.x86_64 0:2.020-130.el6_4 will be updated
---> Package perl-Compress-Zlib.x86_64 0:2.021-136.el6 will be an update
---> Package perl-Digest-SHA.x86_64 1:5.47-130.el6_4 will be updated
---> Package perl-Digest-SHA.x86_64 1:5.47-136.el6 will be an update
---> Package perl-ExtUtils-CBuilder.x86_64 1:0.27-130.el6_4 will be updated
---> Package perl-ExtUtils-CBuilder.x86_64 1:0.27-136.el6 will be an update
---> Package perl-ExtUtils-Embed.x86_64 0:1.28-130.el6_4 will be updated
---> Package perl-ExtUtils-Embed.x86_64 0:1.28-136.el6 will be an update
---> Package perl-ExtUtils-MakeMaker.x86_64 0:6.55-130.el6_4 will be updated
---> Package perl-ExtUtils-MakeMaker.x86_64 0:6.55-136.el6 will be an update
---> Package perl-ExtUtils-ParseXS.x86_64 1:2.2003.0-130.el6_4 will be updated
---> Package perl-ExtUtils-ParseXS.x86_64 1:2.2003.0-136.el6 will be an update
---> Package perl-File-Fetch.x86_64 0:0.26-130.el6_4 will be updated
---> Package perl-File-Fetch.x86_64 0:0.26-136.el6 will be an update
---> Package perl-IO-Compress-Base.x86_64 0:2.020-130.el6_4 will be updated
---> Package perl-IO-Compress-Base.x86_64 0:2.021-136.el6 will be an update
---> Package perl-IO-Compress-Bzip2.x86_64 0:2.020-130.el6_4 will be updated
---> Package perl-IO-Compress-Bzip2.x86_64 0:2.021-136.el6 will be an update
---> Package perl-IO-Compress-Zlib.x86_64 0:2.020-130.el6_4 will be updated
---> Package perl-IO-Compress-Zlib.x86_64 0:2.021-136.el6 will be an update
---> Package perl-IO-Zlib.x86_64 1:1.09-130.el6_4 will be updated
---> Package perl-IO-Zlib.x86_64 1:1.09-136.el6 will be an update
---> Package perl-IPC-Cmd.x86_64 1:0.56-130.el6_4 will be updated
---> Package perl-IPC-Cmd.x86_64 1:0.56-136.el6 will be an update
---> Package perl-Locale-Maketext-Simple.x86_64 1:0.18-130.el6_4 will be updated
---> Package perl-Locale-Maketext-Simple.x86_64 1:0.18-136.el6 will be an update
---> Package perl-Log-Message.x86_64 1:0.02-130.el6_4 will be updated
---> Package perl-Log-Message.x86_64 1:0.02-136.el6 will be an update
---> Package perl-Log-Message-Simple.x86_64 0:0.04-130.el6_4 will be updated
---> Package perl-Log-Message-Simple.x86_64 0:0.04-136.el6 will be an update
---> Package perl-Module-Build.x86_64 1:0.3500-130.el6_4 will be updated
---> Package perl-Module-Build.x86_64 1:0.3500-136.el6 will be an update
---> Package perl-Module-CoreList.x86_64 0:2.18-130.el6_4 will be updated
---> Package perl-Module-CoreList.x86_64 0:2.18-136.el6 will be an update
---> Package perl-Module-Load.x86_64 1:0.16-130.el6_4 will be updated
---> Package perl-Module-Load.x86_64 1:0.16-136.el6 will be an update
---> Package perl-Module-Load-Conditional.x86_64 0:0.30-130.el6_4 will be updated
---> Package perl-Module-Load-Conditional.x86_64 0:0.30-136.el6 will be an update
---> Package perl-Module-Loaded.x86_64 1:0.02-130.el6_4 will be updated
---> Package perl-Module-Loaded.x86_64 1:0.02-136.el6 will be an update
---> Package perl-Module-Pluggable.x86_64 1:3.90-130.el6_4 will be updated
---> Package perl-Module-Pluggable.x86_64 1:3.90-136.el6 will be an update
---> Package perl-Object-Accessor.x86_64 1:0.34-130.el6_4 will be updated
---> Package perl-Object-Accessor.x86_64 1:0.34-136.el6 will be an update
---> Package perl-Package-Constants.x86_64 1:0.02-130.el6_4 will be updated
---> Package perl-Package-Constants.x86_64 1:0.02-136.el6 will be an update
---> Package perl-Params-Check.x86_64 1:0.26-130.el6_4 will be updated
---> Package perl-Params-Check.x86_64 1:0.26-136.el6 will be an update
---> Package perl-Parse-CPAN-Meta.x86_64 1:1.40-130.el6_4 will be updated
---> Package perl-Parse-CPAN-Meta.x86_64 1:1.40-136.el6 will be an update
---> Package perl-Pod-Escapes.x86_64 1:1.04-130.el6_4 will be updated
---> Package perl-Pod-Escapes.x86_64 1:1.04-136.el6 will be an update
---> Package perl-Pod-Simple.x86_64 1:3.13-130.el6_4 will be updated
---> Package perl-Pod-Simple.x86_64 1:3.13-136.el6 will be an update
---> Package perl-Term-UI.x86_64 0:0.20-130.el6_4 will be updated
---> Package perl-Term-UI.x86_64 0:0.20-136.el6 will be an update
---> Package perl-Test-Harness.x86_64 0:3.17-130.el6_4 will be updated
---> Package perl-Test-Harness.x86_64 0:3.17-136.el6 will be an update
---> Package perl-Test-Simple.x86_64 0:0.92-130.el6_4 will be updated
---> Package perl-Test-Simple.x86_64 0:0.92-136.el6 will be an update
---> Package perl-Time-HiRes.x86_64 4:1.9721-130.el6_4 will be updated
---> Package perl-Time-HiRes.x86_64 4:1.9721-136.el6 will be an update
---> Package perl-Time-Piece.x86_64 0:1.15-130.el6_4 will be updated
---> Package perl-Time-Piece.x86_64 0:1.15-136.el6 will be an update
---> Package perl-core.x86_64 0:5.10.1-130.el6_4 will be updated
---> Package perl-core.x86_64 0:5.10.1-136.el6 will be an update
--> Processing Dependency: perl-CGI for package: perl-core-5.10.1-136.el6.x86_64
---> Package perl-devel.x86_64 4:5.10.1-130.el6_4 will be updated
---> Package perl-devel.x86_64 4:5.10.1-136.el6 will be an update
---> Package perl-libs.x86_64 4:5.10.1-130.el6_4 will be updated
---> Package perl-libs.x86_64 4:5.10.1-136.el6 will be an update
---> Package perl-parent.x86_64 1:0.221-130.el6_4 will be updated
---> Package perl-parent.x86_64 1:0.221-136.el6 will be an update
---> Package perl-version.x86_64 3:0.77-130.el6_4 will be updated
---> Package perl-version.x86_64 3:0.77-136.el6 will be an update
---> Package pixman.x86_64 0:0.26.2-5.el6_4 will be updated
---> Package pixman.x86_64 0:0.26.2-5.1.el6_5 will be an update
---> Package policycoreutils.x86_64 0:2.0.83-19.30.el6 will be updated
---> Package policycoreutils.x86_64 0:2.0.83-19.39.el6 will be an update
---> Package psmisc.x86_64 0:22.6-15.el6_0.1 will be updated
---> Package psmisc.x86_64 0:22.6-19.el6_5 will be an update
---> Package python.x86_64 0:2.6.6-36.el6 will be updated
---> Package python.x86_64 0:2.6.6-52.el6 will be an update
---> Package python-devel.x86_64 0:2.6.6-36.el6 will be updated
---> Package python-devel.x86_64 0:2.6.6-52.el6 will be an update
---> Package python-ethtool.x86_64 0:0.6-3.el6 will be updated
---> Package python-ethtool.x86_64 0:0.6-5.el6 will be an update
---> Package python-libs.x86_64 0:2.6.6-36.el6 will be updated
---> Package python-libs.x86_64 0:2.6.6-52.el6 will be an update
---> Package python-tools.x86_64 0:2.6.6-36.el6 will be updated
---> Package python-tools.x86_64 0:2.6.6-52.el6 will be an update
---> Package python-urlgrabber.noarch 0:3.9.1-8.el6 will be updated
---> Package python-urlgrabber.noarch 0:3.9.1-9.el6 will be an update
---> Package quota.x86_64 1:3.17-18.el6 will be updated
---> Package quota.x86_64 1:3.17-21.el6_5 will be an update
---> Package quota-devel.x86_64 1:3.17-18.el6 will be updated
---> Package quota-devel.x86_64 1:3.17-21.el6_5 will be an update
---> Package rpm.x86_64 0:4.8.0-32.el6 will be updated
---> Package rpm.x86_64 0:4.8.0-37.el6 will be an update
---> Package rpm-devel.x86_64 0:4.8.0-32.el6 will be updated
---> Package rpm-devel.x86_64 0:4.8.0-37.el6 will be an update
---> Package rpm-libs.x86_64 0:4.8.0-32.el6 will be updated
---> Package rpm-libs.x86_64 0:4.8.0-37.el6 will be an update
---> Package rpm-python.x86_64 0:4.8.0-32.el6 will be updated
---> Package rpm-python.x86_64 0:4.8.0-37.el6 will be an update
---> Package rsync.x86_64 0:3.0.6-9.el6 will be updated
---> Package rsync.x86_64 0:3.0.6-9.el6_4.1 will be an update
---> Package rsyslog.x86_64 0:5.8.10-6.el6 will be updated
---> Package rsyslog.x86_64 0:5.8.10-8.el6 will be an update
---> Package selinux-policy.noarch 0:3.7.19-195.el6_4.3 will be updated
---> Package selinux-policy.noarch 0:3.7.19-231.el6_5.1 will be an update
---> Package selinux-policy-targeted.noarch 0:3.7.19-195.el6_4.3 will be updated
---> Package selinux-policy-targeted.noarch 0:3.7.19-231.el6_5.1 will be an update
---> Package setup.noarch 0:2.8.14-20.el6 will be updated
---> Package setup.noarch 0:2.8.14-20.el6_4.1 will be an update
---> Package setuptool.x86_64 0:1.19.9-3.el6 will be updated
---> Package setuptool.x86_64 0:1.19.9-4.el6 will be an update
---> Package subversion.x86_64 0:1.6.11-9.el6_4 will be updated
---> Package subversion.x86_64 0:1.6.11-10.el6_5 will be an update
---> Package sudo.x86_64 0:1.8.6p3-7.el6 will be updated
---> Package sudo.x86_64 0:1.8.6p3-12.el6 will be an update
---> Package sysstat.x86_64 0:9.0.4-20.el6 will be updated
---> Package sysstat.x86_64 0:9.0.4-22.el6 will be an update
---> Package sysvinit-tools.x86_64 0:2.87-4.dsf.el6 will be updated
---> Package sysvinit-tools.x86_64 0:2.87-5.dsf.el6 will be an update
---> Package tkinter.x86_64 0:2.6.6-36.el6 will be updated
---> Package tkinter.x86_64 0:2.6.6-52.el6 will be an update
---> Package tzdata.noarch 0:2013b-1.el6 will be updated
---> Package tzdata.noarch 0:2014b-1.el6 will be an update
---> Package udev.x86_64 0:147-2.46.el6 will be updated
---> Package udev.x86_64 0:147-2.51.el6 will be an update
---> Package upstart.x86_64 0:0.6.5-12.el6 will be updated
---> Package upstart.x86_64 0:0.6.5-13.el6_5.3 will be an update
---> Package util-linux-ng.x86_64 0:2.17.2-12.9.el6 will be updated
---> Package util-linux-ng.x86_64 0:2.17.2-12.14.el6 will be an update
---> Package wget.x86_64 0:1.12-1.8.el6 will be updated
---> Package wget.x86_64 0:1.12-1.11.el6_5 will be an update
---> Package yum.noarch 0:3.2.29-40.el6.centos will be updated
---> Package yum.noarch 0:3.2.29-43.el6.centos will be an update
---> Package yum-plugin-fastestmirror.noarch 0:1.1.30-14.el6 will be updated
---> Package yum-plugin-fastestmirror.noarch 0:1.1.30-17.el6_5 will be an update
---> Package yum-utils.noarch 0:1.1.30-14.el6 will be updated
---> Package yum-utils.noarch 0:1.1.30-17.el6_5 will be an update
--> Running transaction check
---> Package irqbalance.x86_64 2:1.0.4-8.el6_5 will be an update
--> Processing Dependency: kernel >= 2.6.32-358.2.1 for package: 2:irqbalance-1.0.4-8.el6_5.x86_64
---> Package p11-kit.x86_64 0:0.18.5-2.el6_5.2 will be installed
---> Package p11-kit-trust.x86_64 0:0.18.5-2.el6_5.2 will be installed
---> Package perl-CGI.x86_64 0:3.51-136.el6 will be installed
---> Package shared-mime-info.x86_64 0:0.70-4.el6 will be installed
--> Finished Dependency Resolution
Error: Package: 2:irqbalance-1.0.4-8.el6_5.x86_64 (updates)
           Requires: kernel >= 2.6.32-358.2.1
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
checkyum version 21.1

It looks like this is because I use OVH and they use an annoying custom kernel. Any ideas?

mctDarren · Apr 8, 2014

bouvrie said:
Please be so kind to publish how to recompile.

From shell:

Code:

yum update

to make sure you have the updated openssl packages, then:

Code:

/scripts/easyapache

But if you are unsure about running such a major update to your server you should contact cPanel or an administration company to do it for you.

egohost · Apr 8, 2014

Re: OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

Currently cPanel on standard RELEASE level is distributed with OpenSSL 1.0.1e-fips 11 Feb 2013
There are no further updates as far as i can see when using the update options.

I hope that very soon cPanel will update RELEASE with 1.0.1G or greater, or at least redist with the compile option -DOPENSSL_NO_HEARTBEATS.

- - - Updated - - -

There is a full document here: http://heartbleed.com/

cPanelMichael · Apr 8, 2014

cPanel Security Team: Heartbleed Vulnerability

Heartbleed is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f.

This vulnerability allows an attacker to read 64 kilobyte chunks of memory from from servers and clients that connect using SSL through a flaw in the OpenSSL’s implementation of the heartbeat extension.

What does this mean for cPanel servers?

cPanel & WHM does not provide any copies of the OpenSSL library. The daemons and applications shipped with cPanel & WHM link to the version of OpenSSL provided by the core operating system. RedHat 6, CentOS 6, and CloudLinux 6 provided vulnerable versions of OpenSSL 1.0.1. All three distros have published patched versions of their OpenSSL 1.0.1 RPMs to their mirrors. To update any affected servers, run “yum update” to install the patched version of OpenSSL and restart all SSL-enabled services or reboot the system.

You can ensure you are updated by running the following command:

Code:

# rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

You should see the information noting the fix to CVE-2014-0160.

RHEL/CentOS 5 servers, which are using the OpenSSL 0.9.8 RPM included in the official OS repositories, are not vulnerable to the Heartbleed issue since they are using an older version of OpenSSL that never contained this vulnerability.

What steps do I need to take as an Admin/root of our servers running cPanel & WHM?

Once the RPM of OpenSSL has been updated you should reset all certificates via the Manage Service SSL Certificates interface in WHM.

Home » Service Configuration » Manage Service SSL Certificates

You will need to click the ‘Reset Certificate’ link for each service: FTP, Exim, cPanel/WHM/Webmail Service, and Dovecot or Courier Mail Server.

You should also check the SSL certificates in the Manage SSL Hosts interface of WHM.

Home » SSL/TLS » Manage SSL Hosts

Many Certificate Authorities are helping their customers regenerate SSL certificates at no cost. This may vary and your Certificate Authority should be contacted prior to any actions to ensure the proper procedures are followed.

Do we need to reset our passwords and regenerate our private and public keys on the server?

Due to the nature of the vulnerability it is impossible to know what other information, including private keys, passwords, and session ID’s, has been compromised. The attack occurs before a full connection to your server has been made, leaving no indications in any logs that an attack has occurred. It is recommended that you regenerate all SSH keys and reset all passwords across the server.

panayot · Apr 8, 2014

I guess we should change root password if we logged in WHM:2087 before updating OpenSSL?

cPanelDon · Apr 8, 2014

Jorel said:
Code:

... --> Finished Dependency Resolution Error: Package: 2:irqbalance-1.0.4-8.el6_5.x86_64 (updates) Requires: kernel >= 2.6.32-358.2.1 You could try using --skip-broken to work around the problem You could try running: rpm -Va --nofiles --nodigest checkyum version 21.1

It looks like this is because I use OVH and they use an annoying custom kernel. Any ideas?

Try the suggestions in the output from YUM; for example:

Code:

yum upgrade --skip-broken

Thread starter	Similar threads	Forum	Replies	Date
G	Subdomain - The certificate chain failed OpenSSL’s verification (0:10:CERT_HAS_EXPIRED)	Security	19	Jul 28, 2022
A	openssl version discrepancy	Security	4	Mar 25, 2022
M	SOLVED Openssl-1.1.1n : Should we update it manually or will it be done by cpanel soon?	Security	15	Mar 16, 2022
I	OpenSSL/1.1.1g mod_bwlimited/1.4 configured	Security	1	May 16, 2020
M	How to update OpenSSL library on Dedicated Server for vulnerability "HeartBleed" bug	Security	1	Apr 10, 2014

OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

Active Member

Well-Known Member

Well-Known Member

Member

Active Member

Member

Active Member

Well-Known Member

Well-Known Member

Well-Known Member

Active Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Registered

Administrator

Well-Known Member

cPanel Quality Assurance Analyst