OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

serichards

Well-Known Member
Dec 11, 2012
cPanel Access Level
Website Owner
So is OpenSSL 1.0.1e-fips 11 Feb 2013 vulnerable or not? Some say yes, others say no. I have tried the heartbleed test but it gives me an error: Uh-oh, something went wrong: tls: oversized record received with length 20291

I have done yum update, the cpanel system and server software update and yum update again and it claims there are no packages available to update so this is the latest version it seems.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
FIPS does not mitigate this, so you're probably waiting on a patch from your OS vendor. What exact version of your OS are you running?
 

panayot

Well-Known Member
Nov 18, 2004
You can check exact version with:

Code:
rpm -qa |grep openssl
Answer for RHEL 6/Centos 6 should be:

Code:
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64
If your server is RHEL 5/CentOS 5, then OpenSSL does not have the bug and its version would be something like openssl-0.9.8e
 

goodmove

Well-Known Member
May 12, 2003
The patched OpenSSL 1.0.1 RPM has already been published to the RHEL 6 and CentOS 6 repositories, so the only steps that should be necessary to update these servers are to run "yum update" to install the updated version of OpenSSL and then either fully restart all SSL-enabled services, including sshd, or reboot the server.
"yum update openssl" seems to be handling it:

Updated:
openssl.x86_64 0:1.0.1e-16.el6_5.7

Dependency Updated:
openssl-devel.x86_64 0:1.0.1e-16.el6_5.7

Do we need to do a full "yum update"?

Norman
 

serichards

Well-Known Member
Dec 11, 2012
cPanel Access Level
Website Owner
openssl-devel-1.0.1e-16.el6_5.7.x86_64
openssl-1.0.1e-16.el6_5.7.x86_64

Both checked a couple of hours ago and defined as the latest.
 

panayot

Well-Known Member
Nov 18, 2004
Do we need to do a full "yum update"?

Norman
No, that is enough. Just don't forget to restart:
  • cpanel
  • httpd
  • exim
  • dovecot
  • pure-ftpd
  • mysql
  • any other services you might have installed that use ssl (like RAID controller managers)
 
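Restarting is the step that actually gets the fixed library into memory; a process that was started before the update keeps the old, deleted libssl/libcrypto mapped, and lsof reports such mappings with FD "DEL". The helper below is an added example (not from the thread or from cPanel) that filters lsof output down to the processes still holding the old library; function names and the sample lsof lines are constructed, and live use assumes lsof is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `lsof` output on stdin and prints
# "PID COMMAND" for every process that still maps a deleted libssl/libcrypto,
# i.e. a service that was not restarted after `yum update openssl`.
# Function names are hypothetical.
stale_ssl_users() {
    # lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    # FD == "DEL" marks a mapped file that has been unlinked on disk.
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ { print $2, $1 }' | sort -u
}

# Live use on the host (run as root so every process is visible):
#   lsof -n | stale_ssl_users
# Empty output means nothing still maps the pre-update library.

# Constructed sample lsof output: httpd and exim were not restarted after the
# update, dovecot was (its mapping is "mem", a live file), sshd holds an
# unrelated deleted library and must not be reported.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 1234 root DEL REG 253,0 1311 /usr/lib64/libssl.so.1.0.1e
httpd 1234 root DEL REG 253,0 1310 /usr/lib64/libcrypto.so.1.0.1e
httpd 1235 nobody DEL REG 253,0 1311 /usr/lib64/libssl.so.1.0.1e
exim 2222 mailnull DEL REG 253,0 1311 /usr/lib64/libssl.so.1.0.1e
dovecot 3333 root mem REG 253,0 438680 1400 /usr/lib64/libssl.so.1.0.1e
sshd 4444 root DEL REG 253,0 5555 /usr/lib64/libz.so.1'

# Runs the filter over the constructed sample; prints 3 lines (httpd x2, exim).
stale_ssl_report() {
    printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_users
}

stale_ssl_report
```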

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
"yum update openssl" seems to be handling it:

Updated:
openssl.x86_64 0:1.0.1e-16.el6_5.7

Dependency Updated:
openssl-devel.x86_64 0:1.0.1e-16.el6_5.7

Do we need to do a full "yum update"?

Norman
That should handle it for this issue, but it's usually a good idea to make sure all your other RPMs are updated too.

As others have stated, be sure to restart the appropriate services (or just reboot your server).
 

Venomous21

Well-Known Member
Jun 28, 2012
cPanel Access Level
Root Administrator
Just want to confirm, if we are running CentOS 5.10, we are not vulnerable and no steps need to be applied?

[email protected] [/var/log]# rpm -qa |grep openssl
openssl-0.9.8e-27.el5_10.1
openssl-devel-0.9.8e-27.el5_10.1
openssl-0.9.8e-27.el5_10.1
openssl-devel-0.9.8e-27.el5_10.1

Thank you!
 

panayot

Well-Known Member
Nov 18, 2004
Just want to confirm, if we are running CentOS 5.10, we are not vulnerable and no steps need to be applied?

[email protected] [/var/log]# rpm -qa |grep openssl
openssl-0.9.8e-27.el5_10.1
openssl-devel-0.9.8e-27.el5_10.1
openssl-0.9.8e-27.el5_10.1
openssl-devel-0.9.8e-27.el5_10.1

Thank you!
Yes, that is correct.

Does apache need to be recompiled after applying the patch?
No, just stop/start
 

SludgeMeister

Member
May 8, 2006
Regarding Heartbleed bug

Hello,

I've read a few forum posts regarding this but am a little confused and would appreciate some clarification.

I checked my version of OpenSSL

[email protected] [~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[email protected] [~]
I have used "yum update" and "yum update openssl" and Update server / system software via WHM and it appears no updates are made (from the output). I have restarted the server etc.

I am on CentOS 6 and only installed WHM/Cpanel about 7 days ago on this new server.

[email protected] [~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[email protected] [~]#
Which from what I read IS vulnerable.

However, I also read that if the changelog has an update from Tomas Mraz regarding this, that I am using the "safe version".

So my OpenSSL changelog output shows the following:

[email protected] [~]# rpm -q --changelog openssl-1.0.1e
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
Am I right in assuming I am good to go here? I am just confused as the version of OpenSSL is reported as OpenSSL 1.0.1e-fips 11 Feb 2013 and was reported as this before I attempted any update?

Thanks
 

MaraBlue

Well-Known Member
May 3, 2005
Carmichael, CA
cPanel Access Level
Root Administrator
WHM » Software » Update System Software, as posted by InfoPro, also works.
 

pauloray

Well-Known Member
Jan 16, 2012
Philippines
cPanel Access Level
Root Administrator
WHM » Software » Update System Software, as posted by InfoPro, also works.
Mine is
Code:
checkyum version 21.1
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.adams.net
 * epel: ftp.osuosl.org
 * extras: ftp.osuosl.org
 * rpmforge: mirror.webnx.com
 * rpmfusion-free-updates: mirror.web-ster.com
 * updates: centos.mirror.facebook.net
Setting up Update Process
No Packages marked for Update
checkyum version 21.1
My VPS has OpenSSL 1.0.1e-fips 11 Feb 2013

How can I update OpenSSL?
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Re: Regarding Heartbleed bug

Hello,

I've read a few forum posts regarding this but am a little confused and would appreciate some clarification.

I checked my version of OpenSSL



I have used "yum update" and "yum update openssl" and Update server / system software via WHM and it appears no updates are made (from the output). I have restarted the server etc.

I am on CentOS 6 and only installed WHM/Cpanel about 7 days ago on this new server.


Which from what I read IS vulnerable.

However, I also read that if the changelog has an update from Tomas Mraz regarding this, that I am using the "safe version".

So my OpenSSL changelog output shows the following:



Am I right in assuming I am good to go here? I am just confused as the version of OpenSSL is reported as OpenSSL 1.0.1e-fips 11 Feb 2013 and was reported as this before I attempted any update?

Thanks
Your output from the changelog shows your version was backported or otherwise patched to fix this.

You can check more info about the RPM with rpm -qi openssl

Again, if your changelog shows the patch like yours does, you should be fine after restarting services.

Code:
[email protected] [~]# rpm -q --changelog openssl-1.0.1e
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
 

MaraBlue

Well-Known Member
May 3, 2005
Carmichael, CA
cPanel Access Level
Root Administrator
Mine is
Code:
checkyum version 21.1
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.adams.net
 * epel: ftp.osuosl.org
 * extras: ftp.osuosl.org
 * rpmforge: mirror.webnx.com
 * rpmfusion-free-updates: mirror.web-ster.com
 * updates: centos.mirror.facebook.net
Setting up Update Process
No Packages marked for Update
checkyum version 21.1
My VPS has OpenSSL 1.0.1e-fips 11 Feb 2013

How can I update OpenSSL?
What version of CentOS are you running? v5 isn't vulnerable.
 

serichards

Well-Known Member
Dec 11, 2012
cPanel Access Level
Website Owner
I'm assuming this one is ok:

Code:
rpm -qi openssl

Name        : openssl                      Relocations: (not relocatable)
Version     : 1.0.1e                       Vendor: CentOS
Release     : 16.el6_5.7                   Build Date: Tue 08 Apr 2014 03:43:19 BST
 

phoenixweb

Well-Known Member
Jun 3, 2004
cPanel Access Level
DataCenter Provider
I have upgraded the kernel and everything else, but OpenSSL is not upgrading to 1.0.1g.
I have tried several times, but the CentOS repository actually still delivers 1.0.1e (which is bugged):

# yum update openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.prometeus.net
* extras: mirrors.prometeus.net
* updates: mirrors.prometeus.net
Setting up Update Process
No Packages marked for Update


Why is cPanel using "mirrors.prometeus.net" as the repository,
and why is it not updated with the latest patch?

Thanks,
Max
 

garhiyal

Member
PartnerNOC
Nov 10, 2010
Hi,

W.r.t. this OpenSSL vulnerability, I have opened a ticket ID 4794343. Though I could have posted my questions here, for general security reasons I had to put them in the ticket.

I request cPanel techs to kindly go through it. It has been nearly 2 hrs. since I opened the ticket.

Thanks

Kirti
 

InterServed

Well-Known Member
Jul 10, 2007
cPanel Access Level
DataCenter Provider
You will not receive 1.0.1g via the CentOS repository no matter what you try. You will get an updated 1.0.1e that contains a patch/fix for the described vulnerability.

As described earlier in this topic, you can check this via:
Code:
rpm -q --changelog openssl-1.0.1e|head
which should return:
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

I have upgraded the kernel and everything else, but OpenSSL is not upgrading to 1.0.1g.
I have tried several times, but the CentOS repository actually still delivers 1.0.1e (which is bugged):

# yum update openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.prometeus.net
* extras: mirrors.prometeus.net
* updates: mirrors.prometeus.net
Setting up Update Process
No Packages marked for Update


Why is cPanel using "mirrors.prometeus.net" as the repository,
and why is it not updated with the latest patch?

Thanks,
Max
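The thread's conclusion is that the version string alone (1.0.1e) does not tell you anything on RHEL/CentOS: 0.9.8 is not affected, 1.0.1 through 1.0.1f is affected unless the distro backported the fix, and the backport shows up as a CVE-2014-0160 entry in the RPM changelog. The script below is an added example (not from the thread or from cPanel) that turns those rules into a check over the output of rpm -qa and rpm -q --changelog; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies an installed OpenSSL RPM for
# CVE-2014-0160 from the two facts the thread relies on: the package NVR from
# `rpm -qa | grep openssl` and whether `rpm -q --changelog` mentions the CVE.
# Function names are hypothetical.

# heartbleed_status NVR CHANGELOG_TEXT -> not_affected | patched | vulnerable | unknown
heartbleed_status() {
    nvr=$1
    changelog=$2
    # openssl-devel-1.0.1e-16.el6_5.7.x86_64 -> 1.0.1e-16.el6_5.7.x86_64
    ver=${nvr#openssl-}
    case $ver in
        [a-z]*-*) ver=${ver#*-} ;;        # drop a subpackage name such as devel-
    esac
    case $ver in
        0.9.*|1.0.0*)
            echo not_affected ;;          # heartbeat extension only exists from 1.0.1
        1.0.1-*|1.0.1[a-f]*)
            # Upstream 1.0.1 through 1.0.1f are vulnerable unless the distro
            # backported the fix, which RHEL/CentOS record in the changelog.
            if printf '%s\n' "$changelog" | grep -q 'CVE-2014-0160'; then
                echo patched
            else
                echo vulnerable
            fi ;;
        1.0.1*)
            echo patched ;;               # 1.0.1g or later
        *)
            echo unknown ;;
    esac
}

# Live use on a RHEL/CentOS host: classify every installed openssl* package.
# Remember that a "patched" result still needs the service restarts the thread lists.
audit_host() {
    for p in $(rpm -qa 'openssl*'); do
        printf '%s: %s\n' "$p" "$(heartbleed_status "$p" "$(rpm -q --changelog "$p")")"
    done
}
```

Run `audit_host` on the server itself; the classifier can also be fed the NVR and changelog text copied from another host.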