OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

serichards

Well-Known Member
Dec 11, 2012
48
0
6
cPanel Access Level
Website Owner
So is OpenSSL 1.0.1e-fips 11 Feb 2013 vulnerable or not? Some say yes, others say not. I have tried the heartbleed test but it gives me an error: Uh-oh, something went wrong: tls: oversized record received with length 20291

I have done yum update, the cpanel system and server software update and yum update again and it claims there are no packages available to update so this is the latest version it seems.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
86
78
cPanel Access Level
DataCenter Provider
FIPS does not mitigate this, so you're probably waiting on a patch from your OS vendor. What exact version of your OS are you running?
 

panayot

Well-Known Member
Nov 18, 2004
126
0
166
You can check exact version with:

Code:
rpm -qa |grep openssl
Answer for RHEL 6/Centos 6 should be:

Code:
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64
If your server is RHEL 5/Centos 5 then OpenSSL does not have the bug and its version would be something like openssl-0.9.8e
 
Last edited:

goodmove

Well-Known Member
May 12, 2003
628
1
168
The patched OpenSSL 1.0.1 RPM has already been published to the RHEL 6 and CentOS 6 repositories, so the only steps that should be necessary to update these servers are to run "yum update" to install the updated version of OpenSSL and then either fully restart all SSL-enabled services, including sshd, or reboot the server.
"yum update openssl" seems to be handling it:

Updated:
openssl.x86_64 0:1.0.1e-16.el6_5.7

Dependency Updated:
openssl-devel.x86_64 0:1.0.1e-16.el6_5.7

Do we need to do a full "yum update"?

Norman
 

serichards

Well-Known Member
Dec 11, 2012
48
0
6
cPanel Access Level
Website Owner
openssl-devel-1.0.1e-16.el6_5.7.x86_64
openssl-1.0.1e-16.el6_5.7.x86_64

Both checked a couple of hours ago and defined as the lastest.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
86
78
cPanel Access Level
DataCenter Provider
"yum update openssl" seems to be handling it:

Updated:
openssl.x86_64 0:1.0.1e-16.el6_5.7

Dependency Updated:
openssl-devel.x86_64 0:1.0.1e-16.el6_5.7

Do we need to do a full "yum update"?

Norman
That should handle it for this issue, but it's usually a good idea to make sure all your other RPMs are updated too.

As others have stated, be sure to restart the appropriate services (or just reboot your server).
 

Venomous21

Well-Known Member
Jun 28, 2012
85
0
6
cPanel Access Level
Root Administrator
Just want to confirm, if we are running CentOS 5.10, we are not vulnerable and no steps need to be applied?

[email protected] [/var/log]# rpm -qa |grep openssl
openssl-0.9.8e-27.el5_10.1
openssl-devel-0.9.8e-27.el5_10.1
openssl-0.9.8e-27.el5_10.1
openssl-devel-0.9.8e-27.el5_10.1

Thank you!
 

panayot

Well-Known Member
Nov 18, 2004
126
0
166
Just want to confirm, if we are running CentOS 5.10, we are not vulnerable and no steps need to be applied?

[email protected] [/var/log]# rpm -qa |grep openssl
openssl-0.9.8e-27.el5_10.1
openssl-devel-0.9.8e-27.el5_10.1
openssl-0.9.8e-27.el5_10.1
openssl-devel-0.9.8e-27.el5_10.1

Thank you!
Yes, that is correct.

Does apache needs to be recompiled after applying the patch?
No, just stop/start
 
Last edited:

SludgeMeister

Member
May 8, 2006
12
0
151
Regarding Heartbleed bug

Hello,

I've read a few forum posts regarding this but am a little confused and would appreciate some clarification.

I checked my version of OpenSSL

[email protected] [~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[email protected] [~]
I have used "yum update" and "yum update openssl" and Update server / system software via WHM and it appears no updates are made (from the output). I have restarted the server etc.

I am on CentOS 6 and only installed WHM/Cpanel about 7 days ago on this new server.

[email protected] [~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[email protected] [~]#
Which from what I read IS vulnerable.

However, I also read that if the changelog has an update from Tomas Mraz regarding this, that I am using the "safe version".

So my OpenSSL changelog output shows the following:

[email protected] [~]# rpm -q --changelog openssl-1.0.1e
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
Am I right in assuming I am good to go here? I am just confused as the version of OpenSSL is reported as OpenSSL 1.0.1e-fips 11 Feb 2013 and was reported as this before I attempted any update?

Thanks
 
Last edited:

pauloray

Well-Known Member
Jan 16, 2012
74
0
56
Philippines
cPanel Access Level
Root Administrator
Code:
WHM » Software » Update System Software
, as posted by InfoPro, also works.
Mine is
Code:
checkyum version 21.1
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.adams.net
 * epel: ftp.osuosl.org
 * extras: ftp.osuosl.org
 * rpmforge: mirror.webnx.com
 * rpmfusion-free-updates: mirror.web-ster.com
 * updates: centos.mirror.facebook.net
Setting up Update Process
No Packages marked for Update
checkyum version 21.1
My VPS has OpenSSL 1.0.1e-fips 11 Feb 2013

How can I update OpenSSL?
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
86
78
cPanel Access Level
DataCenter Provider
Re: Regarding Heartbleed bug

Hello,

I've read a few forum posts regarding this but am a little confused and would appreciate some clarification.

I checked my version of OpenSSL



I have used "yum update" and "yum update openssl" and Update server / system software via WHM and it appears no updates are made (from the output). I have restarted the server etc.

I am on CentOS 6 and only installed WHM/Cpanel about 7 days ago on this new server.


Which from what I read IS vulnerable.

However, I also read that if the changelog has an update from Tomas Mraz regarding this, that I am using the "safe version".

So my OpenSSL changelog output shows the following:



Am I right in assuming I am good to go here? I am just confused as the version of OpenSSL is reported as OpenSSL 1.0.1e-fips 11 Feb 2013 and was reported as this before I attempted any update?

Thanks
Your output from the changelog shows your version was backported or otherwise patched to fix this.

You can check more info about the RPM with rpm -qi openssl

Again, if your changelog shows the patch like yours does, you should be fine after restarting services.

Code:
[email protected] [~]# rpm -q --changelog openssl-1.0.1e
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
 

MaraBlue

Well-Known Member
May 3, 2005
334
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
Mine is
Code:
checkyum version 21.1
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.adams.net
 * epel: ftp.osuosl.org
 * extras: ftp.osuosl.org
 * rpmforge: mirror.webnx.com
 * rpmfusion-free-updates: mirror.web-ster.com
 * updates: centos.mirror.facebook.net
Setting up Update Process
No Packages marked for Update
checkyum version 21.1
My VPS has OpenSSL 1.0.1e-fips 11 Feb 2013

How can I update OpenSSL?
What version of CentOS are you running? v5 isn't vulnerable.
 

serichards

Well-Known Member
Dec 11, 2012
48
0
6
cPanel Access Level
Website Owner
I'm assuming this one is ok:

rpm -qi openssl

Name : openssl Relocations: (not relocatable)
Version : 1.0.1e Vendor: CentOS
Release : 16.el6_5.7 Build Date: Tue 08 Apr 2014 03:43:19 BST
 

phoenixweb

Well-Known Member
Jun 3, 2004
70
0
156
cPanel Access Level
DataCenter Provider
I have upgraded the kernel and everything else, but openSSL is not upgrading to 1.0.1g
I have tried several times but actually CENTOS repository still delivery the 1.0.1e (which is bugged):

# yum update openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.prometeus.net
* extras: mirrors.prometeus.net
* updates: mirrors.prometeus.net
Setting up Update Process
No Packages marked for Update


Why CPanel is using "mirrors.prometeus.net" as repository?
and why is not updated with latest patch?

Thanks,
Max
 

garhiyal

Member
PartnerNOC
Nov 10, 2010
5
0
51
Hi,

W.r.t. this OpenSSL vulnerability, I have opened a ticket ID 4794343. Though I could have posted my questions in here, but due to general security reasons, I had to put them in the ticket.

I request cPanel techs to kindly go through it. It has been nearly 2 hrs. since I opened the ticket.

Thanks

Kirti
 

InterServed

Well-Known Member
Jul 10, 2007
266
8
68
cPanel Access Level
DataCenter Provider
You will not receive 1.0.1g via centos repository no matter what you will try. You will get an updated 1.0.1e that contains a patch/fix for the described vulnerability.

As described earlier on this topic , you can check this via :
Code:
rpm -q --changelog openssl-1.0.1e|head
which should return:
* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

I have upgraded the kernel and everything else, but openSSL is not upgrading to 1.0.1g
I have tried several times but actually CENTOS repository still delivery the 1.0.1e (which is bugged):

# yum update openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.prometeus.net
* extras: mirrors.prometeus.net
* updates: mirrors.prometeus.net
Setting up Update Process
No Packages marked for Update


Why CPanel is using "mirrors.prometeus.net" as repository?
and why is not updated with latest patch?

Thanks,
Max