
OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

Discussion in 'Security' started by bouvrie, Apr 8, 2014.

  1. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    986
    Likes Received:
    76
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Probably a good idea.
     
  2. serichards

    serichards Well-Known Member

    Joined:
    Dec 11, 2012
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Website Owner
    So is OpenSSL 1.0.1e-fips 11 Feb 2013 vulnerable or not? Some say yes, others say not. I have tried the heartbleed test but it gives me an error: Uh-oh, something went wrong: tls: oversized record received with length 20291

    I have done yum update, the cpanel system and server software update and yum update again and it claims there are no packages available to update so this is the latest version it seems.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    986
    Likes Received:
    76
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    FIPS does not mitigate this, so you're probably waiting on a patch from your OS vendor. What exact version of your OS are you running?
     
  4. panayot

    panayot Well-Known Member

    Joined:
    Nov 18, 2004
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    166
    You can check exact version with:

    Code:
    rpm -qa |grep openssl
    Answer for RHEL 6/CentOS 6 should be:

    Code:
    openssl-1.0.1e-16.el6_5.7.x86_64
    openssl-devel-1.0.1e-16.el6_5.7.x86_64
    
    If your server is RHEL 5/CentOS 5, then OpenSSL does not have the bug and its version would be something like openssl-0.9.8e.
     
    #24 panayot, Apr 8, 2014
    Last edited: Apr 8, 2014
  5. goodmove

    goodmove Well-Known Member

    Joined:
    May 12, 2003
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    166
    "yum update openssl" seems to be handling it:

    Updated:
    openssl.x86_64 0:1.0.1e-16.el6_5.7

    Dependency Updated:
    openssl-devel.x86_64 0:1.0.1e-16.el6_5.7

    Do we need to do a full "yum update"?

    Norman
     
  6. serichards

    serichards Well-Known Member

    Joined:
    Dec 11, 2012
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Website Owner
    openssl-devel-1.0.1e-16.el6_5.7.x86_64
    openssl-1.0.1e-16.el6_5.7.x86_64

    Both checked a couple of hours ago and defined as the latest.
     
  7. panayot

    panayot Well-Known Member

    Joined:
    Nov 18, 2004
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    166
    No, that is enough. Just don't forget to restart:
    • cpanel
    • httpd
    • exim
    • dovecot
    • pure-ftpd
    • mysql
    • any other services you might have installed that use ssl (like RAID controller managers)
     
    #27 panayot, Apr 8, 2014
    Last edited: Apr 8, 2014
  8. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    986
    Likes Received:
    76
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    That should handle it for this issue, but it's usually a good idea to make sure all your other RPMs are updated too.

    As others have stated, be sure to restart the appropriate services (or just reboot your server).
     
  9. Archmactrix

    Archmactrix Well-Known Member

    Joined:
    Jan 20, 2012
    Messages:
    134
    Likes Received:
    2
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    Does Apache need to be recompiled after applying the patch?
     
  10. Venomous21

    Venomous21 Well-Known Member

    Joined:
    Jun 28, 2012
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Just want to confirm, if we are running CentOS 5.10, we are not vulnerable and no steps need to be applied?

    root@ [/var/log]# rpm -qa |grep openssl
    openssl-0.9.8e-27.el5_10.1
    openssl-devel-0.9.8e-27.el5_10.1
    openssl-0.9.8e-27.el5_10.1
    openssl-devel-0.9.8e-27.el5_10.1

    Thank you!
     
  11. panayot

    panayot Well-Known Member

    Joined:
    Nov 18, 2004
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    166
    Yes, that is correct.

    No, just stop/start
     
    #31 panayot, Apr 8, 2014
    Last edited: Apr 8, 2014
  12. SludgeMeister

    SludgeMeister Member

    Joined:
    May 8, 2006
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    151
    Regarding Heartbleed bug

    Hello,

    I've read a few forum posts regarding this but am a little confused and would appreciate some clarification.

    I checked my version of OpenSSL

    I have used "yum update" and "yum update openssl" and Update server / system software via WHM and it appears no updates are made (from the output). I have restarted the server etc.

    I am on CentOS 6 and only installed WHM/Cpanel about 7 days ago on this new server.

    Which from what I read IS vulnerable.

    However, I also read that if the changelog has an update from Tomas Mraz regarding this, that I am using the "safe version".

    So my OpenSSL changelog output shows the following:

    Am I right in assuming I am good to go here? I am just confused as the version of OpenSSL is reported as OpenSSL 1.0.1e-fips 11 Feb 2013 and was reported as this before I attempted any update?

    Thanks
     
    #32 SludgeMeister, Apr 8, 2014
    Last edited: Apr 8, 2014
  13. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    334
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    WHM » Software » Update System Software, as posted by InfoPro, also works.
     
  14. pauloray

    pauloray Well-Known Member

    Joined:
    Jan 16, 2012
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    56
    Location:
    Philippines
    cPanel Access Level:
    Root Administrator
    Mine is
    Code:
    checkyum version 21.1
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirrors.adams.net
     * epel: ftp.osuosl.org
     * extras: ftp.osuosl.org
     * rpmforge: mirror.webnx.com
     * rpmfusion-free-updates: mirror.web-ster.com
     * updates: centos.mirror.facebook.net
    Setting up Update Process
    No Packages marked for Update
    checkyum version 21.1
    My VPS has OpenSSL 1.0.1e-fips 11 Feb 2013

    How can I update OpenSSL?
     
  15. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    986
    Likes Received:
    76
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Re: Regarding Heartbleed bug

    Your output from the changelog shows your version was backported or otherwise patched to fix this.

    You can check more info about the RPM with rpm -qi openssl

    Again, if your changelog shows the patch like yours does, you should be fine after restarting services.

    Code:
    root@node [~]# rpm -q --changelog openssl-1.0.1e
    * Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
    - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension 
     
  16. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    334
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    What version of CentOS are you running? v5 isn't vulnerable.
     
  17. serichards

    serichards Well-Known Member

    Joined:
    Dec 11, 2012
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Website Owner
    I'm assuming this one is ok:

    rpm -qi openssl

    Name : openssl Relocations: (not relocatable)
    Version : 1.0.1e Vendor: CentOS
    Release : 16.el6_5.7 Build Date: Tue 08 Apr 2014 03:43:19 BST
     
  18. phoenixweb

    phoenixweb Well-Known Member

    Joined:
    Jun 3, 2004
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    156
    cPanel Access Level:
    DataCenter Provider
    I have upgraded the kernel and everything else, but OpenSSL is not upgrading to 1.0.1g.
    I have tried several times, but the CentOS repository still delivers 1.0.1e (which is bugged):

    # yum update openssl
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    * base: mirrors.prometeus.net
    * extras: mirrors.prometeus.net
    * updates: mirrors.prometeus.net
    Setting up Update Process
    No Packages marked for Update


    Why is cPanel using "mirrors.prometeus.net" as a repository,
    and why is it not updated with the latest patch?

    Thanks,
    Max
     
  19. garhiyal

    garhiyal Member

    Joined:
    Nov 10, 2010
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    51
    Hi,

    W.r.t. this OpenSSL vulnerability, I have opened a ticket, ID 4794343. Though I could have posted my questions here, for general security reasons I had to put them in the ticket.

    I request cPanel techs to kindly go through it. It has been nearly 2 hrs. since I opened the ticket.

    Thanks

    Kirti
     
  20. InterServed

    InterServed Well-Known Member

    Joined:
    Jul 10, 2007
    Messages:
    258
    Likes Received:
    3
    Trophy Points:
    68
    cPanel Access Level:
    DataCenter Provider
    You will not receive 1.0.1g via centos repository no matter what you will try. You will get an updated 1.0.1e that contains a patch/fix for the described vulnerability.

    As described earlier in this topic, you can check this via:
    Code:
    rpm -q --changelog openssl-1.0.1e|head
    which should return:
    * Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
    - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

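Two checks for what the thread describes, written as an added example (not code from the thread or from cPanel): whether the RPM changelog carries the backported fix, and which running processes still map the pre-update libssl/libcrypto and therefore still need the restart the posts above recommend. All inputs are constructed samples so it runs offline; the live commands that produce the same input, and the assumed "<pid> <maps line>" layout, are noted in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel. Two offline checks:
# (1) does the RPM changelog carry the backported Heartbleed fix (a 1.0.1e
#     build can be patched without ever becoming 1.0.1g)?
# (2) which running processes still map the pre-update libssl or libcrypto,
#     i.e. still need a restart after "yum update openssl"?
# Inputs below are constructed samples. On a live CentOS 6 host feed in
#   rpm -q --changelog openssl | head
# and, for the maps check (assumed layout "<pid> <line of /proc/<pid>/maps>"):
#   for p in /proc/[0-9]*; do sed "s|^|${p#/proc/} |" "$p/maps" 2>/dev/null; done

# Exit status 0 when the changelog text mentions the Heartbleed CVE.
changelog_has_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160'
}

# Print, sorted and space separated, the pids whose maps still reference a
# libssl/libcrypto the kernel marks "(deleted)": the update replaced the file
# on disk while the old copy stayed mapped into the running process.
stale_ssl_pids() {
    printf '%s\n' "$1" \
        | awk '/lib(ssl|crypto)\.so[^ ]* \(deleted\)/ { print $1 }' \
        | sort -u \
        | awk '{ printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Constructed sample: the patched CentOS 6 changelog head quoted in the thread.
PATCHED_CHANGELOG='* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

# Constructed sample: a changelog head from a build without the fix.
OLD_CHANGELOG='* Tue Jan 07 2014 Example Packager <pkg@example.invalid> 1.0.1e-16.4
- rebuild (constructed sample, no heartbeat fix listed)'

# Constructed "<pid> <maps line>" sample taken after the update: pids 1234 and
# 3456 still hold deleted libraries, pid 2345 was started after the update.
MAPS_SAMPLE='1234 7f3a1c000000-7f3a1c1f6000 r-xp 00000000 fd:00 393238 /usr/lib64/libssl.so.1.0.1e (deleted)
1234 7f3a1c1f6000-7f3a1c3f5000 ---p 001f6000 fd:00 393238 /usr/lib64/libssl.so.1.0.1e (deleted)
2345 7f9d2e000000-7f9d2e1f6000 r-xp 00000000 fd:00 393301 /usr/lib64/libssl.so.1.0.1e
3456 7fa4b0000000-7fa4b01c1000 r-xp 00000000 fd:00 393240 /usr/lib64/libcrypto.so.1.0.1e (deleted)'

if changelog_has_fix "$PATCHED_CHANGELOG"; then echo 'changelog: fix present'; else echo 'changelog: NO fix'; fi
echo "pids still mapping a deleted libssl/libcrypto: $(stale_ssl_pids "$MAPS_SAMPLE")"
```

An empty pid list after a real run means every SSL-using service has been restarted; a non-empty one names the processes the restart list above still applies to.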
     