OpenSSL Security Advisory (CVE-2012-2110) [19 Apr 2012]

Discussion in 'Security' started by rezman, Apr 19, 2012.

  1. rezman

    rezman Well-Known Member

    Joined:
    Feb 3, 2011
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    USA
    cPanel Access Level:
    Root Administrator
  2. raysolomon

    raysolomon Member

    Joined:
    Oct 12, 2006
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    FYI - it's already fixed. It says so if you read the OpenSSL Security Advisory you posted ;)


     
  3. rezman

    rezman Well-Known Member

    The source code has been fixed, yes. Now it's up to people to download and install it. Your quote from the advisory even says "Affected users should upgrade to OpenSSL 1.0.1a, 1.0.0i or 0.9.8v".

    I'm currently running
    Code:
    openssl version
    OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,453
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Keeping in mind that CVE is from yesterday?, I think you'll find this item in the cPanel Documentation useful:
    PCI Compliance Scanning and Software Versions - cPanel Documentation

    If I follow those instructions and check my EDGE server I get this:
    Code:
    [root /]# rpm --changelog -q openssl-0.9.8e-22.el5_8.1|less
    * Mon Mar 19 2012 Tomas Mraz <tmraz@redhat.com> 0.9.8e-22.1
    - fix problem with the SGC restart patch that might terminate handshake
      incorrectly
    - fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)
    - fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)
    
    -snipped off at the legs here-
    I would think if your system is keeping itself up to date that this would be patched when a patch is pushed by your OS vendor.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    If I rebuild the RPM database via WHM I see this:
    D: adding "0.9.8e-22.el5_8.1" to Provideversion index.
     
  6. rezman

    rezman Well-Known Member

    @Infopro

    Thank you, that is a much more helpful reply. Yours is the same match-up as mine so I'll just wait for RH to push the updates out.
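
An added example, not part of any post in this thread: because Red Hat backports fixes, `openssl version` keeps reporting 0.9.8e, so the package changelog is what shows whether a given CVE is patched. The function names `cve_fixed_in` and `check_pkg` are this example's own, and the embedded sample is the changelog excerpt quoted in the thread.

```shell
#!/bin/sh
# Read `rpm -q --changelog <pkg>` text on stdin and print the header of each
# changelog entry whose body mentions the given CVE id.
# Exit status: 0 if the CVE is mentioned, 1 if it is not.
cve_fixed_in() {
    awk -v cve="$1" '
        /^\* / { header = $0; next }        # entry header: "* date packager version"
        $0 ~ (cve "([^0-9]|$)") {           # exact id, not a prefix of a longer one
            if (header != last) { print header; last = header }
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Live check against the installed package (needs rpm; not run by the demo below).
check_pkg() {
    rpm -q --changelog "$1" | cve_fixed_in "$2"
}

# Sample input: the changelog excerpt posted in the thread (truncated there too).
SAMPLE_CHANGELOG='* Mon Mar 19 2012 Tomas Mraz <tmraz@redhat.com> 0.9.8e-22.1
- fix problem with the SGC restart patch that might terminate handshake
  incorrectly
- fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)
- fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)'

# Demo: one CVE the excerpt lists, and the one this thread is about.
for cve in CVE-2012-0884 CVE-2012-2110; do
    if entry=$(printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in "$cve"); then
        echo "$cve: fixed in entry: $entry"
    else
        echo "$cve: not mentioned in this changelog, package update still pending"
    fi
done
```

On a live system, `check_pkg openssl CVE-2012-2110` runs the same check against the installed package's full changelog.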
     