OpenSSL Security Advisory (CVE-2012-2110) [19 Apr 2012]

rezman


FYI - it's already fixed. It says so if you read the OpenSSL Security Advisory you posted ;)
The source code has been fixed, yes. Now it's up to people to download and install it. Your quote from the advisory even says "Affected users should upgrade to OpenSSL 1.0.1a, 1.0.0i or 0.9.8v".

I'm currently running
Code:
openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
 

Infopro

Keeping in mind that CVE is from yesterday?, I think you'll find this item in the cPanel Documentation useful:
PCI Compliance Scanning and Software Versions - cPanel Documentation

If I follow those instructions and check my EDGE server I get this:
Code:
[root /]# rpm --changelog -q openssl-0.9.8e-22.el5_8.1|less
* Mon Mar 19 2012 Tomas Mraz <[email protected]> 0.9.8e-22.1
- fix problem with the SGC restart patch that might terminate handshake
  incorrectly
- fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)
- fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)

-snipped off at the legs here-
I would think if your system is keeping itself up to date that this would be patched when a patch is pushed by your OS vendor.
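
The changelog check described in the post above, as an added example that is not part of the original thread: because the vendor backports fixes, the `openssl version` string stays at 0.9.8e, so the package changelog is what shows whether a given CVE is covered. The function names are hypothetical, and the sample input is constructed from the changelog entry quoted in the post (packager e-mail omitted).

```shell
#!/bin/sh
# Constructed sample: the changelog entry quoted in the post above.
sample_changelog() {
cat <<'EOF'
* Mon Mar 19 2012 Tomas Mraz 0.9.8e-22.1
- fix problem with the SGC restart patch that might terminate handshake
  incorrectly
- fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)
- fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)
EOF
}

# cve_entry CVE-ID
# Reads `rpm -q --changelog` text on stdin and prints the header line
# ("* date packager version-release") of the newest entry that mentions the
# CVE. Returns 1 if no entry mentions it.
cve_entry() {
    awk -v cve="$1" '
        /^\* / { header = $0 }                 # start of a changelog entry
        {
            i = index($0, cve)
            # Reject prefix hits such as CVE-2012-211 matching CVE-2012-2110.
            if (i && header != "" && substr($0, i + length(cve), 1) !~ /[0-9]/) {
                print header; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# check_installed PACKAGE CVE-ID: same check against the installed RPM.
check_installed() {
    rpm -q --changelog "$1" | cve_entry "$2"
}

# Demo on the constructed sample (no rpm needed).
for cve in CVE-2012-0884 CVE-2012-2110; do
    if entry=$(sample_changelog | cve_entry "$cve"); then
        echo "$cve: fixed in entry: $entry"
    else
        echo "$cve: not mentioned in this changelog"
    fi
done
```

On a live system, `check_installed openssl CVE-2012-2110` returns non-zero until the vendor ships a package whose changelog lists that CVE.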
 

rezman

@Infopro

Thank you, that is a much more helpful reply. Yours is the same match-up as mine so I'll just wait for RH to push the updates out.