OpenSSL Security Advisory (CVE-2012-2110) [19 Apr 2012]

[rezman]

I'm wondering if the patch for this will be pushed out within the next 24-48 hours to fix this or if people should manually patch.

If manually patching, what would be the best way to go about doing it? I'm always nervous with recompiling anything dealing with OpenSSL.

Security Info:
- http://www.openssl.org/news/secadv_20120419.txt
- [Full-disclosure] incorrect integer conversions in OpenSSL can result in memory corruption.

 

[raysolomon]

FYI - its already fixed. It says so if you read the OpenSSL Security Advisory you posted

Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and
to Adam Langley <[email protected]> for fixing it.

Affected users should upgrade to OpenSSL 1.0.1a, 1.0.0i or 0.9.8v.

 

[rezman]

FYI - its already fixed. It says so if you read the OpenSSL Security Advisory you posted

The source code has been fixed yes. Now it's up to people to download and install it. Your quote from the advisory even says "Affected users should upgrade to OpenSSL 1.0.1a, 1.0.0i or 0.9.8v".

I'm currently running

openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

 

[Infopro]

Keeping in mind that CVE is from yesterday?, I think you'll find this item in the cPanel Documentation useful:
PCI Compliance Scanning and Software Versions - cPanel Documentation

If I follow those instructions and check my EDGE server I get this:

[root /]# rpm --changelog -q openssl-0.9.8e-22.el5_8.1|less
* [B]Mon Mar 19 2012[/B] Tomas Mraz <[email protected]> 0.9.8e-22.1
- fix problem with the SGC restart patch that might terminate handshake
  incorrectly
- fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)
- fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)

-snipped off at the legs here-

I would think if your system is keeping itself up to date that this would be patched when a patch is pushed by your OS vendor.

 

[Infopro]

If I rebuild the RPM database via WHM I see this:
D: adding "0.9.8e-22.el5_8.1" to Provideversion index.

 

[rezman]

@Infopro

Thank you, that is a much more helpful reply. Yours is the same match-up as mine so I'll just wait for RH to push the updates out.