OpenSSL vulnerability CVE-2014-0224

openssl security update, RHSA-2014:0625-1

Hi, just saw this security advisory

https://rhn.redhat.com/errata/RHSA-2014-0625.html

OpenSSL security advisory - Vulnerabilities - Web Hosting Talk

A yum update installs the new version, but do we need to recompile Apache if we've used EasyApache?

thanks

 

Re: openssl security update, RHSA-2014:0625-1

I do not believe you need to run EA, someone please correct me if I'm wrong.

You do, however, need to restart any services using SSL. A lot of times just restarting the server is easier than restarting all the individual services.

 

I first did "yum clean all" then I did "yum update openssl" and here is the output:

Loaded plugins: fastestmirror
Determining fastest mirrors
epel/metalink | 12 kB 00:00
* epel: mirror.cogentco.com
base | 3.7 kB 00:00
base/primary_db | 3.5 MB 00:00
epel | 4.4 kB 00:00
epel/primary_db | 5.1 MB 00:00
extras | 3.4 kB 00:00
extras/primary_db | 18 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 2.9 MB 00:00
Setting up Update Process
No Packages marked for Update

Notice "No Packages marked for Update". I've tried it on two different CentOS servers, same thing. When I go to that actual mirror it is there:

Index of /pub/openssl

I don't understand what is going on, I'm not patached yet!

yum info openssl:

Version : 1.0.1e
Release : 16.el6_5.7

Why won't it download the new version?

 

Found this info:

/etc/yum.repos.d/CentOS-Base.repo

Comment out mirrorlist line and uncomment the baseurl line in each stanza.

Then run:
yum clean all
yum update openssl

Say YES to the prompt. You'll notice the updated version will not be 1.0.1h but a subversion of 1.0.1e, but it will be patched.

Now, reboot all of your services or just reboot your whole server to be sure.

Restore CentOS-Base.repo to its previous state.