The Community Forums


Updating OpenSSL

Discussion in 'Security' started by dmgens, Jan 28, 2010.

  1. dmgens

    dmgens Well-Known Member

    Folks:

    What are the steps required to update OpenSSL to 1.97k or above for a PCI compliance issue? I'm not sure where to start. Are there scripts to do this, or if not, what are the steps?

    Thanks
     
  2. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    I recommend reviewing the following documentation; included is information detailing how to check if the necessary updates for a reported vulnerability are already applied or included in the installed OpenSSL software package or RPM, (e.g., from CentOS and RHEL):
    PCI Compliance Scanning and Software Versions

    Here is a verbose example using CentOS 5.4:
    Code:
    # grep -H '' /etc/*release
    /etc/redhat-release:CentOS release 5.4 (Final)
    
    # rpm -qa | grep -i openssl | sort
    openssl-0.9.8e-12.el5_4.1
    openssl-devel-0.9.8e-12.el5_4.1
    
    # rpm -q --changelog openssl-0.9.8e-12.el5_4.1 | less
    * Thu Jan 14 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.1
    - fix CVE-2009-2409 - drop MD2 algorithm from EVP tables (#510197)
    - fix CVE-2009-4355 - do not leak memory when CRYPTO_cleanup_all_ex_data()
      is called prematurely by application (#546707)
    Using RPM version information like the above it is possible to inform the PCI scanning vendor so they may mark applicable issues as a false positive. For reference I've linked the Red Hat Bugzilla ID numbers in the quoted change log entries to their respective pages on the Red Hat Bugzilla web site:
    510197: https://bugzilla.redhat.com/show_bug.cgi?id=510197
    546707: https://bugzilla.redhat.com/show_bug.cgi?id=546707
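The check described in the post above, automated as an added example (this script is not from the thread or from cPanel): it greps an RPM changelog for one or more CVE identifiers, so a version-only finding from a PCI scanner can be confirmed as a backported fix or escalated. The sample changelog is constructed to mirror the entry quoted above; CVE-0000-0000 is a placeholder id used only to show the "missing" path, and `check_installed` assumes an RPM-based host.

```shell
#!/bin/sh
# Added example (not from the forum thread): does the distro OpenSSL package's
# changelog already list a CVE that a scanner flagged purely by version string?
# Red Hat/CentOS backport fixes without bumping the upstream version, so
# "0.9.8e" alone says nothing about patch status.

# cve_in_changelog CHANGELOG_TEXT CVE-ID...
# Prints "patched: <id>" or "missing: <id>" for each id; returns 0 only if all
# of them appear in the changelog.
cve_in_changelog() {
    changelog=$1
    shift
    rc=0
    for cve in "$@"; do
        # Match the id as a whole token so CVE-2009-2409 does not also match
        # a hypothetical CVE-2009-24091. Case-insensitive: some entries use "cve-".
        if printf '%s\n' "$changelog" | grep -qiE "(^|[^0-9])${cve}"'([^0-9]|$)'; then
            echo "patched: $cve"
        else
            echo "missing: $cve"
            rc=1
        fi
    done
    return $rc
}

# check_installed PKG CVE-ID...  -- live check against the RPM database
# (assumes an RPM-based system such as CentOS/RHEL).
check_installed() {
    pkg=$1
    shift
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; cannot query $pkg" >&2
        return 2
    fi
    cve_in_changelog "$(rpm -q --changelog "$pkg")" "$@"
}

# Constructed sample, modelled on the changelog quoted in the thread.
SAMPLE_CHANGELOG='* Thu Jan 14 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.1
- fix CVE-2009-2409 - drop MD2 algorithm from EVP tables (#510197)
- fix CVE-2009-4355 - do not leak memory when CRYPTO_cleanup_all_ex_data()
  is called prematurely by application (#546707)'

# Demo: the two ids from the sample are found; CVE-0000-0000 is a placeholder
# that is not, so the overall exit status is non-zero.
cve_in_changelog "$SAMPLE_CHANGELOG" CVE-2009-2409 CVE-2009-4355 CVE-0000-0000 \
    || echo "at least one CVE is not mentioned in the changelog"

# On a real CentOS 5 host the equivalent live call would be:
#   check_installed openssl CVE-2009-2409 CVE-2009-4355
```

Send the "patched:" lines together with the `rpm -q` output to the scanning vendor as evidence; a "missing:" result means the fix really is absent from that package build and the OS vendor's errata should be checked rather than the upstream version number.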
     
  3. dmgens

    dmgens Well-Known Member

    Still fighting the OpenSSL thing

    Thanks. I checked that and found that the OpenSSL was, as the PCI people said, 0.9.7a, so I went and installed 0.9.8l using the installation instructions in the download. The command openssl version returns 0.9.8l, but Apache still thinks it is 0.9.7a, so I went through the easyapache script, but the 0.9.7a remained, so I've missed something, some install step or something. If you or anyone has any ideas on this please let me know. Also I will send the changelog info to the PCI people.

    Thanks
     
  4. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    It is not recommended to replace the stock RPM-installed OpenSSL version with one compiled from source; this is extremely dangerous due to the dependencies involved and the potential conflicts that can arise, including other software that is already compiled against the stock version (that was provided by the OS vendor).

    I have seen some users find success in using the directory "/opt/openssl" to store a custom install for use with recompiling Apache and PHP, but this is not recommended. The safest and recommended solution is to simply obtain proper updates from the OS vendor and ensure the OS release is the latest version. Assuming the system already has the latest version, if there is a vulnerability in the installed OS release then the software vendor (e.g., Red Hat for RHEL, or CentOS) should be notified so that they may implement and distribute a new security update.
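An added example (not from the thread or from cPanel) for the situation described in this exchange, where `openssl version` reports one version and Apache another: it shows which libssl/libcrypto a given binary is actually linked against and which RPM owns that library, which is exactly the mismatch a source build alongside the stock package creates. The ldd output is a constructed sample so the parser runs offline; the httpd path `/usr/local/apache/bin/httpd` in the usage comment is an assumption about where the web server lives.

```shell
#!/bin/sh
# Added example (not from the forum thread): which libssl/libcrypto does a
# binary really use, and who owns that file? "openssl version" only reports
# the first openssl binary on PATH; a daemon such as httpd uses whatever the
# dynamic loader resolves, or a copy linked in statically (which ldd cannot show).

# parse_ssl_libs: read ldd(1) output on stdin and print the resolved path of
# every libssl/libcrypto entry. Input lines look like
#   libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaab000000)
parse_ssl_libs() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $3 }'
}

# linked_ssl_libs BIN: the SSL libraries the loader would map into BIN.
linked_ssl_libs() {
    ldd "$1" 2>/dev/null | parse_ssl_libs
}

# ssl_report BIN: one line per library naming the owning RPM, or a note that
# the file is unpackaged (typical of a source build under /usr/local or /opt).
ssl_report() {
    bin=$1
    [ -x "$bin" ] || { echo "not an executable: $bin" >&2; return 1; }
    libs=$(linked_ssl_libs "$bin")
    if [ -z "$libs" ]; then
        echo "$bin: no dynamic libssl/libcrypto (statically linked, or no TLS support)"
        return 0
    fi
    for lib in $libs; do
        if command -v rpm >/dev/null 2>&1 && owner=$(rpm -qf "$lib" 2>/dev/null); then
            echo "$bin -> $lib ($owner)"
        else
            echo "$bin -> $lib (not owned by any RPM)"
        fi
    done
}

# Constructed ldd output for a hypothetical httpd linked against the stock
# CentOS 5 libraries; used so the parser can be exercised without a real binary.
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007fff8a1fe000)
	libssl.so.6 => /lib64/libssl.so.6 (0x00002b1d2c4a8000)
	libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b1d2c6f4000)
	libc.so.6 => /lib64/libc.so.6 (0x00002b1d2c8b2000)'

printf '%s\n' "$SAMPLE_LDD" | parse_ssl_libs

# On a real server, compare the daemon with the CLI that "openssl version" runs
# (httpd path is an assumption; adjust for your build):
#   ssl_report /usr/local/apache/bin/httpd
#   rpm -qf "$(command -v openssl)"
```

If `ssl_report` names a library under /usr/local or /opt that no RPM owns while the `openssl` on PATH belongs to the stock package (or the other way round), the two version numbers come from two different OpenSSL installations, and the PCI evidence has to be gathered for the one the daemon loads, not the one the shell finds first.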
     
  5. dmgens

    dmgens Well-Known Member

    Thanks

    Thanks for the information

    I resolved the problem without changing the version of OpenSSL.
     
  6. jack01

    jack01 Well-Known Member

    Hi dmgens,

    I would be grateful if you could explain just how you "resolved the problem without changing the version of OpenSSL".

    Thanks.
     