
Updating OpenSSL

Discussion in 'General Discussion' started by Mini, Oct 6, 2005.

  1. Mini

    How do I update OpenSSL? I have OpenSSL 0.9.7a that cPanel installed and RKHunter is saying that it's old and insecure.

    Thanks!
    Mini
     
  2. BenThomas

    Information about your system is always helpful when posting system specific questions.

    Try "/scripts/ensurerpm openssl". And just because it's not the correct version number, doesn't necessarily mean that it's insecure. Redhat often patches older versions to remove the vulnerability, without using the absolute latest version. You'll need to research the vendor supplied rpm for the real details of the matter.
     
  3. chirpy

    Indeed. If you do a search on the forums for openssl you'll see many a discussion on the topic. If you're using just about any supported RH or derivative OS, then it's most likely a false-positive as the rkhunter report itself says may be the case. If so, then it is not advisable to upgrade openssl at all. As usual, search on the forums is your friend here.
     
  4. Mini

    Sorry,

    It's CentOS 4.1.

    Thanks!
     
  5. chirpy

    Then, so long as you have yum set up and working it will have back-ported security fixes and doesn't need upgrading.
     
  6. fcsnc

    Ahem

    This is the CPanel forums, right?

    How come the "Apache Security/Version Table" section of the CPanel/WHM News on my root WHM now reads, for openSSL, latest version = 0.9.7h, installed version = 0.9.7a, and the padlock is open and red?

    WHM 10.6.0 cPanel 10.8.0-S59
    RedHat 9 i686 - WHM X v3.1.0

    Huh?
     
  7. flash7

    OpenSSL updated yesterday by RHE3 to 0.9.6b, however in WHM
    Latest Version 0.9.7h
    Installed Version 0.9.7a

    why?
     
  8. webignition

    I'm getting the same in cPanel/WHM news in WHM. Odd but hopefully not too much to worry about as I try to give cPanel the benefit of the doubt and assume that, even though this looks bad, it isn't really. Hopefully I'm not just being blissfully ignorant of something crucially important here!

    Another odd thing is that when I run openssl version from shell I get:

    Code:
    OpenSSL 0.9.7a Feb 19 2003
    however, as you quite rightly mention, RH/CentOS released a new version of openSSL and indeed yum happily acquired this new version:

    Code:
    I will do the following:
    [update: openssl096b 0.9.6b-16.42.i386]
    Downloading Packages
    Getting openssl096b-0.9.6b-16.42.i386.rpm
    
    openssl096b-0.9.6b-16.42.   0% |                         |    0 B    --:-- ETA 
    openssl096b-0.9.6b-16.42.  54% |=============            | 336 kB    00:00 ETA 
    openssl096b-0.9.6b-16.42. 100% |=========================| 615 kB    00:00  
    It's slightly odd that yum acquired and installed OpenSSL 0.9.6b and openssl version reports a different version.

    Some form of clarification here as to what the 'correct' situation should be would be nice.
     
  9. easyhoster1

    The latest is openssl-0.9.8a
    OpenSSL 0.9.7i


    http://www.openssl.org/

    Looks like WHM is not picking up the installed versions correctly?
    All on FREEBSD??
     
    #9 easyhoster1, Nov 3, 2005
    Last edited: Nov 6, 2005
  10. flash7

    [Thu Nov 3 09:12:35 2005] [notice]
    Apache/1.3.34 (Unix)
    mod_ssl/2.8.25
    OpenSSL/0.9.7a
    mod_auth_passthrough/1.8
    mod_log_bytes/1.2
    mod_bwlimited/1.4
    PHP/4.4.1

    :confused:
     
  11. chirpy

    Looks like cPanel have fallen into the RH backport trap over openssl since fixed versions are out for RHE and CentOS.
     
  12. easyhoster1


    We are all FREEBSD and still persist.
     
  13. rebelo

    A bit confused here.
    Does it mean the openssl 0.9.6b is ok for redhat 7.3i686 ?
     
  14. chirpy

    Are you using FedoraLegacy for RH7.3 updates? If not, you should be. If you are, then you're still currently vulnerable by the looks of it, since they don't appear to have released an update to openssl recently. So, you'll probably have to either: upgrade it all by hand; hope you don't fall foul of a compromise; upgrade your server to a supported OS.
     
  15. allpar

    Hmmm...can't yum any more

    Has anyone else had this problem?

    root@host [~]# /scripts/ensurerpm openssl
    Setting up Install Process
    Setting up Repos
    http://centos.hrnoc.net/centos-4/4.1/updates/i386/repodata/repomd.xml: [Errno 4] IOError: HTTP Error 404: Not Found
    Trying other mirror.
    Cannot open/read repomd.xml file for repository: update
    failure: repodata/repomd.xml from update: [Errno 256] No more mirrors to try.

    I understand that the repository is now /4/ rather than /4.1/ but can't figure out where the data's kept. yum.conf is empty. up2date works but doesn't show the new OpenSSL.

    I'm probably justifiably afraid of going to CentOS 4.2 since WHM doesn't list it as being supported yet!
     
  16. allpar

    Update: OK, I found the repository after all. It's in the folder /etc/yum.repos.d if anyone else had a problem ;)

    Changing 4.1 to 4 throughout seems to work.
     
  17. cretu

    Hi,

    I upgraded OpenSSL and OpenSSH according to instructions posted here: http://www.eth0.us/sshd. However, the cPanel status page still displays "broken lock" and indicates version 0.9.7a installed, but when performing command via SSH I get:

    OpenSSH_4.1p1, OpenSSL 0.9.8 05 Jul 2005

    Do I do anything wrong? Is there any one that could point me in the right direction?

    Thank you.

    Cretu
     
  18. ThunderHostingDotCom

    I am having the same problem. I upgraded using the same instructions posted at that link but WHM still shows v0.9.7a. Anyone have thoughts?


     
  19. fishfreek

    I ran the script and got this

    When I check the openssl version from command line I get

     
  20. chirpy

    So long as you have installed the openssl-0.9.7a-33.17 rpm then you have the backported RHE version.
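
Added example, not part of any post in this thread: a shell sketch of the check the replies describe, judging a vendor OpenSSL package by its RPM release and changelog instead of the upstream version string. The 0.9.7a / 33.17 baseline comes from the post above; the function names, the simplified numeric release comparison, and the sample changelog with placeholder identifiers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): judge a vendor OpenSSL package by its
# RPM release rather than by the upstream version string.

# Baseline taken from the thread: openssl-0.9.7a-33.17 is the backported build.
BASE_VERSION="0.9.7a"
FIXED_RELEASE="33.17"

# release_ge A B: succeed if dotted numeric release A >= B.
# Simplified: real RPM ordering (rpmvercmp) also handles letters and tags.
release_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# assess VERSION RELEASE: classify an installed openssl package.
assess() {
    if [ "$1" != "$BASE_VERSION" ]; then
        echo "different-base"      # not the 0.9.7a line; baseline does not apply
    elif release_ge "$2" "$FIXED_RELEASE"; then
        echo "backported"          # old version string, fixes present
    else
        echo "needs-update"        # same version string, fixes missing
    fi
}

# changelog_ids: list the CVE/CAN identifiers named in a changelog on stdin.
changelog_ids() {
    grep -oE '(CVE|CAN)-[0-9]{4}-[0-9]+' | sort -u
}

# Constructed sample changelog (placeholder identifiers, not real advisories).
SAMPLE_CHANGELOG='* Tue Oct 11 2005 Example Packager <pkg@example.invalid> 0.9.7a-33.17
- fix CAN-0000-0001 - placeholder entry
* Mon May 02 2005 Example Packager <pkg@example.invalid> 0.9.7a-33.15
- fix CAN-0000-0002 and CAN-0000-0001 - placeholder entry'

# On a live host the inputs would come from:
#   rpm -q --qf '%{VERSION} %{RELEASE}\n' openssl
#   rpm -q --changelog openssl
assess 0.9.7a 33.17
printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_ids
```

The identifiers a real changelog lists can then be matched against the vendor's advisories for the package, which is the research the second reply recommends.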
     