

Upgrade openssl for CentOS 6.5 64-bit




Posted by Kailash12, 04-11-2014, 02:16 AM
Hi, This is in reference to the recent OpenSSL vulnerability. I tried to update it via yum but it shows no updates available. Following is the information:
-------------------------------------------------------------
root@server [~]# yum info openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * epel: mirror.steadfast.net
base | 3.7 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
Installed Packages
Name : openssl
Arch : x86_64
Version : 1.0.1e
Release : 16.el6_5.7
Size : 4.0 M
Repo : installed
From repo : updates
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
 : machines. OpenSSL includes a certificate management tool and shared
 : libraries which provide various cryptographic algorithms and
 : protocols.
Available Packages
Name : openssl
Arch : i686
Version : 1.0.1e
Release : 16.el6_5.7
Size : 1.5 M
Repo : updates
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
 : machines. OpenSSL includes a certificate management tool and shared
 : libraries which provide various cryptographic algorithms and
 : protocols.
-------------------------------------------------------------
-------------------------------------------------------------
root@server [~]# yum update openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * epel: mirror.steadfast.net
Setting up Update Process
No Packages marked for Update
root@server []# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
root@server [~]#
-------------------------------------------------------------
Server OS: CentOS release 6.5 (Final) x86_64 bit
Am I safe or do I need to take further action? Thanks!

Posted by ambadydotnet, 04-11-2014, 02:36 AM
I think the 1.0.1e version is affected. You should upgrade to 1.0.1g.

Posted by Srv24x7, 04-11-2014, 03:30 AM
Hi, An official patch for this has been released and has been updated in the CentOS mirrors. You can check the below announcement from CentOS:
http://lists.centos.org/pipermail/ce...il/020249.html
Additionally, please check whether the current rpm involves this patch:
rpm -q openssl
rpm -q --changelog openssl | grep CVE-2014-0160
[- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension]

Posted by Kailash12, 04-11-2014, 03:41 AM
Thanks for the information. I just verified it:
root@server [~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.7.x86_64
root@server [~]# rpm -q --changelog openssl-1.0.1e-16.el6_5.7.x86_64 | grep CVE-2014-0160
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
So I am good now. Thanks!

Posted by NoSupportLinuxHostin, 04-11-2014, 03:04 PM
That is correct. The patches are backported into OpenSSL 1.0.1e. You do not need 1.0.1g. Here is a command to list security updates included in your current version of OpenSSL:
rpm -q --changelog openssl | grep -iE 'security|cve|vuln'
As long as the following line is listed, then you are safe:
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

Posted by VoodooServers, 04-11-2014, 06:03 PM
It's worth mentioning that updating OpenSSL is pointless if you don't restart your web server, and possibly any other application using the OpenSSL library.

Posted by un!ty, 04-12-2014, 05:19 AM
I followed the instructions and got the following line:
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
Am I safe now? And do I need to restart the server, or is a server restart not required? Thanks.

Posted by Criot, 04-12-2014, 08:19 AM
You'd need to restart all of the services which use OpenSSL. We simply restarted our servers as it gave us a chance to update kernels as well.

Posted by un!ty, 04-12-2014, 08:44 AM
I did it now. Let's see what happens; I hope the server will start working as normal.
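
The two checks this thread arrives at (the package changelog lists the backported CVE-2014-0160 fix, and every process using OpenSSL has been restarted since the update) can be scripted. The following is an added example, not code from any poster; the function names and sample data are assumptions, and it detects unrestarted processes by the "(deleted)" marker that /proc/PID/maps shows for a library file replaced on disk.

```shell
#!/bin/sh
# Added example, not from the thread. Both checks are filters over text, so they
# work on live output or on output saved from another host.

# Succeeds if rpm changelog text on stdin has an entry naming the CVE in $1.
has_backported_fix() {
    grep -qiE -- "^- .*$1([^0-9]|\$)"
}

# Reads "/proc/PID/maps:<mapping>" lines (grep -H format) on stdin and prints
# each PID still mapping a libssl/libcrypto file that was replaced on disk,
# i.e. a process started before the update that is still running the old code.
pids_with_stale_openssl() {
    grep -E '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' |
        sed -n 's|^/proc/\([0-9][0-9]*\)/maps:.*|\1|p' | sort -un
}

# Run both checks against the local system (needs root to read every maps file).
check_live() {
    if rpm -q --changelog openssl | has_backported_fix CVE-2014-0160; then
        echo "openssl changelog lists the CVE-2014-0160 fix"
    else
        echo "openssl changelog does NOT list the CVE-2014-0160 fix"
    fi
    stale=$(grep -H 'deleted' /proc/[0-9]*/maps 2>/dev/null | pids_with_stale_openssl)
    [ -z "$stale" ] || echo "restart needed for PIDs:" $stale
}

# Constructed sample data (packager, PIDs, addresses and inodes are made up).
SAMPLE_CHANGELOG='* Mon Apr 07 2014 Packager <packager@example.invalid>
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
SAMPLE_MAPS='/proc/1201/maps:7f3a10000000-7f3a10060000 r-xp 00000000 fd:00 1311 /usr/lib64/libssl.so.1.0.1e (deleted)
/proc/1201/maps:7f3a0fc00000-7f3a0fdb0000 r-xp 00000000 fd:00 1310 /usr/lib64/libcrypto.so.1.0.1e (deleted)
/proc/1350/maps:7f9b20000000-7f9b20060000 r-xp 00000000 fd:00 2422 /usr/lib64/libssl.so.1.0.1e
/proc/1477/maps:7f11a0000000-7f11a0001000 rw-s 00000000 00:04 98304 /SYSV00000000 (deleted)'

if [ "${1:-}" = "--live" ]; then
    check_live
else
    printf '%s\n' "$SAMPLE_CHANGELOG" | has_backported_fix CVE-2014-0160 && echo "sample: fix listed"
    echo "sample: stale PIDs: $(printf '%s\n' "$SAMPLE_MAPS" | pids_with_stale_openssl | tr '\n' ' ')"
fi
```

Run it with `--live` as root on the server itself; without arguments it only exercises the constructed sample data.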


