[BlueOnyx:18747] Re: OpenSSL 1.0.1q
Matt James
matt at rainstorminc.com
Tue Dec 8 08:18:33 -05 2015
Hi Michael,
Thanks for all the great info! I’ll check again next week to see if the updates came through.
--
Matt James
RainStorm, Inc <http://rainstorminc.com/>
(207) 866-3908 x54
> On Dec 7, 2015, at 12:22 PM, Michael Stauber <mstauber at blueonyx.it> wrote:
>
> Hi Matt,
>
>> I recently heard about an update to OpenSSL (1.0.1q and 1.0.2e,
>> for those versions, respectively). Looking at the RPM changelog
>> on my machine, however, doesn’t appear to show that there’s been
>> an update to 5107R. Any news?
>
> RedHat (and CentOS and SL for that matter) lock the version numbers for
> libraries once the OS is released. So if something got released with
> OpenSSL-1.0.1 (like EL6 did), then it usually stays with that. Often
> until the EOL of that OS. Sometimes OpenSSL gets replaced with a newer
> version during a minor release, though. But that then is never trivial
> as almost anything is compiled against OpenSSL and might then break.
>
> Therefore RedHat usually backports fixes to the version(s) they ship and
> just bumps the release number to indicate this. The current OpenSSL on
> EL6 is openssl-1.0.1e-42.
>
> However, there is another side-effect: As RedHat backports fixes from
> newer OpenSSL releases to their own (older) versions of OpenSSL that are
> in their shipped OSes, sometimes the RedHat versions aren't affected by
> the bugs in the first place.
>
> So let us look at the vulnerability announcement to find out the CVE
> numbers:
>
> https://openssl.org/news/secadv/20151203.txt
>
> BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
> Certificate verify crash with missing PSS parameter (CVE-2015-3194)
> X509_ATTRIBUTE memory leak (CVE-2015-3195)
> Race condition handling PSK identify hint (CVE-2015-3196)
> Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)
>
> Now let us look the CVEs up at RHN:
>
> https://access.redhat.com/security/cve/cve-2015-3193
> https://access.redhat.com/security/cve/cve-2015-3194
> https://access.redhat.com/security/cve/cve-2015-3195
> https://access.redhat.com/security/cve/cve-2015-3196
> https://access.redhat.com/security/cve/cve-2015-1794
>
> Results:
>
> CVE    EL5     EL6     EL7
> ---------------------------------------------
> 3193:  OK      OK      OK
> 3194:  OK      NOT OK  NOT OK
> 3195:  NOT OK  NOT OK  NOT OK
> 3196:  OK      NOT OK  OK
> 1794:  OK      OK      OK
>
> So this is kinda hit and miss with the OpenSSL on EL5, EL6 and EL7. None
> is affected by all of it, but all are affected by some of these issues
> in one form or another.
>
> I suspect updated RPMs will soon be available from upstream.
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
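Editor's added example (not from the thread, not BlueOnyx or Red Hat code): because Red Hat backports fixes and only bumps the release number, the place to look for the advisory's CVEs on an EL box is the package changelog, `rpm -q --changelog openssl`. The script below takes changelog text and reports which of the five CVE IDs from the 20151203 advisory are mentioned. The changelog excerpt embedded in it is constructed so the script runs offline; the maintainer name, release `1.0.1e-43` and the entries are invented, not real Red Hat changelog content.

```shell
#!/bin/sh
# Added example: check an RPM changelog for the CVEs named in the
# OpenSSL 20151203 security advisory. On a real EL system use:
#   report "$(rpm -q --changelog openssl)"

CVES="CVE-2015-3193 CVE-2015-3194 CVE-2015-3195 CVE-2015-3196 CVE-2015-1794"

# Constructed sample changelog (invented entries, not Red Hat's changelog).
SAMPLE_CHANGELOG='* Mon Dec 07 2015 Example Maintainer <nobody@example.invalid> 1.0.1e-43
- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak
* Thu Jun 11 2015 Example Maintainer <nobody@example.invalid> 1.0.1e-42
- fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time'

# cve_status CHANGELOG CVE -> prints "fixed" if the CVE ID appears, else "missing".
cve_status() {
    if printf '%s\n' "$1" | grep -qi -- "$2"; then
        echo fixed
    else
        echo missing
    fi
}

# report CHANGELOG -> one line per advisory CVE: "<CVE> <status>"
report() {
    changelog=$1
    for cve in $CVES; do
        printf '%s %s\n' "$cve" "$(cve_status "$changelog" "$cve")"
    done
}

# count_missing CHANGELOG -> number of advisory CVEs not referenced in the changelog
count_missing() {
    report "$1" | grep -c ' missing$' || true
}

report "$SAMPLE_CHANGELOG"
```

A "missing" line is not by itself a finding: as the table above shows, the Red Hat build is sometimes simply not affected, so an absent CVE ID should be cross-checked against the RHN CVE pages listed in the message before treating the package as unpatched.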