[BlueOnyx:18740] Re: OpenSSL 1.0.1q

Michael Stauber mstauber at blueonyx.it
Mon Dec 7 12:22:01 -05 2015


Hi Matt,

> I recently heard about an update to OpenSSL (1.0.1q and 1.0.2e,
> for those versions, respectively).  Looking at the RPM changelog
> on my machine, however, doesn’t appear to show that there’s been
> an update to 5107R.  Any news?

RedHat (and CentOS and SL for that matter) lock the version numbers for
libraries once the OS is released. So if something got released with
OpenSSL-1.0.1 (like EL6 did), then it usually stays with that. Often
until the EOL of that OS. Sometimes OpenSSL gets replaced with a newer
version during a minor release, though. But that then is never trivial
as almost anything is compiled against OpenSSL and might then break.

Therefore RedHat usually backports fixes to the version(s) they ship and
just bumps the release number to indicate this. The current OpenSSL on
EL6 is openssl-1.0.1e-42.

However, there is another side-effect: As RedHat backports fixes from
newer OpenSSL releases to their own (older) versions of OpenSSL that are
in their shipped OSs, sometimes the RedHat versions aren't affected by
the bugs in the first place.

So let us look at the vulnerability announcement to find out the CVE
numbers:

https://openssl.org/news/secadv/20151203.txt

BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
Certificate verify crash with missing PSS parameter (CVE-2015-3194)
X509_ATTRIBUTE memory leak (CVE-2015-3195)
Race condition handling PSK identify hint (CVE-2015-3196)
Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)

Now let us look the CVEs up at RHN:

https://access.redhat.com/security/cve/cve-2015-3193
https://access.redhat.com/security/cve/cve-2015-3194
https://access.redhat.com/security/cve/cve-2015-3195
https://access.redhat.com/security/cve/cve-2015-3196
https://access.redhat.com/security/cve/cve-2015-1794

Results:

CVE         EL5         EL6         EL7
---------------------------------------------
3193:       OK          OK          OK
3194:       OK          NOT OK      NOT OK
3195:       NOT OK      NOT OK      NOT OK
3196:       OK          NOT OK      OK
1794:       OK          OK          OK

So this is kind of hit and miss for the OpenSSL on EL5, EL6 and EL7. None
is affected by all of it, but all are affected by some of these issues
in one form or another.

I suspect updated RPMs will soon be available from upstream.

-- 
With best regards

Michael Stauber
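Because RedHat keeps the upstream version string and only bumps the release number, the version alone (1.0.1e) says nothing about which CVEs a given RPM fixes; the %changelog does. The script below is an added example, not part of the mailing-list post or of BlueOnyx, showing how to check an RPM changelog against the advisory's CVE list. On a real system it is fed `rpm -q --changelog openssl`; the changelog embedded here is constructed for offline use, and its release numbers, dates and packager address are hypothetical, not Red Hat's actual entries.

```shell
#!/bin/sh
# Added example (not from the original post). Real use on an EL box:
#   rpm -q --changelog openssl | cve_coverage CVE-2015-3194 CVE-2015-3195
# The changelog below is CONSTRUCTED; dates, releases and packager are made up.

SAMPLE_CHANGELOG='* Thu Dec 10 2015 Example Packager <packager@example.invalid> 1.0.1e-42.1
- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak
- fix CVE-2015-3196 - race condition when handling PSK identity hint

* Tue Jun 23 2015 Example Packager <packager@example.invalid> 1.0.1e-42
- fix CVE-2015-1791 - race condition handling NewSessionTicket
'

# cve_coverage: read a %changelog on stdin and print one line per requested
# CVE ("CVE-... FIXED" when the changelog names it, "CVE-... MISSING" when
# it does not). Returns 1 if any requested CVE is missing, else 0.
# Fixed-string matching: all CVE ids have the same shape, so no substring
# of one id can accidentally match another.
cve_coverage() {
    changelog=$(cat)
    missing=0
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -qF -- "$cve"; then
            printf '%s FIXED\n' "$cve"
        else
            printf '%s MISSING\n' "$cve"
            missing=1
        fi
    done
    return "$missing"
}

# newest_changelog_version: print the version-release tag from the first
# (newest) "* <date> <packager> <version-release>" header on stdin, so the
# result can be compared with what `rpm -q openssl` reports.
newest_changelog_version() {
    sed -n 's/^\* .* \([^ ]*\)$/\1/p' | head -n 1
}

# Demo run against the constructed changelog, using the five CVEs from
# the 20151203 advisory. A non-zero return just means "not all listed".
printf 'changelog release: %s\n' \
    "$(printf '%s' "$SAMPLE_CHANGELOG" | newest_changelog_version)"
printf '%s' "$SAMPLE_CHANGELOG" | cve_coverage \
    CVE-2015-3193 CVE-2015-3194 CVE-2015-3195 CVE-2015-3196 CVE-2015-1794 \
    || echo "some advisory CVEs are not named in this changelog"
```

A MISSING result is not proof of exposure: as the table above shows, a RedHat build may simply not be affected, and the RHN CVE pages remain the authority for that. What the changelog check does give you is a quick, offline way to tell whether the RPM you are running already carries a particular backport, which the bare version number cannot.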


