CentOS announce - Apr 2014 - CVE-2014-0160 CentOS 6 openssl heartbleed workaround

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Earlier in the day today, we were made aware of a serious
issue in openssl as shipped in CentOS-6.5 ( including updates issued
since CentOS-6.5 was released ); This issue is addressed in detail at
http://heartbleed.com/

Upstream have not released a patched version of openssl, although we
are reliably informed that there is quite a bit of effort ongoing
to release a patched package soon.

As an interim workaround, we are releasing packages that disable the
exploitable code  using the published workaround( tls heartbeat );
Note that these packages do not resolve the issue, they merely
disable the feature that is being exploited.

i386:
58ac5c57e0bcc3a34434973244ddb5eaf1323ef4ff1341f8ad78ec722a794238
openssl-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm
b4413e3509647ca7ad2d9d3eb7d53b367b7ea0d43a0d3553c9e517fdfc0a81a7
openssl-devel-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm
12e4456c9c9783fb08794d6a96b5aba4ee28d146b836d626cd1c6b073710d62a
openssl-perl-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm
8fbf30e0e237a772417013e81144715d7422fcb585e58adba9635164e3598f4e
openssl-static-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm

x86_64:
58ac5c57e0bcc3a34434973244ddb5eaf1323ef4ff1341f8ad78ec722a794238
openssl-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm
80d3f839551280bec1aafaacbaddde6b4112c5d64ed4f5ecd2cb3974785319c0
openssl-1.0.1e-16.el6_5.4.0.1.centos.x86_64.rpm
b4413e3509647ca7ad2d9d3eb7d53b367b7ea0d43a0d3553c9e517fdfc0a81a7
openssl-devel-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm
fc146768d01e92c1dca6b8fffc2b272e62ee7e30c8004e64aa6c5a62707d8d30
openssl-devel-1.0.1e-16.el6_5.4.0.1.centos.x86_64.rpm
8a91c231fe0b021613f784bac7d31e9468a2b286f75afb0276e8b4fe33020092
openssl-perl-1.0.1e-16.el6_5.4.0.1.centos.x86_64.rpm
fa2d68756a47d41ee227dcdc3de878c8f4edfb1d7b17b4b96027c991406aa4ee
openssl-static-1.0.1e-16.el6_5.4.0.1.centos.x86_64.rpm

- ----
Notes:
1) All versions of CentOS prior to 6.5 are unaffected.
2) the release tag in these packages is marked in a manner that the next
upstream version will override and replace these packages.

ref:
- - http://heartbleed.com/
- - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0160
- - https://access.redhat.com/security/cve/CVE-2014-0160

- -- 
Karanbir Singh, Project Lead, The CentOS Project
+44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS
GnuPG Key : http://www.karan.org/publickey.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlNDWrUACgkQMA29nj4Tz1tYqgCfVEG1WN0hoJLbOcnZ5Fd0u9U5
JIMAoKg4xsIRFY54pnacEMwfrmWbxwVx
=8y4U
-----END PGP SIGNATURE-----

Thank you.

What will the temporary packages be called ?


-- 
Paul.
England,
EU.

   Our systems are exclusively Centos. No Micro$oft Windoze here.

On 2014-04-08, Karanbir Singh <kbsingh at centos.org>
wrote:
>
> Earlier in the day today, we were made aware of a serious
> issue in openssl as shipped in CentOS-6.5 ( including updates issued
> since CentOS-6.5 was released ); This issue is addressed in detail at
> http://heartbleed.com/
So it looks like new packages were issued by upstream pretty quickly.
So one question is, is there an easy way to know which services need to
be kicked?  I was surprised (not unpleasantly) to note that sshd is not
linked against libssl, but if you do a naive check against httpd, you
won't find it linked either--because it's mod_ssl that's linked
against
it.

--keith

-- 
kkeller at wombat.san-francisco.ca.us