Karanbir Singh
2014-Apr-08 02:11 UTC
[CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround
Earlier in the day today, we were made aware of a serious issue in openssl as shipped in CentOS-6.5 (including updates issued since CentOS-6.5 was released). This issue is addressed in detail at http://heartbleed.com/

Upstream have not released a patched version of openssl, although we are reliably informed that there is quite a bit of effort ongoing to release a patched package soon.

As an interim workaround, we are releasing packages that disable the exploitable code using the published workaround (TLS heartbeat). Note that these packages do not resolve the issue, they merely disable the feature that is being exploited.

i386:
58ac5c57e0bcc3a34434973244ddb5eaf1323ef4ff1341f8ad78ec722a794238 openssl-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm
b4413e3509647ca7ad2d9d3eb7d53b367b7ea0d43a0d3553c9e517fdfc0a81a7 openssl-devel-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm
12e4456c9c9783fb08794d6a96b5aba4ee28d146b836d626cd1c6b073710d62a openssl-perl-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm
8fbf30e0e237a772417013e81144715d7422fcb585e58adba9635164e3598f4e openssl-static-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm

x86_64:
58ac5c57e0bcc3a34434973244ddb5eaf1323ef4ff1341f8ad78ec722a794238 openssl-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm
80d3f839551280bec1aafaacbaddde6b4112c5d64ed4f5ecd2cb3974785319c0 openssl-1.0.1e-16.el6_5.4.0.1.centos.x86_64.rpm
b4413e3509647ca7ad2d9d3eb7d53b367b7ea0d43a0d3553c9e517fdfc0a81a7 openssl-devel-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm
fc146768d01e92c1dca6b8fffc2b272e62ee7e30c8004e64aa6c5a62707d8d30 openssl-devel-1.0.1e-16.el6_5.4.0.1.centos.x86_64.rpm
8a91c231fe0b021613f784bac7d31e9468a2b286f75afb0276e8b4fe33020092 openssl-perl-1.0.1e-16.el6_5.4.0.1.centos.x86_64.rpm
fa2d68756a47d41ee227dcdc3de878c8f4edfb1d7b17b4b96027c991406aa4ee openssl-static-1.0.1e-16.el6_5.4.0.1.centos.x86_64.rpm

----
Notes:
1) All versions of CentOS prior to 6.5 are unaffected.
2) The release tag in these packages is marked in a manner that the next upstream version will override and replace these packages.

ref:
- http://heartbleed.com/
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0160
- https://access.redhat.com/security/cve/CVE-2014-0160

--
Karanbir Singh, Project Lead, The CentOS Project
+44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS
GnuPG Key : http://www.karan.org/publickey.asc
Always Learning
2014-Apr-08 02:30 UTC
[CentOS] [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround
Thank you. What will the temporary packages be called?

--
Paul.
England, EU. Our systems are exclusively Centos. No Micro$oft Windoze here.
Keith Keller
2014-Apr-08 06:56 UTC
[CentOS] CVE-2014-0160 CentOS 6 openssl heartbleed workaround
On 2014-04-08, Karanbir Singh <kbsingh at centos.org> wrote:
>
> Earlier in the day today, we were made aware of a serious
> issue in openssl as shipped in CentOS-6.5 ( including updates issued
> since CentOS-6.5 was released ); This issue is addressed in detail at
> http://heartbleed.com/

So it looks like new packages were issued by upstream pretty quickly. So one question is, is there an easy way to know which services need to be kicked? I was surprised (not unpleasantly) to note that sshd is not linked against libssl, but if you do a naive check against httpd, you won't find it linked either--because it's mod_ssl that's linked against it.

--keith

--
kkeller at wombat.san-francisco.ca.us
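One way to answer the "which services need to be kicked" question above, as an added example that is not from the thread: a POSIX sh script that reads /proc/<pid>/maps of running processes instead of inspecting binaries, so httpd is caught through the libssl that mod_ssl pulled in, and a mapping marked "(deleted)" flags a process still holding the pre-update library. The optional proc-root argument is an assumption added so the script can be pointed at a constructed tree.

```shell
#!/bin/sh
# find_libssl_users: print "pid comm state path" for every process that has a
# libssl shared object mapped. state is "stale" when the mapped file has been
# replaced on disk (the rpm update unlinked it, so the kernel appends
# "(deleted)"), i.e. the service still runs the old code and needs a restart.
# $1 overrides the proc root (assumed parameter, used for testing); default /proc.
# Note: reading another user's maps normally requires root.
find_libssl_users() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid="${maps#"$proc_root"/}"
        pid="${pid%/maps}"
        # A maps line looks like:
        # 7f..-7f.. r-xp 00000000 fd:01 1234 /usr/lib64/libssl.so.1.0.1e (deleted)
        # One hit per process is enough; field 6 is the path.
        line=$(grep '/libssl\.so' "$maps" 2>/dev/null | head -n 1)
        [ -n "$line" ] || continue
        comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
        case "$line" in
            *'(deleted)') state=stale ;;
            *)            state=current ;;
        esac
        path=$(printf '%s\n' "$line" | awk '{print $6}')
        printf '%s %s %s %s\n' "$pid" "$comm" "$state" "$path"
    done
}

# count_stale: number of processes still mapping a replaced libssl; a non-zero
# count after "yum update openssl" means restarts are outstanding.
count_stale() {
    find_libssl_users "$1" | awk '$3 == "stale"' | wc -l | tr -d ' '
}

# Run as a script with --report to inspect the live system.
if [ "${1:-}" = "--report" ]; then
    find_libssl_users
fi
```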