Hi Team,

I have a CentOS 7 server running OpenSSL version openssl-1.0.1e-51.el7_2.4.x86_64. I have received a set of vulnerabilities from the security team; can anyone tell me, as per the CVEs below, whether I need to update my OpenSSL version to 1.0.1t, or whether the current version we have is safe?

CVE-2016-0701, CVE-2015-3197
CVE-2015-4000
CVE-2015-0204
CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288
CVE-2015-0292, CVE-2014-8176

Thanks
Aswathi

________________________________
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________
www.accenture.com
On 12 May 2016 at 09:28, <aswathi.ok at accenture.com> wrote:

> Hi Team,
>
> I have a CentOS 7 server running OpenSSL version
> openssl-1.0.1e-51.el7_2.4.x86_64. I have received a set of vulnerabilities
> from the security team; can anyone tell me, as per the CVEs below, whether I need to update
> my OpenSSL version to 1.0.1t, or whether the current version we have is safe?
>
> CVE-2016-0701, CVE-2015-3197
>
> CVE-2015-4000
>
> CVE-2015-0204
>
> CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209,
> CVE-2015-0288
>
> CVE-2015-0292, CVE-2014-8176

Send them this link about RHEL backports - 1.0.1t won't be in EL7.

https://access.redhat.com/security/updates/backporting

You can check the CVE database here to see what RH has to say about an issue and if it affects them:

https://access.redhat.com/security/security-updates/#/

Also don't underestimate the power of

rpm -q --changelog <packagename> | grep <CVE-issue>

;)
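As an added example (not code from this thread, nor from CentOS or Red Hat), here is the changelog check from the reply above turned into a small POSIX sh script. It assumes a RHEL/CentOS host where `rpm -q --changelog openssl` works for the live check; the `SAMPLE_CHANGELOG`, its maintainer name and its entries are constructed so the functions can be exercised on any machine, and the helper names (`cve_in_changelog`, `report_cves`, `count_missing`) are mine. Because Red Hat may rate a CVE "not affected" or fix it under another id, an id that is absent from the changelog is reported with the vendor CVE URL to consult rather than as a confirmed exposure.

```shell
#!/bin/sh
# Added example: does the installed package's RPM changelog reference each CVE?
# On RHEL/CentOS the real changelog comes from `rpm -q --changelog openssl`.
# SAMPLE_CHANGELOG is a constructed stand-in (maintainer and entries made up)
# so the script also runs where rpm is not available.

SAMPLE_CHANGELOG='* Mon Mar 07 2016 Example Packager <packager@example.com> 1.0.1e-51.4
- fix CVE-2015-3197 (constructed entry)
- fix CVE-2015-0209 (constructed entry)

* Tue Jun 09 2015 Example Packager <packager@example.com> 1.0.1e-42.1
- fix CVE-2015-4000 (constructed entry)
- fix CVE-2014-8176 (constructed entry)'

# The CVE list from the original question.
CVES="CVE-2016-0701 CVE-2015-3197 CVE-2015-4000 CVE-2015-0204 CVE-2015-0286
CVE-2015-0287 CVE-2015-0289 CVE-2015-0293 CVE-2015-0209 CVE-2015-0288
CVE-2015-0292 CVE-2014-8176"

# cve_in_changelog CVE-ID CHANGELOG_TEXT
# Exit status 0 when the id appears in the text (fixed string, case-insensitive).
cve_in_changelog() {
    printf '%s\n' "$2" | grep -qiF -- "$1"
}

# report_cves CHANGELOG_TEXT CVE...
# Prints one verdict per CVE. A missing id is NOT proof of exposure: the vendor
# may rate the CVE "not affected" or fix it under a different id, so each gap
# points at the vendor CVE page. Returns the number of ids not referenced.
report_cves() {
    changelog=$1
    shift
    missing=0
    for cve in "$@"; do
        if cve_in_changelog "$cve" "$changelog"; then
            printf '%-14s referenced in changelog (backported fix present)\n' "$cve"
        else
            printf '%-14s not referenced; check https://access.redhat.com/security/cve/%s\n' "$cve" "$cve"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# count_missing CHANGELOG_TEXT CVE...  -> prints how many ids were not referenced
count_missing() {
    report_cves "$@" | grep -c 'not referenced' || true
}

echo "== constructed sample changelog =="
report_cves "$SAMPLE_CHANGELOG" $CVES || true

# Live check on a RHEL/CentOS host: the real changelog of the installed openssl.
if command -v rpm >/dev/null 2>&1 && rpm -q openssl >/dev/null 2>&1; then
    echo "== installed package: $(rpm -q openssl) =="
    report_cves "$(rpm -q --changelog openssl)" $CVES || true
fi
```

Against the constructed sample, four of the twelve ids are referenced and eight are not; on a real host, substitute any package name for `openssl` and treat the "not referenced" lines as the list to look up on the vendor's CVE pages, not as a vulnerability report.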
On 05/12/2016 03:28 AM, aswathi.ok at accenture.com wrote:

> Hi Team,
>
> I have a CentOS 7 server running OpenSSL version openssl-1.0.1e-51.el7_2.4.x86_64. I have received a set of vulnerabilities from the security team; can anyone tell me, as per the CVEs below, whether I need to update my OpenSSL version to 1.0.1t, or whether the current version we have is safe?
>
> CVE-2016-0701, CVE-2015-3197
>
> CVE-2015-4000
>
> CVE-2015-0204
>
> CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288
>
> CVE-2015-0292, CVE-2014-8176

https://access.redhat.com/security/cve/CVE-2016-0701

Substitute the other CVE numbers for the rest, also:

https://access.redhat.com/security/cve/CVE-2015-3197

(and so on)

So, Red Hat says CVE-2016-0701 does not impact any releases (no updates), and if you look at CVE-2015-3197, it lists all the applicable updates. If you check all the CVEs in question, you can find out all your answers.

CentOS has a CentOS-announce mailing list where you can see our released updates:

https://lists.centos.org/pipermail/centos-announce/

For example, CVE-2015-3197 lists 'RHSA-2016:0301' on '2016-03-01', so to see if CentOS released an update .. click on the March 2016 link and then you will see this:

https://lists.centos.org/pipermail/centos-announce/2016-March/thread.html

And on that page, you can find 2016:0301 for CentOS-6 .. it leads to this link:

https://lists.centos.org/pipermail/centos-announce/2016-March/021712.html

So, if you have openssl-1.0.1e-42.el6_7.4 or later, it has the changes rolled in for that CVE, etc.