Vulnerable Openssl version remains & got activated after update
Sunhux G
sunhux at gmail.com
Fri Jun 13 12:49:11 UTC 2014
Hello
I'm sure my rpms are not corrupted (MD5 checksummed)
as I got them from RHN:
1,525,631bytes openssl-0.9.8e-27.el5_10.3.x86_64.rpm
1,952,684bytes openssl-devel-0.9.8e-27.el5_10.3.x86_64.rpm
Faced an issue after updating the above OpenSSL & its devel rpm:
the updated version of OpenSSL "adds on" instead of replacing the current
old version & RHN's perl script still reports it as vulnerable. Any concern
if I forcefully delete (i.e. "rpm -e --nodeps") the vulnerable OpenSSL rpm
openssl-0.9.8e-22.el5?
What to do next to address this vulnerable OpenSSL?
# ls *cg*
opswgw-cgws1-RCLOUDMMM
# ./opswgw-cgws1-RCLOUDMMM stop # <==this service uses OpenSSL
Stopping opswgw: .
# rpm -qa |grep ssl # verify the current old version
openssl-0.9.8e-22.el5
openssl-devel-0.9.8e-22.el5
openssl-devel-0.9.8e-22.el5
OPSWopenssl-0.9.8g-1
docbook-style-dsssl-1.79-4.1
# rpm -Uvh ./openssl-0.9.8e-27.el5_10.3.x86_64.rpm ./openssl-devel-0.9.8e-27.el5_10.3.x86_64.rpm
Preparing... ########################################### [100%]
file /etc/pki/tls/certs/ca-bundle.crt from install of openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package openssl-0.9.8e-22.el5.i686
file /usr/share/man/man1/ca.1ssl.gz from install of openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package openssl-0.9.8e-22.el5.i686
file /usr/share/man/man1/req.1ssl.gz from install of openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package openssl-0.9.8e-22.el5.i686
file /usr/share/man/man1/x509.1ssl.gz from install of openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package openssl-0.9.8e-22.el5.i686
#
# rpm -Uvh ./openssl-0.9.8e-27.el5_10.3.x86_64.rpm ./openssl-devel-0.9.8e-27.el5_10.3.x86_64.rpm --replacefiles
Preparing... ########################################### [100%]
1:openssl ########################################### [ 50%]
2:openssl-devel ########################################### [100%]
# rpm -qa |grep -i ssl
openssl-0.9.8e-27.el5_10.3 # <== new version created
openssl-0.9.8e-22.el5 # <== old version still there
OPSWopenssl-0.9.8g-1
openssl-devel-0.9.8e-27.el5_10.3 #<== this devel rpm got updated ok
docbook-style-dsssl-1.79-4.1
pyOpenSSL-0.6-2.el5
# rpm -e openssl-0.9.8e-22.el5
error: Failed dependencies:
libcrypto.so.6 is needed by (installed) nspluginwrapper-1.3.0-9.el5.i386
libcrypto.so.6 is needed by (installed) neon-0.25.5-10.el5_4.1.i386
libcrypto.so.6 is needed by (installed) pam_ccreds-3-5.i386
. . . & many other dependencies . . .
# ./opswgw-cgws1-RCLOUDMMM start
Starting opswgw: [ OK ]
# netstat -anop |grep ":443 " |grep -i listen
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 14914/[opswgw-gatew off (0.00/0/0)
# ps -ef |grep 14914
opswgw 14914 14913 0 10:27 ? 00:00:00 [opswgw-gateway-45.0.3991.0: cgws1-RCLOUDMMM] --PropertiesFile /etc/opt/opsware/opswgw-cgws1-RCLOUDMMM/opswgw.properties --BinPath /opt/opsware/opswgw/bin/opswgw --Child true
root 14992 7088 0 10:28 pts/1 00:00:00 grep 14914
#
# ./opswgw-cgws1-RCLOUDMMM start
# cd /root
# ./fake-client-early-ccs.pl localhost 443
Got server response, size: 2953
- Handshake - Server Hello
- Handshake - Certificate
- Handshake - Server Key Exhange
- Handshake - Server Hello Done
FAIL Remote host is affected
# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
[root@MPLSADB02 ~]# rpm -qa |grep -i fips
fipscheck-1.2.0-1.el5
SH
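
Added example, not part of the original post: the conflict messages above name the old package as openssl-0.9.8e-22.el5.i686 while the update installed is x86_64, and the plain `rpm -qa` listings in the post do not show the architecture. The function below reads an inventory in the form printed by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n'` and reports every package name installed at more than one version-release; the sample inventory is constructed from the versions in the post, and the architectures of OPSWopenssl and pyOpenSSL in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).
# Input on stdin: lines of "NAME VERSION-RELEASE ARCH", e.g. from
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n'
# Output: one line per package name that is installed at more than one
# version-release, listing each installed build with its architecture.
find_split_versions() {
    awk '
        NF == 3 {
            name = $1; vr = $2; arch = $3
            # remember every build of this name, in input order
            builds[name] = builds[name] " " vr "." arch
            # count distinct version-release strings per name
            if (!((name, vr) in seen)) { seen[name, vr] = 1; count[name]++ }
        }
        END {
            for (n in count)
                if (count[n] > 1) print n ":" builds[n]
        }
    ' | sort
}

# Constructed sample mirroring the package state shown in the post.
# Architectures for OPSWopenssl and pyOpenSSL are assumed.
sample_inventory() {
    cat <<'EOF'
openssl 0.9.8e-27.el5_10.3 x86_64
openssl 0.9.8e-22.el5 i686
openssl-devel 0.9.8e-27.el5_10.3 x86_64
OPSWopenssl 0.9.8g-1 x86_64
pyOpenSSL 0.6-2.el5 x86_64
EOF
}

# Usage on a live host:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n' | find_split_versions
# Usage with the constructed sample:
#   sample_inventory | find_split_versions
```

A name that appears in the output has builds at different patch levels side by side; the same version-release installed for two architectures is not reported.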