Vulnerable Openssl version remains & got activated after update

Sunhux G sunhux at gmail.com
Fri Jun 13 13:23:43 UTC 2014


Thanks.

From "rpm -qa |grep ssl" output, there's no "*i*686" suffix:
openssl-0.9.8e-22.el5

I'll attempt anyway but should I use "rpm -ivh ..." or
"rpm -Uvh ..." this time?

SH


On Fri, Jun 13, 2014 at 9:03 PM, Grierson, David <David.Grierson at bskyb.com>
wrote:

> You only appear to have upgraded the x86_64 RPMs for the new version -
> maybe you've still got the i686 version of the RPM's installed as well?
>
> For example on my internal RHEL5 system:
>
> $ rpm -q --qf "%{NAME}-%{VERSION}.%{RELEASE}.%{ARCH}\n" openssl
> openssl-0.9.8e.22.el5_8.3.x86_64
> openssl-0.9.8e.22.el5_8.3.i686
>
> Dg.
> --
> David Grierson - SDLC Tools Specialist
> Sky Broadcasting - Customer Business Systems - SDLC Tools
> Email: David.Grierson at bskyb.com
> Watermark Building, Alba Campus, Livingston, EH54 7HH
>
>
> > -----Original Message-----
> > From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> > bounces at redhat.com] On Behalf Of Sunhux G
> > Sent: 13 June 2014 13:49
> > To: General Red Hat Linux discussion list
> > Subject: Vulnerable Openssl version remains & got activated after update
> >
> > Hello
> >
> > I'm sure my rpms are not corrupted (MD5 checksummed)
> > as I got them from RHN:
> > 1,525,631bytes openssl-0.9.8e-27.el5_10.3.x86_64.rpm
> > 1,952,684bytes openssl-devel-0.9.8e-27.el5_10.3.x86_64.rpm
> >
> > Faced an issue after updating above Openssl & its devel rpm:
> >  the updated version of Openssl "adds on" instead of  replacing the
> > current
> > old version & the RHN's perl script still report it as vulnerable. Any
> > concern
> > if I forcefully delete (ie "rpm -e --nodeps") the vulnerable Openssl rpm
> > openssl-0.9.8e-22.el5 ?
> >
> > What to do next to address this vulnerable Openssl?
> >
> >
> > # ls *cg*
> > opswgw-cgws1-RCLOUDMMM
> > # ./opswgw-cgws1-RCLOUDMMM stop  # <== this service uses OpenSSL
> > Stopping opswgw: .
> >
> > # rpm -qa |grep ssl   # verify the current old version
> > openssl-0.9.8e-22.el5
> > openssl-devel-0.9.8e-22.el5
> > openssl-devel-0.9.8e-22.el5
> > OPSWopenssl-0.9.8g-1
> > docbook-style-dsssl-1.79-4.1
> >
> > # rpm -Uvh ./openssl-0.9.8e-27.el5_10.3.x86_64.rpm
> > ./openssl-devel-0.9.8e-27.el5_10.3.x86_64.rpm
> > Preparing...                ###########################################
> > [100%]
> >         file /etc/pki/tls/certs/ca-bundle.crt from install of
> > openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package
> > openssl-0.9.8e-22.el5.i686
> >         file /usr/share/man/man1/ca.1ssl.gz from install of
> > openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package
> > openssl-0.9.8e-22.el5.i686
> >         file /usr/share/man/man1/req.1ssl.gz from install of
> > openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package
> > openssl-0.9.8e-22.el5.i686
> >         file /usr/share/man/man1/x509.1ssl.gz from install of
> > openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package
> > openssl-0.9.8e-22.el5.i686
> > #
> > # rpm -Uvh ./openssl-0.9.8e-27.el5_10.3.x86_64.rpm
> > ./openssl-devel-0.9.8e-27.el5_10.3.x86_64.rpm --replacefiles
> > Preparing...                ###########################################
> > [100%]
> >    1:openssl                ########################################### [
> > 50%]
> >    2:openssl-devel          ###########################################
> > [100%]
> >
> >
> > # rpm -qa |grep -i ssl
> > openssl-0.9.8e-27.el5_10.3      # <== new version created
> > openssl-0.9.8e-22.el5             # <== old version still there
> > OPSWopenssl-0.9.8g-1
> > openssl-devel-0.9.8e-27.el5_10.3      #<== this devel rpm got updated ok
> > docbook-style-dsssl-1.79-4.1
> > pyOpenSSL-0.6-2.el5
> >
> > # rpm -e openssl-0.9.8e-22.el5
> > error: Failed dependencies:
> >         libcrypto.so.6 is needed by (installed)
> > nspluginwrapper-1.3.0-9.el5.i386
> >         libcrypto.so.6 is needed by (installed) neon-0.25.5-
> > 10.el5_4.1.i386
> >         libcrypto.so.6 is needed by (installed) pam_ccreds-3-5.i386
> >       . . . & many other dependencies . . .
> >
> > # ./opswgw-cgws1-RCLOUDMMM start
> > Starting opswgw:                                           [  OK  ]
> > tcp        0      0 0.0.0.0:443                 0.0.0.0:*
> > LISTEN      14914/[opswgw-gatew off (0.00/0/0)
> > # ps -ef |grep 14914
> > opswgw   14914 14913  0 10:27 ?        00:00:00
> > [opswgw-gateway-45.0.3991.0: cgws1-RCLOUDMMM] --PropertiesFile
> > /etc/opt/opsware/opswgw-cgws1-RCLOUDMMM/opswgw.properties --BinPath
> > /opt/opsware/opswgw/bin/opswgw --Child true
> >
> > ./opswgw-cgws1-RCLOUDMMM start
> > Starting opswgw:                                           [  OK  ]
> > # netstat -anop |grep ":443 " |grep -i listen
> > tcp        0      0 0.0.0.0:443                 0.0.0.0:*
> > LISTEN      14914/[opswgw-gatew off (0.00/0/0)
> >
> > # ps -ef |grep 14914
> > opswgw   14914 14913  0 10:27 ?        00:00:00
> > [opswgw-gateway-45.0.3991.0: cgws1-RCLOUDMMM] --PropertiesFile
> > /etc/opt/opsware/opswgw-cgws1-RCLOUDMMM/opswgw.properties --BinPath
> > /opt/opsware/opswgw/bin/opswgw --Child true
> > root     14992  7088  0 10:28 pts/1    00:00:00 grep 14914
> > #
> > # ./opswgw-cgws1-RCLOUDMMM start
> > # cd /root
> > # ./fake-client-early-ccs.pl localhost 443
> > Got server response, size: 2953
> > - Handshake - Server Hello
> > - Handshake - Certificate
> > - Handshake - Server Key Exhange
> > - Handshake - Server Hello Done
> > FAIL Remote host is affected
> >
> > # openssl version
> > OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> > [root at MPLSADB02 ~]# rpm -qa |grep -i fips
> > fipscheck-1.2.0-1.el5
> >
> >
> > SH
>
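The arch-qualified query in David's reply generalises into a check for any multilib package whose i686 and x86_64 copies have drifted apart, which is exactly the state that left the old openssl installed (and libcrypto.so.6 still served from it) after the x86_64-only update. This is an added example, not code from the thread; it assumes a POSIX shell with awk, and its sample input is constructed to mirror the versions shown above rather than taken from a real host.

```shell
#!/bin/sh
# Added example: find multilib packages whose per-arch copies are at
# different version-release values. Feed it the output of this query,
# which prints the arch that plain "rpm -qa" hides on RHEL5:
#   rpm -qa --qf "%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n" | multilib_skew

# Constructed sample (not real host data), modelled on the thread:
# x86_64 openssl was updated but the i686 copy is still at -22.el5.
SAMPLE_RPM_OUTPUT='openssl 0.9.8e-27.el5_10.3 x86_64
openssl 0.9.8e-22.el5 i686
openssl-devel 0.9.8e-27.el5_10.3 x86_64
glibc 2.5-118.el5_10.2 x86_64
glibc 2.5-118.el5_10.2 i686
fipscheck 1.2.0-1.el5 x86_64'

# multilib_skew: reads "name version-release arch" lines on stdin and
# prints one SKEW line per package name that is installed for more than
# one arch with more than one distinct version-release.
# Exit status is 1 when any skew was found, 0 otherwise.
multilib_skew() {
    awk '
    {
        name = $1; vr = $2; arch = $3
        # count distinct version-release strings per package name
        if (!((name, vr) in seen)) { seen[name, vr] = 1; nvr[name]++ }
        arches[name] = arches[name] " " arch ":" vr
        count[name]++
    }
    END {
        skew = 0
        for (n in count) {
            if (count[n] > 1 && nvr[n] > 1) {
                printf "SKEW %s:%s\n", n, arches[n]
                skew = 1
            }
        }
        exit skew
    }'
}

# Run against the constructed sample so the script does something stand-alone.
printf '%s\n' "$SAMPLE_RPM_OUTPUT" | multilib_skew \
    || echo "multilib version skew found: update both arches of each package"
```

On a real host the fix is to upgrade the i686 and x86_64 RPMs of the same version together so the old libcrypto.so.6 provider is actually replaced, rather than forcing the old package out with --nodeps.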
