A new set of bugs has been identified and patched in OpenSSL. The following bugs are fixed in the latest OpenSSL release:
- CVE-2010-5298 – possible use of memory after free
- CVE-2014-0195 – buffer overflow via invalid DTLS fragment
- CVE-2014-0198 – possible NULL pointer dereference
- CVE-2014-0221 – DoS from invalid DTLS handshake packet
- CVE-2014-0224 – SSL/TLS MITM vulnerability
- CVE-2014-3470 – client-side DoS when using anonymous ECDH
See the original OpenSSL announcement here.
1. Identifying a vulnerable version
- CentOS 5: OpenSSL 0.9.8 versions before openssl-0.9.8e-27 are vulnerable
- CentOS 6: OpenSSL 1.0.1 versions before openssl-1.0.1e-16 are vulnerable
To identify your installed version of OpenSSL, enter the following command:
rpm -qa openssl
2. How to update OpenSSL
To update OpenSSL, issue the following yum command:
yum clean all && yum update "openssl-*" -y
3. Post-update actions
After updating OpenSSL, make sure that every service that uses OpenSSL or has OpenSSL library files open is restarted: a running process keeps using the old library it mapped at startup (now deleted from disk) until it is restarted, so it stays vulnerable even though the package is updated. To find processes that still have old OpenSSL files open, run the following command:
lsof | grep DEL | grep ssl
Examples of processes that may still have the old OpenSSL files open:
- mysql
- postfix
- webmin
- openvpn
- osad
- nrpe
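As an added example (not from the original advisory), the following POSIX shell script shows how the check in step 3 can be automated over lsof output. It goes slightly beyond the page's one-liner: it matches both libssl and libcrypto (the `grep ssl` filter alone misses libcrypto, whose path on CentOS contains no "ssl"), keeps only entries whose FD column is DEL, and prints one "COMMAND PID" pair per process. The lsof lines below are constructed sample data, not output from a real host.

```shell
#!/bin/sh
# Constructed sample of `lsof` output (not from a real host). An FD column of
# DEL marks a memory-mapped file that has been deleted on disk, i.e. the
# pre-update library still in use by that process.
SAMPLE_LSOF='COMMAND   PID   USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
mysqld   1234  mysql DEL   REG  253,0           131073 /usr/lib64/libssl.so.1.0.1e
mysqld   1234  mysql DEL   REG  253,0           131074 /usr/lib64/libcrypto.so.1.0.1e
master   2345   root DEL   REG  253,0           131074 /usr/lib64/libcrypto.so.1.0.1e
httpd    3456 apache DEL   REG  253,0            98765 /usr/lib64/libz.so.1.2.3
sshd     4567   root mem   REG  253,0           131090 /usr/lib64/libssl.so.1.0.1e
'

# Read lsof output on stdin and print "COMMAND PID" for every process that
# still maps a deleted libssl or libcrypto, one line per process.
#   - column 4 must be DEL (deleted mapping); a live mapping of the new
#     library (FD "mem") is not reported
#   - the NAME column must name an OpenSSL library, so unrelated deleted
#     files such as libz are ignored
stale_ssl_processes() {
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ { print $1, $2 }' | sort -u
}

# Count of distinct processes that need a restart (0 means nothing left).
stale_ssl_count() {
    stale_ssl_processes | wc -l | tr -d ' '
}

# On a real host after `yum update`, run:  lsof | stale_ssl_processes
# Here the constructed sample is used so the script runs offline.
printf '%s' "$SAMPLE_LSOF" | stale_ssl_processes
```

Any process listed must be restarted (or the host rebooted) before the update can be considered effective.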