Another set of OpenSSL Bugs discovered. Upgrade OpenSSL on your CentOS Linux servers!

A new set of bugs has been identified and patched in OpenSSL. The following bugs are fixed in the latest OpenSSL release:

  • CVE-2010-5298 – possible use of memory after free
  • CVE-2014-0195 – buffer overflow via invalid DTLS fragment
  • CVE-2014-0198 – possible NULL pointer dereference
  • CVE-2014-0221 – DoS from invalid DTLS handshake packet
  • CVE-2014-0224 – SSL/TLS MITM vulnerability
  • CVE-2014-3470 – client-side DoS when using anonymous ECDH

See the original OpenSSL announcement here.

1. Identifying vulnerable version

  • CentOS 5: OpenSSL 0.9.8 versions before openssl-0.9.8e-27 are vulnerable
  • CentOS 6: OpenSSL 1.0.1 versions before openssl-1.0.1e-16 are vulnerable

To identify your installed version of OpenSSL, enter the following command:

rpm -qa openssl


2. How to update OpenSSL

To update OpenSSL, issue the following yum command:

yum clean all && yum update "openssl-*" -y


3. Post-update actions

After updating OpenSSL, ensure that every service that links against OpenSSL, or otherwise keeps its library files open, is restarted: a running process keeps using the old library that it mapped before the update, even though the file has been replaced on disk. To find processes that still have the old OpenSSL files open, run the following command:

lsof | grep DEL | grep ssl

Examples of processes that may still have the old OpenSSL files open:

  • mysql
  • postfix
  • webmin
  • openvpn
  • osad
  • nrpe
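The three steps above can be combined into one script. The following POSIX sh example is added here and is not part of the original post; the fixed builds (0.9.8e-27 for CentOS 5, 1.0.1e-16 for CentOS 6) are the ones quoted above, the package name format `openssl-<version>-<release>.<dist>` is assumed from `rpm -qa openssl` output, and the `lsof` output is a constructed sample. It goes slightly beyond the post's `grep ssl` by also matching the deleted `libcrypto` library, which is part of the same OpenSSL package.

```sh
#!/bin/sh
# Added example: decide whether an installed CentOS openssl package predates
# the fixed build, and list processes still mapping a deleted OpenSSL library.

# Print "patched", "vulnerable" or "unknown" for one installed package name.
#   $1  installed NVR, e.g. openssl-1.0.1e-16.el6_5.14 (format assumed from rpm -qa)
#   $2  fixed upstream version for that branch, e.g. 1.0.1e
#   $3  fixed release number, e.g. 16
openssl_status() {
    installed="$1"; fixed_version="$2"; fixed_release="$3"
    vr="${installed#openssl-}"          # 1.0.1e-16.el6_5.14
    version="${vr%%-*}"                 # 1.0.1e
    release="${vr#*-}"                  # 16.el6_5.14
    release_num="${release%%.*}"        # 16 (leading integer of the release)
    if [ "$version" != "$fixed_version" ]; then
        # a different upstream branch (e.g. a CentOS 5 package checked against
        # the CentOS 6 fix); compare by hand rather than guess
        echo "unknown"
    elif [ "$release_num" -ge "$fixed_release" ]; then
        echo "patched"
    else
        echo "vulnerable"
    fi
    return 0
}

# Read lsof output on stdin; print "command pid" for every process whose
# FD column is DEL (deleted file still mapped) and whose path is an OpenSSL
# library. $4 is FD and $NF is NAME, so the blank SIZE/OFF on DEL lines is harmless.
stale_ssl_processes() {
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)/ { print $1, $2 }' | sort -u
}

# Constructed sample of `lsof` output (not captured from a real host).
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
mysqld    1234 mysql  DEL    REG  253,0           131073 /usr/lib64/libssl.so.1.0.1e
mysqld    1234 mysql  DEL    REG  253,0           131074 /usr/lib64/libcrypto.so.1.0.1e
httpd     2345 apache mem    REG  253,0   468384 131075 /usr/lib64/libssl.so.1.0.1e
master    3456 root   DEL    REG  253,0           131073 /usr/lib64/libssl.so.1.0.1e
sshd      4567 root   DEL    REG  253,0           131099 /lib64/libc-2.12.so'

# Demonstration on constructed data. On a real CentOS 6 host the same
# functions are driven by:  rpm -qa openssl | while read p; do openssl_status "$p" 1.0.1e 16; done
# and:                      lsof | stale_ssl_processes
echo "openssl-1.0.1e-15.el6_5.7:  $(openssl_status openssl-1.0.1e-15.el6_5.7 1.0.1e 16)"
echo "openssl-1.0.1e-16.el6_5.14: $(openssl_status openssl-1.0.1e-16.el6_5.14 1.0.1e 16)"
echo "processes to restart:"
printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_processes
```

In the sample, `httpd` maps the library with FD `mem` rather than `DEL`, meaning it already holds the replaced file and needs no restart, while `mysqld` and the postfix `master` still run the deleted copy; `sshd` holds a deleted file that is not OpenSSL, so the filter ignores it.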

About Author: Curtis K

Hi! My name is Curtis, and I am the author of CentOS Blog. Please feel free to comment with any suggestions, feedback or questions!