Another set of OpenSSL Bugs discovered. Upgrade OpenSSL on your CentOS Linux servers!

A new set of bugs has been identified and patched in OpenSSL. The latest OpenSSL release fixes the following:

  • CVE-2010-5298 – possible use of memory after free
  • CVE-2014-0195 – buffer overflow via invalid DTLS fragment
  • CVE-2014-0198 – possible NULL pointer dereference
  • CVE-2014-0221 – DoS from invalid DTLS handshake packet
  • CVE-2014-0224 – SSL/TLS MITM vulnerability
  • CVE-2014-3470 – client-side DoS when using anonymous ECDH

See the original OpenSSL announcement here.

1. Identifying vulnerable version

  • CentOS 5: OpenSSL 0.9.8 builds earlier than openssl-0.9.8e-27.el5_10.3 are vulnerable
  • CentOS 6: OpenSSL 1.0.1 builds earlier than openssl-1.0.1e-16.el6_5.14 are vulnerable

(Those are the build numbers from the upstream Red Hat advisory RHSA-2014:0625.) Compare the full version-release string, including the el5_10.x or el6_5.x suffix: the base release "27" or "16" alone is shared with earlier, unpatched builds. On CentOS 6, also check the openssl098e compatibility package if it is installed, since it carries its own copy of the library.

To identify your installed version of OpenSSL, enter the following command:

rpm -qa openssl


2. How to update OpenSSL

To update OpenSSL, issue the following yum command:

yum clean all && yum update "openssl-*" -y


3. Post-update actions

After updating OpenSSL, restart every service that uses it. A running process keeps the old, now deleted, libssl/libcrypto mapped in memory until it is restarted, so it remains vulnerable even though rpm reports the new version. To find such processes, run the following command (it matches libcrypto as well as libssl, because a daemon can link libcrypto without libssl and a plain "grep ssl" would miss it):

lsof | grep DEL | grep -E 'libssl|libcrypto'

If the list is long, or you are not sure you have caught everything, rebooting the host is the simplest complete fix.

Examples of processes that may still have the old OpenSSL files open:

  • mysql
  • postfix
  • webmin
  • openvpn
  • osad
  • nrpe
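The three steps above as one shell helper, added here as an example; it is not part of the original post. It assumes CentOS 5/6 with rpm, lsof and GNU awk/grep; the function names (stale_ssl_procs, stale_from_maps, cve_in_changelog, check_host) and all sample data are my own. It goes slightly beyond the post's one-liner: it matches libcrypto as well as libssl, adds a /proc-based fallback for hosts without lsof, and checks the rpm changelog for a CVE id.

```sh
#!/bin/sh
# Added example, not part of the original post: helpers for the three steps
# above on CentOS 5/6. Assumptions: GNU awk/grep, lsof(8) with the usual
# COMMAND PID USER FD TYPE ... NAME columns, and /proc/<pid>/maps readable.
# Every sample line used to exercise these functions is constructed.

# Step 3, with lsof: read `lsof -n` output on stdin and print "PID COMMAND"
# for every process that still maps a deleted (FD column "DEL") libssl or
# libcrypto. Matching libcrypto matters: a daemon can link libcrypto alone,
# and `grep ssl` would miss it.
stale_ssl_procs() {
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)[.-]/ { print $2, $1 }' | sort -u
}

# Step 3, without lsof: scan /proc/<pid>/maps files given as arguments and
# print the PID of each process whose libssl/libcrypto mapping is marked
# "(deleted)", which is what the kernel shows once rpm has replaced the file.
stale_from_maps() {
    for maps in "$@"; do
        if grep -qE 'lib(ssl|crypto)[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            # path is .../<pid>/maps; the pid is the next-to-last component
            printf '%s\n' "$maps" | awk -F/ '{ print $(NF-1) }'
        fi
    done
}

# Does the rpm changelog text on stdin mention the given CVE id? Same check
# as `rpm -q --changelog openssl | grep CVE-2014-0224`. Exit 0 if found.
# Caveat: the changelog only lists CVEs that affected the shipped version,
# so a missing entry can mean "not affected" rather than "not fixed".
cve_in_changelog() {
    grep -q -- "$1"
}

# Steps 1 and 3 on a live host (needs root for a complete lsof/proc view;
# not exercised by the constructed sample data).
check_host() {
    echo "installed: $(rpm -q openssl)"
    echo "processes still mapping the old libssl/libcrypto (restart these):"
    lsof -n 2>/dev/null | stale_ssl_procs
    echo "same check via /proc:"
    stale_from_maps /proc/[0-9]*/maps
}
```

Run check_host as root after the yum update; every process it lists must be restarted (or reboot the host). Neither check can see a program that statically links OpenSSL, since no shared library mapping exists to go stale; such binaries need their own update.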

About Author: Curtis K

Hi! My name is Curtis, and I am the creator of CentOS Blog. Please feel free to comment any suggestions, feedback or questions on my posts!

  • korea


    My server information.
    Version : 0.9.8e
    Release : 27.el5_10.3

    Is there no problem?

    Can the above information be ignored?


  • trauma2u

    Hard to make *my managers* understand that 0.9.8e-27 works the same as 0.9.8za. Sigh…

  • Todd

    After updating to ‘openssl-0.9.8e-27.el5_10.4’, I ran ‘rpm -q --changelog openssl | grep CVE’ and not all of the aforementioned CVEs are listed as fixed (specifically only 2014-0221 and 2014-0224 show up).

    Is there a means by which I could get an authoritative confirmation of this update's resolution for items: CVE-2014-0195, CVE-2014-0198, CVE-2014-3470, CVE-2014-0076, CVE-2010-5298?

    Thank you

  • Todd

    Apologies, I believe I’ve answered my own question after searching a bit further with “CVE-xxxx-xxxx”. It seems that each of the CVEs that I listed was identified by Red Hat as not affecting the openssl version shipped with RHEL 5, which seems like a sensible reason for them not to be included in the changelog as fixes.