On Thu, 31 Oct 2013 11:26:52 -0500 Les Mikesell <lesmikesell@xxxxxxxxx> wrote:

> On Thu, Oct 31, 2013 at 10:50 AM, Kaplan, Andrew H.
> <AHKAPLAN@xxxxxxxxxxxx> wrote:
> > Hello --
> >
> > We are running the CentOS 6.3 64-bit distribution on one of our
> > servers, and I am involved in upgrading the Apache and OpenSSL
> > packages. I completed an upgrade of both; the version of each
> > that is installed on the server is the following:
> >
> > httpd 2.2.15-29.el6.centos
> > httpd-manual 2.2.15-29.el6.centos
> > httpd-tools 2.2.15-29.el6.centos
> > openssl 1.0.0-27.el6_4.2
> > openssl-devel 1.0.0-27.el6_4.2
> >
> > Are these the latest versions of Apache and OpenSSL that are
> > available to CentOS in package format? If not, what repository can
> > I go to for the latest versions?
>
> First, why aren't you doing a full 'yum update' to bring the whole
> system up to 6.4?
>
> Also, are you updating these packages to get new features or
> bug/security fixes? CentOS tracks the updates in RHEL exactly, and
> RHEL backports many security and bug fixes without changing the base
> package version numbers. You can see these with:
>
> rpm -q --changelog package_name
>
> where the CVE numbers will be mentioned, if you are checking for some
> particular security issue.
>
> If you need new features, you may have to go to newer versions found
> elsewhere, but be very careful about replacing any base packages in
> your system - it is almost always the wrong thing to do. You need to
> know more about Linux than the Red Hat engineers...

One other thing regarding the OpenSSL packages in 6.4: they do not currently support TLS 1.2 and are stuck on TLS 1.0, so they may be less secure. [1] However, Red Hat is aware of this, and 6.5 will update OpenSSL to a more recent version which will support TLS 1.2 and solve most currently known security problems. [2] So I'd suggest sticking with the 6.4 packages for now, and once 6.5 is out, upgrading to those.

(For a while the last secure cipher in the current OpenSSL in CentOS/RHEL was RC4; however, even that is now considered not so secure and should be phased out. [1])

Also, it may be worth doing a full upgrade to 6.4 and then to 6.5 to ensure no other hidden security issues are lurking due to an out-of-date package.

[1] https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
[2] https://www.redhat.com/about/news/archive/2013/10/latest-beta-release-of-red-hat-enterprise-linux-6-now-available

-- 
Jake Shipton (JakeMS)
GPG Key: 0xE3C31D8F
GPG Fingerprint: 7515 CC63 19BD 06F9 400A DE8A 1D0B A5CF E3C3 1D8F

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
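The changelog check Les recommends above (because RHEL/CentOS backport fixes without bumping the upstream version, comparing version numbers against upstream says nothing about whether a given CVE is fixed) as an added example that is not part of the original thread or of any CentOS tooling. It scans `rpm -q --changelog` output for CVE identifiers and answers "is this CVE mentioned?" with an exit status, so it can be used from scripts. The sample changelog and its CVE numbers (CVE-2013-9999, CVE-2013-9998, CVE-2013-9997) are constructed placeholders, not real advisories, and the `package_has_cve` wrapper only works on a host that has `rpm`.

```shell
#!/bin/sh
# Added example (not from the original thread): decide whether a backported
# security fix is present by looking for its CVE id in the RPM changelog,
# instead of comparing the package version against upstream releases.

# Print every CVE id found in the changelog text on stdin, one per line,
# sorted and deduplicated. Matches ids of 4 or more digits (CVE-2013-1234).
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the changelog text on stdin mentions exactly the given CVE id,
# 1 otherwise. -x forces a whole-line match so CVE-2013-9999 does not
# match a query for CVE-2013-999.
changelog_mentions() {
    extract_cves | grep -qx "$1"
}

# Real-system wrapper: package_has_cve openssl CVE-XXXX-YYYY
# Exit 0 = fix listed, 1 = not listed, 2 = rpm not available here.
package_has_cve() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q --changelog "$1" | changelog_mentions "$2"
}

# Constructed sample changelog in rpm --changelog layout. The maintainer,
# version and CVE numbers are placeholders, not real entries.
SAMPLE_CHANGELOG='* Tue Oct 01 2013 Example Maintainer <maint@example.com> - 1.0.0-27.2
- fix for CVE-2013-9999 (constructed placeholder)
- also addresses CVE-2013-9998
* Mon Sep 02 2013 Example Maintainer <maint@example.com> - 1.0.0-27.1
- rebuild, no security fixes'

# Helpers that run the checks against the sample instead of a live rpm db.
sample_cves() { printf '%s\n' "$SAMPLE_CHANGELOG" | extract_cves; }
sample_has()  { printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions "$1"; }

# Usage: sh check_cve.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "CVE ids in sample changelog:"
    sample_cves
    sample_has CVE-2013-9999 && echo "CVE-2013-9999: fix listed"
    sample_has CVE-2013-9997 || echo "CVE-2013-9997: not listed"
fi
```

On a CentOS host the same check against a real package is `rpm -q --changelog openssl | changelog_mentions CVE-XXXX-YYYY` (or `package_has_cve openssl CVE-XXXX-YYYY`); a hit means the errata that fixed that CVE has been applied, even though `openssl -q` still reports a 1.0.0 version. A miss only means the changelog does not name the CVE, so pair it with the Red Hat errata page for that advisory before concluding a system is unpatched.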