On 06/09/2014 07:11 AM, John R Pierce wrote: > On 6/9/2014 4:15 AM, srikanth chakravarthula wrote: >> Can we upgrade the OpenSSL version on earlier CentOS Versions 6.2/6.3/6.4 >> with the latest Openssl version which has all the latest openssl >> vulnerability fixes from Cent OS repo. > 6.2, 6.3, 6.4 are not centos 'versions', the version is CentOS 6.. 6.2 > etc are just snapshots of the state of it at that point in time with no > further patches. > > yes, you probably can just install openssl updates, yum update > openssl... but such a mix of older packages with newer isn;t 100% > tested (there's far too many possible combinations to test). This is exactly correct ... if you are running 6.2, 6.3, or 6.4 then you are missing very many security updates .. many of them critical. There is no mechanism to get CentOS security updates unless you stay on the main tree. Some other distros will tell you that they offer security updates with the older trees, except that is not how Red Hat tested those released updates, so there is no way to verify that those updates fix the problem with older packages from 6.2, 6.3, 6.4, etc. installed. If you look at the Red Hat advisory, you can see that it clearly says this: "Before applying this update, make sure all previously released errata relevant to your system have been applied." See the Solution section here: https://rhn.redhat.com/errata/RHSA-2014-0376.html So even in RHEL there is no way to install that openssl on and older branch and have a reasonable expectation that the all security issues (or even that security issue) is fixed. Anyone that says otherwise does not understand the potential issues of running older shared libraries with items. Red Hat does have both an AUS and an EUS channel to address these issues ... security updates for older versions of RHEL. For example here is the errata for that a newer openssl: https://rhn.redhat.com/errata/RHSA-2014-0627.html If you look, there is openssl-1.0.0-20.el6_2.7.src.rpm, openssl-1.0.0-25.el6_3.3.src.rpm, openssl-1.0.0-27.el6_4.4.src.rpm .. but Red Hat has never publicly released the EUS/AUS sources. Therefore CentOS has never built them. But even with those updates, you need to install all the other updates within that channel (RHEL-6.2 AUS, etc.) before you are sure to have the tested solution for the security issue. If you want security inside older trees, you have to build the updates against those trees and test them yourself ... and it STILL might not be secure. Personally, I would say if you want older versions with security, you need to be on one of the RHEL AUS/EUS channels. That said. you can point to the 6/updates tree and do a yum update openssl and it will pull in only the things it needs to update to make that install ... that does not mean you are secure however.
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos