Re: Security implications of openssl098e on CentOS 7




On Wed, 21 Oct 2015 20:58, Nick Bright <nick.bright@...> wrote:

On 10/21/2015 1:55 PM, Andrew Holway wrote:
Personally I would go round to that particular vendor's office with a pipe
wrench and encourage them to do better; however, unless this software is
transmitting credit card information then it seems that you could be
safe(ish) from the regulation standpoint. It really depends on the location
of the machine. Is it deep in the bowels of your high security nuclear
bunker on an air gap network, or is it merrily accepting incoming traffic
from China? Is the software using an appropriate SELinux policy, or is it
running unconfined or with SELinux turned off?

It seems PCI-DSS describes a set of simple rules to get IT managers
thinking, but they are somewhat open to interpretation. Are you abiding by
the spirit of the regulations?
The particular software requiring 0.9.8 is performing backups of the system to a remote data center.

My concern is that, with the compatibility package installed, could this present vulnerabilities or compliance problems in Apache?

TL;DR: Preload openssl from non-standard location for closed-source app only.

Hmm, how about taking the content of the openssl098e package, put
it into a directory relative to the closed source software (e.g. /opt),
and create a wrapper script, similar to the following example:

[code]
#!/usr/bin/bash
# Wrapper so that only this app uses openssl 0.9.8 (unsafe, legacy)
# app is in /opt/app/
# app starter is /opt/app/bin/starter
# openssl098e libs were copied to /opt/openssl098/

# Prepend the legacy lib dir so this app's loader finds 0.9.8 first.
# Other processes (e.g. Apache) are unaffected: the variable only exists
# in the environment of this script and the app it execs.
export LD_LIBRARY_PATH=/opt/openssl098${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
# ${1+"$@"} expands to the script's arguments only if at least $1 is present
exec /opt/app/bin/starter ${1+"$@"}
[/code]

YMMV

- Yamaban.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos


