RE: Vulnerable Openssl version remains & got activated after update

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



You need to download the i686 RPM as well and upgrade that as well.

Try running your RPM query with a specific format:

rpm -q --qf "%{NAME}-%{VERSION}.%{RELEASE}.%{ARCH}\n" openssl

David.
________________________________
--
David Grierson<https://confluence.bskyb.com/display/~DGR02/> – SDLC Tools Specialist
Sky Broadcasting - Customer Business Systems - SDLC Tools
Email: David.Grierson@xxxxxxxxx<mailto:David.Grierson@xxxxxxxxx>
Watermark Building, Alba Campus, Livingston, EH54 7HH

From: Sunhux G [mailto:sunhux@xxxxxxxxx]
Sent: 13 June 2014 14:24
To: Grierson, David
Cc: General Red Hat Linux discussion list
Subject: Re: Vulnerable Openssl version remains & got activated after update


Thanks.

>From "rpm -qa |grep ssl" output, there's no "i686" suffix:
openssl-0.9.8e-22.el5

I'll attempt anyway but should I use "rpm -ivh ..." or
"rpm -Uvh ..."   this time?

SH

On Fri, Jun 13, 2014 at 9:03 PM, Grierson, David <David.Grierson@xxxxxxxxx<mailto:David.Grierson@xxxxxxxxx>> wrote:
You only appear to have upgraded the x86_64 RPMs for the new version - maybe you've still got the i686 version of the RPM's installed as well?

For example on my internal RHEL5 system:

$ rpm -q --qf "%{NAME}-%{VERSION}.%{RELEASE}.%{ARCH}\n" openssl
openssl-0.9.8e.22.el5_8.3.x86_64
openssl-0.9.8e.22.el5_8.3.i686

Dg.
--
David Grierson - SDLC Tools Specialist
Sky Broadcasting - Customer Business Systems - SDLC Tools
Email: David.Grierson@xxxxxxxxx<mailto:David.Grierson@xxxxxxxxx>
Watermark Building, Alba Campus, Livingston, EH54 7HH


> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx<mailto:redhat-list-bounces@xxxxxxxxxx> [mailto:redhat-list-<mailto:redhat-list->
> bounces@xxxxxxxxxx<mailto:bounces@xxxxxxxxxx>] On Behalf Of Sunhux G
> Sent: 13 June 2014 13:49
> To: General Red Hat Linux discussion list
> Subject: Vulnerable Openssl version remains & got activated after update
>
> Hello
>
> I'm sure my rpms are not corrupted (MD5 checksummed)
> as I got them from RHN:
> 1,525,631bytes openssl-0.9.8e-27.el5_10.3.x86_64.rpm
> 1,952,684bytes openssl-devel-0.9.8e-27.el5_10.3.x86_64.rpm
>
> Faced an issue after updating above Openssl & its devel rpm:
>  the updated version of Openssl "adds on" instead of  replacing the
> current
> old version & the RHN's perl script still report it as vulnerable. Any
> concern
> if I forcefully delete (ie "rpm -e --nodeps") the vulnerable Openssl rpm
> openssl-0.9.8e-22.el5 ?
>
> What to do next to address this vulnerable Openssl?
>
>
> # ls *cg*
> opswgw-cgws1-RCLOUDMMM
> # ./opswgw-cgws1-RCLOUDMMM stop  # <==this service uses OpenSSL Stopping
> opswgw: .
>
> # rpm -qa |grep ssl   # verify the current old version
> openssl-0.9.8e-22.el5
> openssl-devel-0.9.8e-22.el5
> openssl-devel-0.9.8e-22.el5
> OPSWopenssl-0.9.8g-1
> docbook-style-dsssl-1.79-4.1
>
> # rpm -Uvh ./openssl-0.9.8e-27.el5_10.3.x86_64.rpm
> ./openssl-devel-0.9.8e-27.el5_10.3.x86_64.rpm
> Preparing...                ###########################################
> [100%]
>         file /etc/pki/tls/certs/ca-bundle.crt from install of
> openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package
> openssl-0.9.8e-22.el5.i686
>         file /usr/share/man/man1/ca.1ssl.gz from install of
> openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package
> openssl-0.9.8e-22.el5.i686
>         file /usr/share/man/man1/req.1ssl.gz from install of
> openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package
> openssl-0.9.8e-22.el5.i686
>         file /usr/share/man/man1/x509.1ssl.gz from install of
> openssl-0.9.8e-27.el5_10.3.x86_64 conflicts with file from package
> openssl-0.9.8e-22.el5.i686 # # rpm -Uvh
> ./openssl-0.9.8e-27.el5_10.3.x86_64.rpm
> ./openssl-devel-0.9.8e-27.el5_10.3.x86_64.rpm --replacefiles
> Preparing...                ###########################################
> [100%]
>    1:openssl                ########################################### [
> 50%]
>    2:openssl-devel          ###########################################
> [100%]
>
>
> # rpm -qa |grep -i ssl
> openssl-0.9.8e-27.el5_10.3      # <== new version created
> openssl-0.9.8e-22.el5             # <== old version still there
> OPSWopenssl-0.9.8g-1
> openssl-devel-0.9.8e-27.el5_10.3      #<== this devel rpm got updated ok
> docbook-style-dsssl-1.79-4.1
> pyOpenSSL-0.6-2.el5
>
> # rpm -e openssl-0.9.8e-22.el5
> error: Failed dependencies:
>         libcrypto.so.6 is needed by (installed)
> nspluginwrapper-1.3.0-9.el5.i386
>         libcrypto.so.6 is needed by (installed) neon-0.25.5-
> 10.el5_4.1.i386
>         libcrypto.so.6 is needed by (installed) pam_ccreds-3-5.i386
>       . . . & many other dependencies . . .
>
> # ./opswgw-cgws1-RCLOUDMMM start
> Starting opswgw:                                           [  OK  ]
> tcp        0      0 0.0.0.0:443<http://0.0.0.0:443>                 0.0.0.0:*
> LISTEN      14914/[opswgw-gatew off (0.00/0/0)
> # ps -ef |grep 14914
> opswgw   14914 14913  0 10:27 ?        00:00:00
> [opswgw-gateway-45.0.3991.0: cgws1-RCLOUDMMM] --PropertiesFile
> /etc/opt/opsware/opswgw-cgws1-RCLOUDMMM/opswgw.properties --BinPath
> /opt/opsware/opswgw/bin/opswgw --Child true
>
> ./opswgw-cgws1-RCLOUDMMM start
> Starting opswgw:                                           [  OK  ]
> # netstat -anop |grep ":443 " |grep -i listen
> tcp        0      0 0.0.0.0:443<http://0.0.0.0:443>                 0.0.0.0:*
> LISTEN      14914/[opswgw-gatew off (0.00/0/0)
>
> # ps -ef |grep 14914
> opswgw   14914 14913  0 10:27 ?        00:00:00
> [opswgw-gateway-45.0.3991.0: cgws1-RCLOUDMMM] --PropertiesFile
> /etc/opt/opsware/opswgw-cgws1-RCLOUDMMM/opswgw.properties --BinPath
> /opt/opsware/opswgw/bin/opswgw --Child true
> root     14992  7088  0 10:28 pts/1    00:00:00 grep 14914
> #
> # ./opswgw-cgws1-RCLOUDMMM start
> # cd /root
> # ./ fake-client-early-ccs.pl<http://fake-client-early-ccs.pl> localhost 443 Got server response, size:
> 2953
> - Handshake - Server Hello
> - Handshake - Certificate
> - Handshake - Server Key Exhange
> - Handshake - Server Hello Done
> FAIL Remote host is affected
>
> # openssl version
> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> [root@MPLSADB02 ~]# rpm -qa |grep -i fips
> fipscheck-1.2.0-1.el5
>
>
> SH
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx<mailto:redhat-list-request@xxxxxxxxxx>?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of British Sky Broadcasting Group plc and Sky International AG and are used under licence. British Sky Broadcasting Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of British Sky Broadcasting Group plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.

Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of British Sky Broadcasting Group plc and Sky International AG and are used under licence. British Sky Broadcasting Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of British Sky Broadcasting Group plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.
-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list





[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux