
Date:  Sat, 26 Apr 2008 07:02:02 +0100
From:  Michael Stauber <bq (at mark) solarspeed.net>
Subject:  [coba-e:12687] Re: openssl version
To:  coba-e (at mark) bluequartz.org
Message-Id:  <200804260802.03090.bq (at mark) solarspeed.net>
In-Reply-To:  <028301c8a721$cc75ca10$6601a8c0@OfficeKen>
References:  <59460.12793.qm (at mark) web63808.mail.re1.yahoo.com> <028301c8a721$cc75ca10$6601a8c0 (at mark) OfficeKen>
X-Mail-Count: 12687

Hi Ken,

> It looks like bluequartz runs:
> openssl version -a
> OpenSSL 0.9.7a Feb 19 2003
>
> From the people that scan my servers I received this warning:
>
> Description
> The remote host appears to be using a version of OpenSSL which is older
> than 0.9.6j or 0.9.7b.
>
> This version is vulnerable to a timing based attack which may allow an
> attacker to guess the content of fixed data blocks (such as passwords or
> credit card number).

A fully yum-updated BlueQuartz runs "openssl-0.9.7a-43.17.el4_6.1", which is 
like the 60th release of OpenSSL-0.9.6a with all the RedHat patches applied.

When you check the changelog for it (use: rpm -q --changelog openssl ) and 
compare it with http://www.openssl.org/news/vulnerabilities.html, then you'll 
notice that it has patches for pretty much all vulnerabilities that OpenSSL 
list on that page - and then some.

Whenever CentOS, RedHat or Fedora and many other distributors of RPM based 
Linux distributions release patches for their brand of Linux, they almost 
always keep the version number of the RPMs the same. Just the RELEASE number 
increases. But the release number is usually only visible if you're really 
looking "under the hood" (i.e.: check the RPM database) and that info may not 
be easily transparent for onlookers from the outside. To them it may look 
like a stock "openssl-0.9.7a" in this case, which it isn't. So no worries.

Changelog, just showing date, packager, version and release info:
[root (at mark) sword /]# rpm -q --changelog openssl|grep ^*|grep "0.9.7a"
* Di Okt 23 2007 Tomas Mraz <tmraz (at mark) redhat.com> 0.9.7a-43.17.1
* Fr Aug 03 2007 Tomas Mraz <tmraz (at mark) redhat.com> 0.9.7a-43.17
* Fr Jan 12 2007 Tomas Mraz <tmraz (at mark) redhat.com> 0.9.7a-43.16
* Di Okt 03 2006 Tomas Mraz <tmraz (at mark) redhat.com> 0.9.7a-43.15
* Fr Sep 29 2006 Tomas Mraz <tmraz (at mark) redhat.com> 0.9.7a-43.14
* Mi Sep 06 2006 Tomas Mraz <tmraz (at mark) redhat.com> 0.9.7a-43.11
* Sa Apr 22 2006 Tomas Mraz <tmraz (at mark) redhat.com> 0.9.7a-43.10
* Do Apr 20 2006 Tomas Mraz <tmraz (at mark) redhat.com> 0.9.7a-43.9
* Do Jan 12 2006 Tomas Mraz <tmraz (at mark) redhat.com> 0.9.7a-43.8
* Di Nov 29 2005 Tomas Mraz <tmraz (at mark) redhat.com> 0.9.7a-43.6
* Fr Nov 25 2005 Tomas Mraz <tmraz (at mark) redhat.com> 0.9.7a-43.5
* Fr Okt 07 2005 Tomas Mraz <tmraz (at mark) redhat.com> 0.9.7a-43.4
* Fr Aug 12 2005 Phil Knirsch <pknirsch (at mark) redhat.com> 0.9.7a-43.3
* Fr Mai 20 2005 Tomas Mraz <tmraz (at mark) redhat.com> 0.9.7a-43.2
* Fr Dez 03 2004 Jeremy Katz <katzj (at mark) redhat.com> - 0.9.7a-43.1
* Fr Nov 19 2004 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-43
* Fr Nov 19 2004 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-42
* Fr Nov 19 2004 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-41
* Mi Okt 06 2004 Phil Knirsch <pknirsch (at mark) redhat.com> 0.9.7a-40
* Di Jun 15 2004 Phil Knirsch <pknirsch (at mark) redhat.com> 0.9.7a-38
* Di Jun 08 2004 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-37
* Mi Mai 26 2004 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-36
* Do Mär 25 2004 Joe Orton <jorton (at mark) redhat.com> 0.9.7a-35
* Mi Mär 10 2004 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-34
* Mi Mär 10 2004 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-33
* Do Feb 26 2004 Phil Knirsch <pknirsch (at mark) redhat.com> 0.9.7a-32
* Di Feb 17 2004 Phil Knirsch <pknirsch (at mark) redhat.com> 0.9.7a-31
* Fr Feb 13 2004 Phil Knirsch <pknirsch (at mark) redhat.com> 0.9.7a-29
* Mi Feb 11 2004 Phil Knirsch <pknirsch (at mark) redhat.com> 0.9.7a-28
* Mi Feb 04 2004 Joe Orton <jorton (at mark) redhat.com> 0.9.7a-27
* So Nov 30 2003 Tim Waugh <twaugh (at mark) redhat.com> 0.9.7a-26
* Sa Okt 25 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-25
* Sa Okt 25 2003 Phil Knirsch <pknirsch (at mark) redhat.com> 0.9.7a-24
* So Okt 05 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-22.1
* Do Okt 02 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-22
* Mi Okt 01 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-23
* Mi Okt 01 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-22
* Di Sep 30 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-21
* Do Sep 25 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-20
* Do Sep 18 2003 Matt Wilson <msw (at mark) redhat.com> 0.9.7a-19
* Di Aug 26 2003 Phil Knirsch <pknirsch (at mark) redhat.com> 0.9.7a-18
* Fr Jul 18 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-17
* Mi Jul 16 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-10.9
* Fr Jul 11 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-16
* Fr Jul 11 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-15
* Mi Jul 09 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-14
* Fr Jun 27 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-13
* Fr Jun 27 2003 Phil Knirsch <pknirsch (at mark) redhat.com> 0.9.7a-12
* Do Jun 12 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-9.9
* Do Jun 12 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-11
* Mi Jun 11 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-10
* Mi Jun 11 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-9
* Do Jun 05 2003 Elliot Lee <sopwith (at mark) redhat.com> 0.9.7a-8
* Sa Mai 31 2003 Phil Knirsch <pknirsch (at mark) redhat.com> 0.9.7a-7
* Do Apr 17 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-6
* Mi Mär 19 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-5
* Mo Mär 17 2003 Nalin Dahyabhai <nalin (at mark) redhat.com>  0.9.7a-4
* Mi Mär 05 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-3
* Do Feb 27 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-2
* Mi Feb 19 2003 Nalin Dahyabhai <nalin (at mark) redhat.com> 0.9.7a-1

Line count to see how many patches were applied to the stock OpenSSL-0.9.7a:
[root (at mark) sword /]# rpm -q --changelog openssl|grep ^*|grep "0.9.7a"|wc -l
60

> Is there a way to update it?

Yes, it's of course possible to substitute or replace OpenSSL with a custom 
built OpenSSL (although some applications may be statically compiled against 
the onboard OpenSSL and need a recompile, too). But then you'll have to keep 
an eye on future OpenSSL vulnerabilities and will have to repeat the 
substitution every time your manually updated OpenSSL is found vulnerable. 

But as CentOS appears to do a pretty good job with patching OpenSSL you don't 
have to do that.

-- 
With best regards,

Michael Stauber
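The version-versus-release distinction the mail makes, as an added shell example that is not part of the original message or of BlueQuartz, RPM or OpenSSL: it splits a package string such as openssl-0.9.7a-43.17.el4_6.1 into its upstream version and its vendor release, compares release strings the way rpm orders them, and pulls the release numbers out of changelog headers like the ones quoted above. It assumes a POSIX sh with awk, sed and grep. The four changelog headers are a constructed sample copied from the entries above (with the addresses un-obfuscated), and vercmp is a simplified reimplementation of the segment rules rpm's rpmvercmp() uses (no epoch handling), not rpm's own code.

```shell
#!/bin/sh
# Added example (not from the original mail). Shows why a banner that says
# "OpenSSL 0.9.7a" tells a scanner nothing about backported fixes: the
# upstream VERSION stays fixed while the vendor RELEASE keeps climbing.

# Constructed sample: the four newest headers from the mail's
# `rpm -q --changelog openssl | grep ^*` output, newest first.
SAMPLE_CHANGELOG='* Di Okt 23 2007 Tomas Mraz <tmraz@redhat.com> 0.9.7a-43.17.1
* Fr Aug 03 2007 Tomas Mraz <tmraz@redhat.com> 0.9.7a-43.17
* Fr Jan 12 2007 Tomas Mraz <tmraz@redhat.com> 0.9.7a-43.16
* Di Okt 03 2006 Tomas Mraz <tmraz@redhat.com> 0.9.7a-43.15'

# Upstream version of "NAME-VERSION-RELEASE" (or "VERSION-RELEASE"):
# drop the trailing "-RELEASE", then everything up to the last remaining "-".
rpm_version() { printf '%s\n' "$1" | sed 's/-[^-]*$//; s/.*-//'; }

# Vendor release: the part after the last "-".
rpm_release() { printf '%s\n' "$1" | sed 's/.*-//'; }

# Compare two version or release strings, printing -1, 0 or 1.
# Simplified rpmvercmp() rules: split into runs of digits and runs of letters,
# digits compare numerically, letters as strings, a digit run beats a letter
# run, and when the common prefix is equal the string with more segments wins.
vercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, arr,    n, i, c, t, type, cur) {
        n = 0; cur = ""; type = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c ~ /[0-9]/) t = "d"; else if (c ~ /[A-Za-z]/) t = "a"; else t = ""
            if (cur != "" && t != type) { arr[++n] = cur; cur = "" }
            if (t != "") { cur = cur c; type = t }
        }
        if (cur != "") arr[++n] = cur
        return n
    }
    BEGIN {
        na = segs(a, A); nb = segs(b, B)
        n = (na < nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ad = (A[i] ~ /^[0-9]+$/); bd = (B[i] ~ /^[0-9]+$/)
            if (ad && bd) {
                if (A[i] + 0 != B[i] + 0) { r = (A[i] + 0 > B[i] + 0) ? 1 : -1; print r; exit }
            } else if (ad != bd) {
                r = ad ? 1 : -1; print r; exit
            } else if (A[i] != B[i]) {
                r = (A[i] > B[i]) ? 1 : -1; print r; exit
            }
        }
        r = (na == nb) ? 0 : ((na > nb) ? 1 : -1); print r
    }'
}

# Release of the newest changelog header ("* <date> <packager> V-R" lines).
newest_changelog_release() {
    printf '%s\n' "$1" | grep '^\*' | head -n 1 | awk '{ print $NF }' | sed 's/.*-//'
}

# Number of changelog headers, i.e. how many vendor builds this version has had
# (the mail's `grep ^* | wc -l` check, applied to the sample text).
count_changelog_releases() { printf '%s\n' "$1" | grep -c '^\*'; }

# Stand-alone demo on the package the mail reports for a fully updated box.
INSTALLED=openssl-0.9.7a-43.17.el4_6.1
echo "upstream version                       : $(rpm_version "$INSTALLED")"
echo "vendor release                         : $(rpm_release "$INSTALLED")"
echo "banner-only check vs 0.9.7b (-1=older) : $(vercmp "$(rpm_version "$INSTALLED")" 0.9.7b)"
echo "release check vs 43.16 (1=newer)       : $(vercmp "$(rpm_release "$INSTALLED")" 43.16)"
echo "changelog builds of this version       : $(count_changelog_releases "$SAMPLE_CHANGELOG")"
echo "newest changelog release               : $(newest_changelog_release "$SAMPLE_CHANGELOG")"
```

The banner-only comparison returns -1 (older than 0.9.7b), which is exactly the scanner's verdict, while the release comparison shows the package is well past the builds in the changelog. On a live system replace SAMPLE_CHANGELOG with `rpm -q --changelog openssl` and INSTALLED with `rpm -q openssl`; the fix for a specific advisory is then confirmed by reading the changelog entry for that release, not from the version string.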