How to Update Openssl to a Fixed Release against HeartBleed on Enterprise Linux 6.4

OpenSSL announced a vulnerability (CVE-2014-0160) in its handling of the TLS heartbeat extension on April 7th, 2014. Versions 1.0.1 before 1.0.1g and 1.0.2 before 1.0.2 beta2 are affected; the bug is fixed in 1.0.1g and 1.0.2 beta2.

Besides updating the package, OpenSSL also offers the alternative of recompiling it from patched source.

Most Enterprise Linux 6.4 and 6.5 administrators, however, are still on 1.0.1e, and that package can simply be updated to the fixed release 1.0.1e-16.el6_5.7 to close the flaw.

Let's check the server before updating:

[root@test ~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.4.x86_64

See which versions the repository currently offers:

[root@test ~]# yum info openssl
...
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 16.el6_5.4
Size        : 4.0 M
Repo        : installed
From repo   : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.

Available Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 16.el6_5.7
Size        : 1.5 M
Repo        : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.

OK, the fixed release 16.el6_5.7 is available, so update to it:

[root@test ~]# yum update openssl
...
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.4 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package         Arch           Version                   Repository       Size
================================================================================
Updating:
 openssl         x86_64         1.0.1e-16.el6_5.7         updates         1.5 M

Transaction Summary
================================================================================
Upgrade       1 Package(s)

Total download size: 1.5 M
Is this ok [y/N]: y
Downloading Packages:
openssl-1.0.1e-16.el6_5.7.x86_64.rpm                     | 1.5 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : openssl-1.0.1e-16.el6_5.7.x86_64                             1/2
  Cleanup    : openssl-1.0.1e-16.el6_5.4.x86_64                             2/2
  Verifying  : openssl-1.0.1e-16.el6_5.7.x86_64                             1/2
  Verifying  : openssl-1.0.1e-16.el6_5.4.x86_64                             2/2

Updated:
  openssl.x86_64 0:1.0.1e-16.el6_5.7

Complete!

Verify that the fixed release is now installed:

[root@test ~]# rpm -q openssl
openssl-1.0.1e-16.el6_5.7.x86_64

Now we are done. Don't forget to reissue your certificates afterwards.
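As an added example (not from the original post), here is a small POSIX shell check that parses the output of rpm -q openssl, decides whether the release is at or past the fixed 16.el6_5.7, and lists running processes that still have the pre-update libssl/libcrypto mapped and therefore need a restart. The fixed version and release constants come from the post's output; the release layout N.elM_X.Y used for comparison is an assumption.

```shell
# Added example, not from the original post: check whether the installed
# openssl rpm is at or past the EL6 fixed release for CVE-2014-0160, and
# list processes that still map the pre-update library (they need a restart).
FIXED_VERSION="1.0.1e"      # the only version line shipped on EL6 (from the post)
FIXED_RELEASE="16.el6_5.7"  # fixed release named in the post
# rel_ge A B: succeed if release A >= release B, comparing the numbers each
# contains left to right (16.el6_5.7 -> 16 6 5 7). Assumes the EL6 layout
# N.elM_X.Y; it is not a full rpm EVR comparison.
rel_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, /[^0-9]+/); nb = split(b, B, /[^0-9]+/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# openssl_is_fixed NVRA: succeed if a line printed by `rpm -q openssl`
# (e.g. openssl-1.0.1e-16.el6_5.7.x86_64) is at or past the fixed release.
# Stray spaces, as in the post's pasted output, are tolerated.
openssl_is_fixed() {
  vr=$(printf '%s' "$1" | tr -d ' ')
  vr=${vr#openssl-}; vr=${vr%.x86_64}; vr=${vr%.i686}
  ver=${vr%%-*}; rel=${vr#*-}
  [ "$ver" = "$FIXED_VERSION" ] && rel_ge "$rel" "$FIXED_RELEASE"
}

# needs_restart: print PID and name of every process whose memory map still
# refers to a deleted libssl/libcrypto, i.e. one loaded before the update.
# Needs Linux /proc and root; prints nothing elsewhere.
needs_restart() {
  grep -lE 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' /proc/[0-9]*/maps 2>/dev/null |
    sed 's#^/proc/\([0-9]*\)/maps$#\1#' |
    while read -r pid; do
      printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done
}

installed=$(rpm -q openssl 2>/dev/null || true)   # empty on non-rpm hosts
for nvra in $installed; do                         # one line per arch (multilib)
  if openssl_is_fixed "$nvra"; then echo "$nvra: fixed for CVE-2014-0160"
  else echo "$nvra: NOT fixed, run: yum update openssl"; fi
done
[ -n "$installed" ] && { echo "still using the pre-update library:"; needs_restart; }
```

Run it as root after the yum update; a non-empty process list means those daemons (httpd, sshd and so on) still have the old library loaded and must be restarted before the fix is effective for them.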
