Hello --
We are running the CentOS 6.3 64-bit distribution on one of our servers, and I am involved in upgrading the Apache and OpenSSL packages. I completed an upgrade to both; the versions now installed on the server are the following:
httpd 2.2.15-29.el6.centos
httpd-manual 2.2.15-29.el6.centos
httpd-tools 2.2.15-29.el6.centos
openssl 1.0.0-27.el6_4.2
openssl-devel 1.0.0-27.el6_4.2
Are these the latest versions of Apache and OpenSSL that are available to CentOS in package format? If not, what repository can I go to for the latest versions?
Thanks.
On Thu, Oct 31, 2013 at 10:50 AM, Kaplan, Andrew H. AHKAPLAN@partners.org wrote:
First, why aren't you doing a full 'yum update' to bring the whole system up to 6.4?
Also, are you updating these packages to get new features or bug/security fixes? CentOS tracks the updates in RHEL exactly, and RHEL backports many security and bug fixes without changing the base package version numbers. You can see these with 'rpm -q --changelog package_name', where the CVE numbers will be mentioned, if you are checking for some particular security issue.
If you need new features, you may have to go to newer versions found elsewhere, but be very careful about replacing any base packages in your system - it is almost always the wrong thing to do. You need to know more about Linux than the Red Hat engineers...
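The changelog check Les describes, worked through as an added example (this is not code from the thread or from CentOS). The upstream version string (2.2.15, 1.0.0) says nothing about which fixes Red Hat backported, so the script pulls CVE identifiers out of the text that 'rpm -q --changelog' prints. It runs offline against a constructed changelog excerpt; the CVE ids in that excerpt are placeholders, not real advisories, and the function names (changelog_cves, cve_fixed, rpm_cve_fixed) are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find which CVE identifiers a backported
# RHEL/CentOS package claims to fix by reading its RPM changelog, since the
# upstream version string alone does not reveal the backports.

# Constructed sample in the layout `rpm -q --changelog` prints. The CVE ids
# below are placeholders for illustration, not real advisories.
SAMPLE_CHANGELOG='* Mon Jan 07 2013 Example Packager <packager@example.invalid> - 2.2.15-29
- Resolves: CVE-2013-0000 (placeholder) backported from upstream
- Resolves: CVE-2013-0001 (placeholder)

* Mon Jun 04 2012 Example Packager <packager@example.invalid> - 2.2.15-15
- Resolves: CVE-2012-0000 (placeholder); also mentions CVE-2013-0000 again
'

# changelog_cves: read changelog text on stdin, print each distinct CVE id once.
changelog_cves() {
    grep -o -E 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# cve_fixed CVE-ID: read changelog text on stdin; exit 0 if the id is mentioned
# (exact, whole-line match so CVE-2013-0000 does not match CVE-2013-00001).
cve_fixed() {
    changelog_cves | grep -q -x -F -- "$1"
}

# rpm_cve_fixed PACKAGE CVE-ID: the same check against the installed package on
# a real RPM host. Needs rpm; the constructed sample does not exercise it.
rpm_cve_fixed() {
    rpm -q --changelog -- "$1" | cve_fixed "$2"
}

# Stand-alone demonstration on the constructed sample.
if printf '%s' "$SAMPLE_CHANGELOG" | cve_fixed CVE-2013-0000; then
    echo "CVE-2013-0000: fix recorded in changelog"
else
    echo "CVE-2013-0000: not mentioned"
fi
echo "All CVE ids mentioned:"
printf '%s' "$SAMPLE_CHANGELOG" | changelog_cves
```

On a real host the call is 'rpm_cve_fixed httpd CVE-YYYY-NNNN', with the id taken from the advisory you are checking against. A miss is not proof the package is vulnerable (the fix may predate the entry style, or the id may have been assigned after the build), so a miss should send you to the vendor advisory rather than straight to a rebuild.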
On Thu, 31 Oct 2013 11:26:52 -0500 Les Mikesell lesmikesell@gmail.com wrote:
One other thing regarding the OpenSSL packages in 6.4: they do not currently support TLS 1.2 and are stuck on TLS 1.0, so they may be less secure. [1]
However, Red Hat is aware of this, and 6.5 will update OpenSSL to a more recent version which will support TLS 1.2 and solve most currently known security problems. [2]
So I'd suggest sticking with the 6.4 packages for now, and once 6.5 is out, upgrading to those.
(For a while the last secure cipher in the current OpenSSL in CentOS/RHEL was RC4; however, even that is now considered not so secure and should be phased out. [1])
Also, it may be worth doing a full upgrade to 6.4 and then to 6.5 to ensure no other hidden security issues are lurking due to an out-of-date package.
[1] https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-bro...
[2] https://www.redhat.com/about/news/archive/2013/10/latest-beta-release-of-red...
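A way to confirm the two points above (no TLS 1.2 in the 6.4 OpenSSL, RC4 still enabled) on a given host, as an added example that is not code from the thread. 'openssl ciphers -v' prints one line per suite with the protocol in the second column, so a library that cannot speak TLS 1.2 lists no suite tagged TLSv1.2, and the Enc= column shows which suites use RC4. The two listings embedded below are constructed excerpts in that layout, not the full real lists for 1.0.0 and 1.0.1, and the function names (supports_tls12, rc4_suites, live_report) are my own.

```shell
#!/bin/sh
# Added example (not from the thread): tell from `openssl ciphers -v` output
# whether the installed OpenSSL offers any TLS 1.2 cipher suites, and which
# suites still use RC4. Works on captured output, so a listing saved from
# another host can be checked offline.

# Constructed excerpts in the column layout of `openssl ciphers -v`
# (name, protocol, Kx=, Au=, Enc=, Mac=). Not the complete real lists.
SAMPLE_OPENSSL_100='AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5'

SAMPLE_OPENSSL_101='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1'

# supports_tls12: read a cipher listing on stdin; exit 0 if any suite is tagged
# TLSv1.2 (the SHA-256/GCM suites only appear when the library can speak TLS 1.2).
supports_tls12() {
    awk '$2 == "TLSv1.2" { found = 1 } END { exit found ? 0 : 1 }'
}

# rc4_suites: read a cipher listing on stdin; print the name of every suite
# whose Enc= column is RC4, one per line.
rc4_suites() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^Enc=RC4/) { print $1; break } }'
}

# live_report: run both checks against the openssl binary on this host.
live_report() {
    list=$(openssl ciphers -v 'ALL:COMPLEMENTOFALL') || return 1
    if printf '%s\n' "$list" | supports_tls12; then
        echo "TLS 1.2 suites available"
    else
        echo "no TLS 1.2 suites: this library negotiates TLS 1.0 at best"
    fi
    echo "RC4 suites still enabled:"
    printf '%s\n' "$list" | rc4_suites
}

# Stand-alone demonstration on the constructed excerpts.
for sample in "$SAMPLE_OPENSSL_100" "$SAMPLE_OPENSSL_101"; do
    if printf '%s\n' "$sample" | supports_tls12; then
        echo "TLS 1.2: yes"
    else
        echo "TLS 1.2: no"
    fi
    echo "RC4 suites:"
    printf '%s\n' "$sample" | rc4_suites
done
```

Call 'live_report' on the server itself to see the real answer for its openssl package. Having RC4 suites compiled in is only a problem if httpd's SSLCipherSuite still allows them, so the follow-up is to add '!RC4' to that string and re-run 'openssl ciphers -v' with the same string to confirm they are gone.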