Send CentOS-announce mailing list submissions to centos-announce at centos.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.centos.org/mailman/listinfo/centos-announce or, via email, send a message with subject or body 'help' to centos-announce-request at centos.org You can reach the person managing the list at centos-announce-owner at centos.org When replying, please edit your Subject line so it is more specific than "Re: Contents of CentOS-announce digest..." Today's Topics: 1. CVE-2014-0160 CentOS 6 openssl heartbleed workaround (Karanbir Singh) 2. CESA-2014:0376 Important CentOS 6 openssl Update (Karanbir Singh) ---------------------------------------------------------------------- Message: 1 Date: Tue, 08 Apr 2014 03:11:01 +0100 From: Karanbir Singh <kbsingh at centos.org> Subject: [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround To: CentOS Announcements List <centos-announce at centos.org> Message-ID: <53435AB5.8050605 at centos.org> Content-Type: text/plain; charset=ISO-8859-1 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Earlier in the day today, we were made aware of a serious issue in openssl as shipped in CentOS-6.5 ( including updates issued since CentOS-6.5 was released ); This issue is addressed in detail at http://heartbleed.com/ Upstream have not released a patched version of openssl, although we are reliably informed that there is quite a bit of effort ongoing to release a patched package soon. As an interim workaround, we are releasing packages that disable the exploitable code using the published workaround( tls heartbeat ); Note that these packages do not resolve the issue, they merely disable the feature that is being exploited. i386: 58ac5c57e0bcc3a34434973244ddb5eaf1323ef4ff1341f8ad78ec722a794238 openssl-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm b4413e3509647ca7ad2d9d3eb7d53b367b7ea0d43a0d3553c9e517fdfc0a81a7 openssl-devel-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm 12e4456c9c9783fb08794d6a96b5aba4ee28d146b836d626cd1c6b073710d62a openssl-perl-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm 8fbf30e0e237a772417013e81144715d7422fcb585e58adba9635164e3598f4e openssl-static-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm x86_64: 58ac5c57e0bcc3a34434973244ddb5eaf1323ef4ff1341f8ad78ec722a794238 openssl-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm 80d3f839551280bec1aafaacbaddde6b4112c5d64ed4f5ecd2cb3974785319c0 openssl-1.0.1e-16.el6_5.4.0.1.centos.x86_64.rpm b4413e3509647ca7ad2d9d3eb7d53b367b7ea0d43a0d3553c9e517fdfc0a81a7 openssl-devel-1.0.1e-16.el6_5.4.0.1.centos.i686.rpm fc146768d01e92c1dca6b8fffc2b272e62ee7e30c8004e64aa6c5a62707d8d30 openssl-devel-1.0.1e-16.el6_5.4.0.1.centos.x86_64.rpm 8a91c231fe0b021613f784bac7d31e9468a2b286f75afb0276e8b4fe33020092 openssl-perl-1.0.1e-16.el6_5.4.0.1.centos.x86_64.rpm fa2d68756a47d41ee227dcdc3de878c8f4edfb1d7b17b4b96027c991406aa4ee openssl-static-1.0.1e-16.el6_5.4.0.1.centos.x86_64.rpm - ---- Notes: 1) All versions of CentOS prior to 6.5 are unaffected. 2) the release tag in these packages is marked in a manner that the next upstream version will override and replace these packages. ref: - - http://heartbleed.com/ - - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0160 - - https://access.redhat.com/security/cve/CVE-2014-0160 - -- Karanbir Singh, Project Lead, The CentOS Project +44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS GnuPG Key : http://www.karan.org/publickey.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlNDWrUACgkQMA29nj4Tz1tYqgCfVEG1WN0hoJLbOcnZ5Fd0u9U5 JIMAoKg4xsIRFY54pnacEMwfrmWbxwVx =8y4U -----END PGP SIGNATURE----- ------------------------------ Message: 2 Date: Tue, 8 Apr 2014 02:54:58 +0000 From: Karanbir Singh <kbsingh at centos.org> Subject: [CentOS-announce] CESA-2014:0376 Important CentOS 6 openssl Update To: centos-announce at centos.org Message-ID: <20140408025458.GA45134 at n04.lon1.karan.org> Content-Type: text/plain; charset=us-ascii CentOS Errata and Security Advisory 2014:0376 Important Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-0376.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386: 6ceff4bad2608484b9b9ab74b8e9047b593b6b7a6ca5ba3cc16db7d8b447f1d8 openssl-1.0.1e-16.el6_5.7.i686.rpm ef6c735885f24ca8618357b880e8cdc6fcb7c6895d99f740169684a3a6f0b8ba openssl-devel-1.0.1e-16.el6_5.7.i686.rpm 5724d24708d8b62ee48585ea530d379c258a9dd537ce3d350a61af4489c11ea5 openssl-perl-1.0.1e-16.el6_5.7.i686.rpm 601108f27b4716355d972d70e8711b6ff53f4375962b3d6e81321736c6709b90 openssl-static-1.0.1e-16.el6_5.7.i686.rpm x86_64: 6ceff4bad2608484b9b9ab74b8e9047b593b6b7a6ca5ba3cc16db7d8b447f1d8 openssl-1.0.1e-16.el6_5.7.i686.rpm 42cdc321aa3d46889c395c5d6dc11961ed86be5f4d98af0d6399d6c4e1233712 openssl-1.0.1e-16.el6_5.7.x86_64.rpm ef6c735885f24ca8618357b880e8cdc6fcb7c6895d99f740169684a3a6f0b8ba openssl-devel-1.0.1e-16.el6_5.7.i686.rpm 3328f32f211b2e136c25ec8538c768049f288f0b410932b31880fa4b4de8e73b openssl-devel-1.0.1e-16.el6_5.7.x86_64.rpm 89cdbaed00f8348a6a6d567c6c1eb8aba9f94578653be475e826e24c51f10594 openssl-perl-1.0.1e-16.el6_5.7.x86_64.rpm 9222db08c5cbf4fded04fd7d060f5b91ed396665e2baa4c899fc2aa8aa9297d0 openssl-static-1.0.1e-16.el6_5.7.x86_64.rpm Source: 3a08cda99f54b97c027ed32758e7b1ddcff635be5c3737c1e9084321561a015d openssl-1.0.1e-16.el6_5.7.src.rpm -- Karanbir Singh CentOS Project { http://www.centos.org/ } irc: z00dax, #centos at irc.freenode.net ------------------------------ _______________________________________________ CentOS-announce mailing list CentOS-announce at centos.org http://lists.centos.org/mailman/listinfo/centos-announce End of CentOS-announce Digest, Vol 110, Issue 5 ***********************************************