[CentOS] Upgrading openssl to openssl-1.0.1e-16.el6_5.7.x86_64

Mon Jun 9 14:30:04 UTC 2014
Johnny Hughes <johnny at centos.org>

On 06/09/2014 07:11 AM, John R Pierce wrote:
> On 6/9/2014 4:15 AM, srikanth chakravarthula wrote:
>> Can we upgrade the OpenSSL version on earlier CentOS Versions 6.2/6.3/6.4
>> with the latest Openssl version which has all the latest openssl
>> vulnerability fixes from Cent OS repo.
> 6.2, 6.3, 6.4 are not centos 'versions', the version is CentOS 6.. 6.2 
> etc are just snapshots of the state of it at that point in time with no 
> further patches.
>
> yes, you probably can just install openssl updates, yum update 
> openssl...  but such a mix of older packages with newer isn;t 100% 
> tested (there's far too many possible combinations to test).

This is exactly correct ... if you are running 6.2, 6.3, or 6.4 then you
are missing very many security updates .. many of them critical.  There
is no mechanism to get CentOS security updates unless you stay on the
main tree.

Some other distros will tell you that they offer security updates with
the older trees, except that is not how Red Hat tested those released
updates, so there is no way to verify that those updates fix the problem
with older packages from 6.2, 6.3, 6.4, etc. installed.  If you look at
the Red Hat advisory, you can see that it clearly says this:

"Before applying this update, make sure all previously released errata
relevant to your system have been applied."

See the Solution section here:  
https://rhn.redhat.com/errata/RHSA-2014-0376.html

So even in RHEL there is no way to install that openssl on and older
branch and have a reasonable expectation that the all security issues
(or even that security issue) is fixed.  Anyone that says otherwise does
not understand the potential issues of running older shared libraries
with items.

Red Hat does have both an AUS and an EUS channel to address these issues
... security updates for older versions of RHEL.  For example here is
the errata for that a newer openssl:

https://rhn.redhat.com/errata/RHSA-2014-0627.html

If you look, there is openssl-1.0.0-20.el6_2.7.src.rpm,
openssl-1.0.0-25.el6_3.3.src.rpm, openssl-1.0.0-27.el6_4.4.src.rpm ..
but Red Hat has never publicly released the EUS/AUS sources.  Therefore
CentOS has never built them.

But even with those updates, you need to install all the other updates
within that channel (RHEL-6.2 AUS, etc.) before you are sure to have the
tested solution for the security issue.

If you want security inside older trees, you have to build the updates
against those trees and test them yourself ... and it STILL might not be
secure. 

Personally, I would say if you want older versions with security, you
need to be on one of the RHEL AUS/EUS channels.

That said. you can point to the 6/updates tree and do a yum update
openssl and it will pull in only the things it needs to update to make
that install ... that does not mean you are secure however.



 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20140609/d6dcdd2e/attachment-0004.sig>