[CentOS] Re: Security implications of openssl098e on CentOS 7
Yamaban
foerster at lisas.de
Wed Oct 21 19:20:10 UTC 2015
On Wed, 21 Oct 2015 20:58, Nick Bright <nick.bright at ...> wrote:
> On 10/21/2015 1:55 PM, Andrew Holway wrote:
>> Personally I would go round to that particular vendor's office with a pipe
>> wrench and encourage them to do better; however, unless this software is
>> transmitting credit card information, then it seems that you could be
>> safe(ish) from the regulation standpoint. It really depends on the location
>> of the machine. Is it deep in the bowels of your high security nuclear
>> bunker on an air gap network, or is it merrily accepting incoming traffic
>> from China? Is the software using an appropriate SELinux policy, or is it
>> running unconfined or with SELinux turned off?
>>
>> It seems the PCI-DSS describes a set of simple rules to get IT managers
>> thinking, but they are somewhat open to interpretation. Are you abiding by
>> the spirit of the regulations?
> The particular software requiring 0.9.8 is performing backups of the system to
> a remote data center.
>
> My concern is that, with the compatibility package installed, could this
> present vulnerabilities or compliance problems in Apache?
TL;DR: Preload openssl from non-standard location for closed-source app only.
Hmm, how about taking the content of the openssl098e package, putting
it into a directory relative to the closed source software (e.g. /opt),
and creating a wrapper script, similar to the following example:
[code]
#!/usr/bin/bash
# This is a wrapper for app to use openssl 0.9.8 (unsafe)
# app is in /opt/app/
# app starter is /opt/app/bin/starter
# ssl098e libs are in /opt/openssl098/
export LD_LIBRARY_PATH=/opt/openssl098/
exec /opt/app/bin/starter ${1+"$@"}
# ${1+"$@"} expands only if at least $1 is present
[/code]
YMMV
- Yamaban.
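An added check to go with the wrapper above (this is example code, not part of Yamaban's reply): it reads /proc/<pid>/maps to confirm that the 0.9.8 libraries end up mapped only into the wrapped backup app and not into httpd or anything else. The /opt/openssl098 path, the "starter" command name and the sample maps excerpts are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread): find which running processes
# have a legacy OpenSSL 0.9.8 library mapped, so that only the wrapped
# closed-source app uses it and httpd keeps the system OpenSSL 1.0.x.

# Assumed legacy library names and the private directory used by the wrapper.
LEGACY_SSL_PATTERN='libssl\.so\.0\.9\.8|libcrypto\.so\.0\.9\.8|/opt/openssl098/'

# Constructed sample maps excerpts (not captured from a real host).
SAMPLE_HTTPD_MAPS='7f1a2c000000-7f1a2c1f0000 r-xp 00000000 fd:00 1234 /usr/lib64/libssl.so.1.0.2k
7f1a2c200000-7f1a2c400000 r-xp 00000000 fd:00 1235 /usr/lib64/libcrypto.so.1.0.2k'
SAMPLE_BACKUP_MAPS='7f9b10000000-7f9b10040000 r-xp 00000000 fd:00 2222 /opt/openssl098/libssl.so.0.9.8e
7f9b10100000-7f9b10280000 r-xp 00000000 fd:00 2223 /opt/openssl098/libcrypto.so.0.9.8e'

# Classify one maps listing read from stdin: prints "legacy" if any mapped
# file matches the legacy pattern, otherwise "ok". Always exits 0.
classify_maps() {
  if grep -Eq "$LEGACY_SSL_PATTERN"; then
    echo legacy
  else
    echo ok
  fi
}

# Walk every live process; print one line per process that has the legacy
# library mapped. $1 is a space-separated allow-list of command names that
# are expected to use it (the wrapper's target); anything else is flagged.
audit_processes() {
  local allowed="${1:-}" maps pid comm verdict
  for maps in /proc/[0-9]*/maps; do
    pid="${maps#/proc/}"; pid="${pid%/maps}"
    verdict="$(classify_maps 2>/dev/null < "$maps")" || continue
    [ "$verdict" = legacy ] || continue
    comm="$(cat "/proc/$pid/comm" 2>/dev/null)" || comm='?'
    case " $allowed " in
      *" $comm "*) echo "expected   pid=$pid comm=$comm" ;;
      *)           echo "UNEXPECTED pid=$pid comm=$comm" ;;
    esac
  done
}

# Stand-alone run: classify the constructed samples, then audit this host,
# treating only the assumed "starter" command as a legitimate user of 0.9.8.
printf 'httpd sample:  %s\n' "$(printf '%s\n' "$SAMPLE_HTTPD_MAPS"  | classify_maps)"
printf 'backup sample: %s\n' "$(printf '%s\n' "$SAMPLE_BACKUP_MAPS" | classify_maps)"
audit_processes "starter"
```

Run it as root so every /proc/<pid>/maps is readable; any UNEXPECTED line means the compat libraries leaked past the wrapper (for example via a system-wide LD_LIBRARY_PATH or an ld.so.conf entry).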