OpenSSL Heartbleed fix available

Posted by: Peter Baldwin

Tagged in: clearos

The security update for the OpenSSL Heartbleed issue has been released for the ClearOS Professional Edition.  The update for the Community Edition should be available in the next 12-48 hours.  You can find more information about this update here.

Note: the issue does not impact ClearOS 5.x systems.

Update (April 8, 10 pm EST): The fix for the Community Edition has now been promoted from testing to official updates.  All the mirrors will have the up-to-date packages in a few hours.

Comments (1)

Backported fixes
written by Dave Loper, April 11, 2014
As with all fixes, ClearOS performs fixes to the existing version numbers. This is why you will still see the version 'e' when you investigate. What is important is the minor version numbers.

You can validate that you have the patch by running:

rpm -qi openssl

You should have results similar to this:

[root@office ~]# rpm -qi openssl
Name : openssl Relocations: (not relocatable)
Version : 1.0.1e Vendor: CentOS
Release : 16.el6_5.7 Build Date: Mon 07 Apr 2014 08:43:19 PM MDT
Install Date: Tue 08 Apr 2014 06:30:58 PM MDT Build Host: c6b10.bsys.dev.centos.org
Group : System Environment/Libraries Source RPM: openssl-1.0.1e-16.el6_5.7.src.rpm
Size : 4209635 License: OpenSSL
Signature : RSA/SHA1, Mon 07 Apr 2014 08:49:16 PM MDT, Key ID 0946fca2c105b9de
Packager : CentOS BuildSystem
URL : http://www.openssl.org/
Summary : A general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

So while the version is '1.0.1e' the subversion has been incremented to 16.el6_5.7. If you are running this version or later, you already have the patch. A restart of your web services is required but the patch should also take care of that for you. If you are still nervous, run the following:

service httpd restart && service webconfig restart

The reason why ClearOS backports fixes into existing version numbers rather than incrementing version numbers is for compatibility reasons. Some software depends on different versions, symbols and other objects. Incrementing versions can cause cascading failures in the dependency trees. One of the reasons why ClearOS enjoys such stability comes from the long-standing tradition of fixing software in this manner.

Here you can read about why other vendors do the same:

https://access.redhat.com/site/security/updates/backporting/?sc_cid=3093


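The check the comment describes, the upstream version staying at 1.0.1e while only the release field moves, is easy to get wrong by eye. Here is an added bash example (not from the post or from ClearOS) that compares version-release strings with a simplified copy of rpm's own rpmvercmp segment rules; the fixed string is the one quoted in the comment, the other installed strings are constructed samples.

```bash
#!/usr/bin/env bash
# Added example: decide whether a backported OpenSSL build carries the
# Heartbleed fix by comparing VERSION-RELEASE strings the way rpm does
# (simplified rpmvercmp: split into digit and letter runs, digit runs
# compare numerically, letter runs lexically, digits sort after letters).
LC_ALL=C

# rpm_vercmp A B -> prints -1, 0 or 1
rpm_vercmp() {
  local a="$1" b="$2" ra rb sa sb isnum
  while [ -n "$a" ] || [ -n "$b" ]; do
    a="${a#"${a%%[[:alnum:]]*}"}"   # drop leading '.', '_', '-' separators
    b="${b#"${b%%[[:alnum:]]*}"}"
    [ -n "$a" ] && [ -n "$b" ] || break
    if [[ $a == [0-9]* ]]; then
      isnum=1; ra="${a%%[![:digit:]]*}"; rb="${b%%[![:digit:]]*}"
    else
      isnum=0; ra="${a%%[![:alpha:]]*}"; rb="${b%%[![:alpha:]]*}"
    fi
    if [ -z "$rb" ]; then            # segment types differ: numeric is newer
      [ "$isnum" = 1 ] && echo 1 || echo -1; return
    fi
    sa="$ra"; sb="$rb"
    if [ "$isnum" = 1 ]; then        # numeric: strip leading zeros, longer wins
      sa="${sa#"${sa%%[!0]*}"}"; sb="${sb#"${sb%%[!0]*}"}"
      if [ ${#sa} -ne ${#sb} ]; then
        [ ${#sa} -gt ${#sb} ] && echo 1 || echo -1; return
      fi
    fi
    if [ "$sa" != "$sb" ]; then
      [[ $sa > $sb ]] && echo 1 || echo -1; return
    fi
    a="${a#"$ra"}"; b="${b#"$rb"}"
  done
  if [ -z "$a" ] && [ -z "$b" ]; then echo 0
  elif [ -n "$a" ]; then echo 1
  else echo -1; fi
}

# has_fix INSTALLED FIXED (both "VERSION-RELEASE") -> patched | vulnerable
has_fix() {
  local rc
  rc=$(rpm_vercmp "${1%%-*}" "${2%%-*}")                  # version first
  [ "$rc" = 0 ] && rc=$(rpm_vercmp "${1#*-}" "${2#*-}")   # then release
  [ "$rc" -ge 0 ] && echo patched || echo vulnerable
}

# FIXED is the build shown in the comment; the installed strings are
# constructed samples. On a real host: rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
FIXED="1.0.1e-16.el6_5.7"
for inst in 1.0.1e-16.el6_5.4 1.0.1e-16.el6_5.7 1.0.1e-16.el6_5.14 1.0.1e-15.el6; do
  printf '%-20s %s\n' "$inst" "$(has_fix "$inst" "$FIXED")"
done
```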