LinuxQuestions.org
Old 11-01-2007, 03:12 PM   #1
legcard
Member
 
Registered: May 2007
Posts: 33

Rep: Reputation: 15
Openssl 0.9.7d or newer for RHEL 4.4


We are running RHEL 4.4 WS with Openssh 3.9p1.
Site security requirements dictate that we run a version of Openssl newer than 0.9.7c. Boss does not want us to compile it. He wants us to find the binary and libs and install them. Trouble is, I can't find anything but source. I have looked in freshmeat, updates.redhat.com, openssl.org, and rpmfind.net.

Does anybody know where I can find an openssl-0.9.7d or newer package?

TIA,
Linda
 
Old 11-01-2007, 04:02 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Normally I'd move distro-specific questions like this to their distribution's LQ forum, but considering the HUGE security implications of what you are doing, I'm leaving it here for a while. IMHO, the way your boss has you going about this is a very serious security risk. Official (and digitally-signed) binary packages provided by your distributor are great. But going around the WWW in search of unofficial binaries to install can cost you your job in a lot of places - for good reason.

Is there some *specific* vulnerability which isn't taken care of in your distro's latest patched OpenSSL package? Keep in mind that with binary OpenSSL packages it's a common practice to backport security fixes and leave the main version number/letter alone. In such cases, you need to actually look at the changelogs to see what vulnerabilities have been patched. For example, when your distributor (Red Hat, Inc.) released updated OpenSSL packages to fix CVE-2006-3738, the package was still called openssl-0.9.7a, even though the upstream fix by OpenSSL.org was included in version 0.9.7l.

Last edited by win32sux; 11-01-2007 at 04:11 PM.
 
Old 11-02-2007, 08:01 AM   #3
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Quote:
Originally Posted by legcard View Post
We are running RHEL 4.4 WS with Openssh 3.9p1.
Site security requirements dictate that we run a version of Openssl newer than 0.9.7c. Boss does not want us to compile it. He wants us to find the binary and libs and install them. Trouble is, I can't find anything but source. I have looked in freshmeat, updates.redhat.com, openssl.org, and rpmfind.net.

Does anybody know where I can find an openssl-0.9.7d or newer package?

TIA,
Linda

Take a look at the Red Hat Errata. The version you are running is more updated than 0.9.7c. Red Hat backports all the security patches for their programs. The only way to go to 0.9.7c and not mess with your support contract is to upgrade to RHEL5. I am guessing that the company has something to do with the GOVT requirements. We had the same exact requirement but the errata has all the CVE numbers and all the security patches.

Here is the specific link for the RHEL4 openssh changelog. This shows everything that was patched.


https://rhn.redhat.com/network/softw...pxt?pid=404682

but you must have a Red Hat Network login.
I hope this helps.
 
Old 11-02-2007, 10:45 AM   #4
legcard
Member
 
Registered: May 2007
Posts: 33

Original Poster
Rep: Reputation: 15
Frustrating

"it's a common practice to backport security fixes and leave the main version number/letter alone."

and

"For example, when your distributor (Red Hat, Inc.) released updated OpenSSL packages to fix CVE-2006-3738, the package was still called openssl-0.9.7a, even though the upstream fix by OpenSSL.org was included in version 0.9.7l."

I don't get that. If you are going to get into the system/program to correct it, update a library, make a change, whatever...why not just go ahead and update the version # while you are there? How hard is that? And why would you call a package 097a when it is really 097l?

So you have to dig thru a log to figure out what the REAL version is based on what CVE was fixed or not fixed. I wonder where that change log is. Oops my Solaris/HP background is showing. And why would an update to a piece of 3rd party software/library "mess" with my service contract?

Yes, I am new to Linux and am still trying to decipher the umpteen flavors, multiple subversions (WS, AS, ES, et al) to those flavors and hardware specific (i386, IA_64 etc). I can only hope that these RPMs are with the change log in this open-source quagmire. This is, of course, assuming that the errata/change log is ON my system. find and grep are my friends.

I logged into my predecessor's redhat account and found a section called relevant errata with 109 entries. Are those patches? Who knows?

My lack of turn-over is starting to strangle me. I don't even know where to start. I have bought every Redhat/Linux book I can find and there is no clear process for updating other than up2date. So if your box does not connect to the cloud, how are you supposed to get your updates or even know which ones to grab?

OK, I'm done ranting. Thanks for your help. What I really need is a turn-over but the guy left months before I got here.
 
Old 11-02-2007, 02:13 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by legcard View Post
I don't get that. If you are going to get into the system/program to correct it, update a library, make a change, whatever...why not just go ahead and update the version # while you are there? How hard is that? And why would you call a package 097a when it is really 097l?
Typically this is done whenever stability is paramount, as is the case with "enterprise" distros such as RHEL. The distributor wants to make as few changes to binaries as possible, which almost always translates into "security fixes only" and maybe "extremely critical bug fixes" too. My understanding is that by not tampering with the main version number, it is an indicator that the feature set remains the same. The version number for the package itself (the numbers further to the right in the file name) does increase every time an update is made, of course. As a bonus, not making major changes to a library also lessens the chance that binaries which use it will have to be recompiled against it.

Quote:
So you have to dig thru a log to figure out what the REAL version is based on what CVE was fixed or not fixed.
Not exactly. If only security/critical fixes are being applied to the distro's package, it's unlikely there will be an upstream equivalent. The upstream developers don't need to be concerned with stability the way "enterprise" distributors do - they can add all the new features they want.

As for the other Red Hat-specific questions in your rant, I'll defer to someone else, as I'm not that familiar with the ways of RHEL.
 
Old 11-02-2007, 05:28 PM   #6
legcard
Member
 
Registered: May 2007
Posts: 33

Original Poster
Rep: Reputation: 15
Cooled off

Win32sux - thank you for your kind reply. It gives me insight into how this is supposed to work. A bit different from what I've done in the past but I'm trying to learn.

I've cooled off some now that I have examined the CVEs and found that they do not apply to RH 4.4. All that fussing for naught.

But I would still like to understand where the rpms and change log are stored on my system.

And when I go to my redhat account, those 109 items, are those the patches for my registered versions? Following that thought, would I download only the critical ones (i.e. Mozilla) and apply them one-sy two-sy or is there a cluster method? What do real Linux sysadmins do? I would like to protect my systems but who wants to download/install unnecessary patches?

Any help on those two questions and I'll be doing my happy dance.

Thanks,
Linda

Last edited by legcard; 11-02-2007 at 05:30 PM.
 
Old 11-02-2007, 07:19 PM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by legcard View Post
But I would still like to understand where the rpms and change log are stored on my system.
Well, you can look at the installed RPMs by using the rpm command, like:
Code:
rpm -qa
As for changelogs, look for a /usr/share/doc or /usr/doc directory. There should be changelogs in the relevant package's subdirectory.

For example, this is what the OpenSSL doc directory looks like on my Ubuntu box:
Code:
win32sux@candystore:~$ ls /usr/share/doc/openssl/
changelog.Debian.gz  copyright  NEWS.gz        README.optimization
changelog.gz         doc        README.Debian
CHANGES.SSLeay.gz    FAQ.gz     README.gz

Quote:
And when I go to my redhat account, those 109 items, are those the patches for my registered versions? Following that thought, would I download only the critical ones (i.e. Mozilla) and apply them one-sy two-sy or is there a cluster method? What do real Linux sysadmins do? I would like to protect my systems but who wants to download/install unnecessary patches?
I would suggest these manuals as a good place to get answers to these questions direct from the source:

Red Hat Enterprise Linux 4 - Introduction to System Administration

Red Hat Enterprise Linux 4.5.0 - System Administration Guide

Red Hat Enterprise Linux 4.5.0 - Security Guide

Last edited by win32sux; 11-03-2007 at 11:35 AM. Reason: Added /usr/share/doc/openssl example.
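
The changelog check described in posts #2 and #7, as an added example that is not part of the original thread: shell functions that read the output of `rpm -q --changelog <package>` and report which required CVE ids the package changelog mentions. The function names and the sample changelog are constructed for illustration; only CVE-2006-3738 comes from the thread.

```shell
#!/usr/bin/env bash
# Added example: check an RPM changelog for backported CVE fixes.
# On a real host, feed it the output of:  rpm -q --changelog openssl

# Constructed sample changelog (entries, dates and release strings are made up;
# only CVE-2006-3738 is taken from the thread).
sample_changelog() {
cat <<'EOF'
* Mon Jan 01 2007 Example Packager <pkg@example.com> 0.9.7a-EXAMPLE.2
- fix CVE-2006-3738 (backported from upstream)
- fix CVE-1900-00021 (constructed id)

* Sat Jan 01 2005 Example Packager <pkg@example.com> 0.9.7a-EXAMPLE.1
- fix CAN-1900-0001 (constructed id, old candidate-style name)
EOF
}

# List every CVE id mentioned on stdin, one per line, sorted and unique.
# Older entries use the CAN- prefix for the same numbers, so normalise it.
list_fixed_cves() {
    grep -oE '(CVE|CAN)-[0-9]{4}-[0-9]{4,}' | sed 's/^CAN-/CVE-/' | LC_ALL=C sort -u
}

# Read a changelog on stdin and report each CVE id given as an argument as
# "fixed" or "missing". Returns 1 if any id is missing or malformed.
cve_audit() {
    local fixed cve rc=0
    fixed=$(list_fixed_cves)
    for cve in "$@"; do
        if ! printf '%s\n' "$cve" | grep -qE '^CVE-[0-9]{4}-[0-9]{4,}$'; then
            printf '%s malformed\n' "$cve"; rc=1
        elif printf '%s\n' "$fixed" | grep -qxF -- "$cve"; then
            printf '%s fixed\n' "$cve"      # whole-line match: no prefix hits
        else
            printf '%s missing\n' "$cve"; rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed sample.
sample_changelog | cve_audit CVE-2006-3738 CVE-1900-0001 CVE-1900-0002 || true
```

A "missing" result only means the id is not named in the changelog text; the distributor's errata remain the authoritative record of what was patched.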
 
Old 11-05-2007, 09:35 AM   #8
legcard
Member
 
Registered: May 2007
Posts: 33

Original Poster
Rep: Reputation: 15
Win32sux,
Thank you so much for your reply. And for the advice on the online books. I wish they gave an option to print or buy these, I like to scribble notes in my tech manuals to help me remember. These docs are all good resources for me. With your help, I have found the change log. Thanks, again.
Linda

Last edited by legcard; 11-05-2007 at 09:37 AM.
 
  

