Hello!

Here is the short version:
I need to rebuild the "openssl-0.9.7a-43.17.e14_6.1.src.rpm" source rpm from RedHat. I downloaded that file from RedHat, put it into /usr/src/redhat/SRPMS, and ran "rpmbuild --rebuild openssl-0.9.7a-43.17.e14_6.1.src.rpm". The process seems to have finished successfully, but what I get in /usr/src/RPMS/i386/ is a file named "openssl-0.9.7a-43.17.1.i386.rpm". I am having trouble reinstalling this because the version name is different. What am I doing wrong?

I greatly appreciate your help. Thanks!

1st I hope this is just a typo, but that should be el4 not e14 (small L not 1). If it is a 1 then you probably do not have a real RH rpm(a fake).

It would help a LOT if you would cut and past the errors you are getting.


Usually it is a good idea to post your distro, version, and arch you are using when asking a question. I assume you are running RHEL4.X 32bit.

Might be more current.

I think it's due to the .spec's "43.17%{?dist}.1" tag, meaning it should be see a "%define dist" (1, 2) sourced beforehand in some macro file. BTW rebuilding this .src.rpm as root account user isn't a best practice (user an unprivileged account) and rebuilding this particular .src.rpm isn't good (it's obsoleted).

unSpawn

Do not forget that RH back patches older versions of packages with current security patches (and hardware support), assuming you were referring to the 0.9.7a-43.17 part and not the 6.1 part.

Thanks. Maybe I need a second opinion. Am I mistaken that RHSA-2007-1003 (openssl-0.9.7a-43.17.el4_6.1) points to RHSA-2009-0004 (openssl-0.9.8b-10.el5_2.1) which affects EL4 as well?

Not sure. But I if you look in the Centos repo for EL4 (not the el5 rpm you have listed) it has no openssl-0.9.8b rpm listed. As Centos is just rebuilt RHEL and Centos/RHEL4.X is still on a ton of commercial servers, I would be VERY surprised is they were running an insecure version. It would however be a very good question for those that have a RHEL license to ask RH.

Centos 5.4 lists, openssl-0.9.8e-12.el5.src.rpm

Thanks for the fast replies!!

Lazlow, you're right it was a typo, and also sorry for the lack of info:
Red Hat Enterprise Linux ES release 4 (Nahant Update 8)
2.6.9-42.0.10.ELsmp #1 SMP i686 i686 i386 GNU/Linux
You mentioned -(openssl-0.9.7a-43.17.el4_7.2.src.rpm)- I will definitely need to install this at some point

unSpawn - I'm not familiar with the spec file format and what all it should contain. Since this came from RH should it not rebuild back to the same version as the src.rpm file that I downloaded? Do I need to add a command line argument for that to happen? Is there a switch I need to use to tell the rebuild to include all of the patches?

The long version:
I actually need to edit the ssl.h file, then recompile and rebuild the package and install it. I am trying to move one step at at a time and first verify that I can rebuild and install the source package before editing it. Once I know that I can do that, then I will edit it and verify that I can do the same thing. And then, once I understand the process, I was going to upgrade with a newer version of the package. I'm not really opposed to going through this process with the _7.2 version of the package, I'm just kind of stuck on how to edit and rebuild this src.rpm where it ends up with the right version name. I tried rebuilding the _7.2 version with the same result that the resulting RPM file did not include the patch version in the name.

Thanks for your help!! I really appreciate it.

An update on what I've done:

I followed this article - linuxweblog.com/patch-rebuild-rpm
1) I created a file named /home/username/.rpmmacros that contained only the line: %_topdir /home/username/src/rpm
2) I built the directories that were needed (/home/username/src/rpm/BUILD,SOURCES,SRPMS,RPMS,SPECS)
3) I installed the source rpm file: rpm -ihv openssl-0.9.7a-43.17.el4_7.2.src.rpm
4) I moved and unpacked the ~/src/rpm/SOURCES/openssl-0.9.7a-usa.tar.bz2 to ~/src/rpm/BUILD, edited the ssl.h file, then repacked it and moved it back
5) Edited the SPECS/openssl.spec file, changed the "Release: 43.17%{?dist}.2" to read ""Release: 43.17.el4_7.2"
6) I did a build from the spec file: rpmbuild -ba ~/src/rpm/SPECS/openssl.spec
7) I did a force upgrade with the new package: rpm -Uhv --force ~/src/rpm/RPMS/openssl-0.9.7a-43.17.el4_7.2.i386.rpm

So far everything seems to be working. I am doing this to pass a penetration test requirement so it remains to be seen if the change I made will be effective. Thank you for pointing me in the right direction, and I would be grateful to read your thoughts on my likelihood of success.

Thanks for posting back your steps. That you chose to build the RPM as unprivileged user really was a good choice. I just wish more people would adhere to best practices.


I don't know if modifying ssl.h will satisfy requirements: if the goal is to just present falsified information then it's "security by obscurity" (which is not security at all). It's hard to say what the penetration test will yield since I don't know which CVE you're combatting. More information please!

Hey! I am taking your comment to mean that you didn't see any obvious errors in how I went about it, so that is great! The finding is from a Qualys scan, and it didn't include a CVE number but the QID is "38284 - Netscape/OpenSSL Cipher Forcing Bug". In the ssl.h file I had to change this line:

#define SSL_OP_ALL 0x00000FFFL

to this line:

#define SSL_OP_ALL (0x00000FFFL^SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)

I guess I'll find out how successful I was when we get scanned again. Thanks for your help!

Yes. Looks good to me. However the proof is in the pudding...


I had a look at 1 and 2 and 'man SSL_CTX_set_options' but this looks like a SSL / Netscape compatibility issue, not a "real" vulnerability. Of course I'm no guru.