Never had to before, but our audit also found the openssl version needed an update. This was a simple binary install, so a yum update openssl* did update to the newest openssl-0.9.8a-5.4, but the audit did show the following as the resolution:
Upgrade to OpenSSL 0.9.7k or 0.9.8c or newer. A source code patch
is also available for those who cannot upgrade to a newer version. The
link to the patch is below.
Patches: http://www.openssl.org/news/patch-CVE-2006-4339.txt
I am not sure if I can in fact patch the rpm version with that text file, if so, great, how?
Well, patching usually occurs on the source code, not the RPM itself. The easier approach would be to install the SRC RPM for your existing install of openssl, patch the sources and then rebuild. Or you could download the source, strip off its spec file to build from, and rebuild with the 0.9.7k or 0.9.8c sources instead of 0.9.8a-5.4.
OS is Fedora 5. This box is a development server running svn which, upon commit, updates 6 live clustered webservers, so I need to make this change / update easy. So I can (trying to remember all my sysadmin 101 stuff) do an rpm -e on the packages (which I will most likely get some dependency error with, with my luck).
Then download the src.rpm and go that route, but not sure if (and how) you patch with that text file, then install.
Thanks again for the reply. I read these forums to keep learning, and your name gets around more than my 1st girlfriend! So thanks for really helping out with so many people's questions.
Then download the src.rpm and go that route, but not sure if (and how) you patch with that text file, then install.
The source RPM should include the tarball of openssl. Once rebuilt, you probably don't have to remove the package per se but rather just force a reinstall or update.
Is this a 64-bit setup by chance? I only see openssl-0.9.8a-5.2 for the i386 arch and openssl-0.9.8a-5.4 in x86_64 for Fedora Core 5.
Maybe the version you have installed didn't include it, but if you download it from http://mirror.fraunhofer.de/download...86_64/?C=M;O=A you'll notice that it has the x86_64, i386 and i686 arch RPMs available. I checked the openssl.spec file as well to make sure it included this patch, which it does.
This might solve the issue, get you your patch without having to rebuild. If not, the steps to patch shouldn't be too hard.
Now I am puzzled. I did look at the download from the 1st link, and pulled down the file
Sep 28 2006 openssl-0.9.8a-5.4.src.rpm, then did an rpmbuild --rebuild on that file.
After 5 or so, it wrote the following:
pwd
/usr/src/redhat/RPMS/x86_64
[root@cs0 x86_64]# ls
openssl-0.9.8a-5.4.x86_64.rpm openssl-devel-0.9.8a-5.4.x86_64.rpm
openssl-debuginfo-0.9.8a-5.4.x86_64.rpm openssl-perl-0.9.8a-5.4.x86_64.rpm
Nothing in the SOURCES directory. I did rpm -Uvh --force the update, which worked, but w/o issuing a re-scan I won't know. I am sure there is another way to see if it's patched; don't think the 'a' version is. Man, I thought I remembered some of this stuff, I'm getting old!
I'd say do the rescan. Not sure how to check without cracking open the RPM to verify. What program is doing this "audit" and how is it checking? If it still complains and this source RPM included this patch, I'd say the audit is faulty.
We have trustkeeper.net do the scans. I am going to push that new rpm to the webservers and re-scan tonight, and we shall see what happens; I'll post back tomorrow.
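On the question of how to tell whether the installed package carries the fix without waiting for a rescan: Fedora/Red Hat backport security patches without bumping the upstream version string, so "0.9.8a" alone proves nothing, but the package changelog (rpm -q --changelog openssl) normally records the CVE. The script below is an added example, not something posted in this thread; the changelog text it checks is constructed for the demo, and only the version thresholds (0.9.7k / 0.9.8c) come from the audit's resolution above.

```shell
#!/bin/sh
# Added example: classify an OpenSSL RPM as fixed for CVE-2006-4339 either by
# upstream version (0.9.7k / 0.9.8c or newer) or by a backport recorded in the
# RPM changelog. Returns a one-word verdict on stdout.

# 0 if upstream version $1 (e.g. 0.9.8a) is at or past the fixed release of its branch.
openssl_version_fixed() {
    v="$1"
    branch=$(printf '%s' "$v" | sed 's/[a-z].*$//')   # 0.9.8a -> 0.9.8
    letter=$(printf '%s' "$v" | sed 's/^[0-9.]*//')   # 0.9.8a -> a
    case "$branch" in
        0.9.7)      fixed=k ;;
        0.9.8)      fixed=c ;;
        0.9.[0-6]*) return 1 ;;   # older branches never received the fix
        *)          return 0 ;;   # 1.0.0 and later postdate the advisory
    esac
    # A bare 0.9.8 has no letter and predates 0.9.8c; otherwise compare letters.
    [ -n "$letter" ] && expr "$letter" \>= "$fixed" >/dev/null
}

# $1 = VERSION-RELEASE as rpm reports it, $2 = changelog text.
# Prints fixed-upstream, fixed-backport or unpatched.
openssl_fix_status() {
    version="${1%%-*}"        # drop the RPM release: 0.9.8a-5.4 -> 0.9.8a
    changelog="$2"
    if openssl_version_fixed "$version"; then
        echo fixed-upstream
    elif printf '%s\n' "$changelog" | grep -qi 'CVE-2006-4339'; then
        echo fixed-backport
    else
        echo unpatched
    fi
}

# Constructed changelog text for the demo (not the real Fedora changelog).
SAMPLE_CHANGELOG='* Thu Sep 28 2006 Example Packager <packager@example.org> 0.9.8a-5.4
- fix RSA signature forgery (CVE-2006-4339)
* Tue Mar 07 2006 Example Packager <packager@example.org> 0.9.8a-5.2
- rebuild'

# Demo: the same upstream version is "unpatched" or "fixed-backport"
# depending only on what the package changelog records.
echo "0.9.8a-5.2: $(openssl_fix_status 0.9.8a-5.2 '- rebuild')"
echo "0.9.8a-5.4: $(openssl_fix_status 0.9.8a-5.4 "$SAMPLE_CHANGELOG")"
echo "0.9.8c-1:   $(openssl_fix_status 0.9.8c-1 '')"
# On a real box:
# openssl_fix_status "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl | head -1)" \
#                    "$(rpm -q --changelog openssl)"
```

On a multilib x86_64 host rpm -q can list both the x86_64 and i386 packages, so check each one rather than only the first line the demo takes.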