4 thoughts on - Openssl Vulnerability

• Send them this link about RHEL backports – 1.0.1t won’t be in EL7.

  https://access.redhat.com/security/updates/backporting

  You can check the CVE database heer to see what RH has to say about an issue and if it affects them:

  https://access.redhat.com/security/security-updates/#/

  Also don’t underestimate the power of rpm -q –changelog |
  grep ;)

• –Jw7DOWsTPR4c8iWFNvrwdOShxWOJkUBDO
  Content-Type: text/plain; charset=windows-1252
  Content-Transfer-Encoding: quoted-printable

  https://access.redhat.com/security/cve/CVE-2016-0701

  substitute the other CVE numbers for the rest, also:

  https://access.redhat.com/security/cve/CVE-2015-3197

  (and so on)

  So, Red Hat says CVE-2016-0701 does not impact any releases (no updates), and if you look at the CVE-2015-3197, it lists all the applicable updates.

  If you check all the CVE’s in question, you can find out all your answers.

  CentOS has a CentOS-announce mailing list where you can see our released updates:

  https://lists.CentOS.org/pipermail/CentOS-announce/

  For example, CVE-2015-3197 lists ‘RHSA-2016:0301’ on ‘2016-03-01’, so to see if CentOS released an update .. click on the March 2016 link and then you will see this:

  https://lists.CentOS.org/pipermail/CentOS-announce/2016-March/thread.html

  And on that page, you can find 2016:0301 for CentOS-6 .. it leads to this link:

  https://lists.CentOS.org/pipermail/CentOS-announce/2016-March/021712.html

  So, if you have openssl-1.0.1e-42.el6_7.4 or later, it has the changes rolled in for that CVE, etc.

  –Jw7DOWsTPR4c8iWFNvrwdOShxWOJkUBDO

• https://access.redhat.com/security/cve/cve-2014-8176 says for
  CVE-2014-8176:

  Red Hat Enterprise Linux 7 openssl098e Will not fix

  This implies that CentOS 7 is impacted, yes?

  RPM -q does not know about this CVE nor the Bugzilla issue 1228611. So what does one do if PCI compliance depends on this issue not being present?

  • My bad – OpenSSL vs. OpenSSH!