Openssl10 and Heartbleed bug

Asked by April Elsasser

Recently I installed the PHP54 pkgs from IUS. 'php54-5.4.24-1.ius.el6.x86_64' has a dependency for 'openssl10'.

(Processing Dependency: libcrypto.so.10(OPENSSL_1.0.1)(64bit) for package: php54-5.4.24-1.ius.el6.x86_64)

So I removed 'openssl' and installed 'openssl10'.

Is there a patched version for the Heartbleed bug? Or is the last version of 'openssl10' from IUS not vulnerable to the bug? I can't find a newer version than the one I've installed (openssl10-devel-1.0.1e-2.ius.el6.x86_64.rpm).

Thanks.

--April Elsasser
<email address hidden>

Question information

Language: English
Status: Solved
For: IUS Community Project
Assignee: No assignee
Solved by: April Elsasser
Carl George (carl.george) said (#1):

We originally packaged openssl10 at the request of a community member. Later on, Red Hat updated the regular openssl package to a more current version, making openssl10 obsolete. Because of this, the openssl10 package is no longer supported, and has been moved to our archive repos. You can review the history of this package in this bug report.

https://bugs.launchpad.net/ius/+bug/1034961

This archive package is definitely vulnerable to the Heartbleed bug, and it will not be patched. You should immediately replace it with the native openssl package using yum shell.

# yum shell
> remove openssl10 openssl10-devel
> install openssl openssl-devel
> run

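Two follow-up checks for the swap Carl describes, written as an added example for this page (it is not code from the thread or from the IUS project). The first classifies what rpm reports for openssl/openssl10 so you can confirm the box no longer carries a CVE-2014-0160 build; the second scans /proc/<pid>/maps for processes (httpd, php-fpm, sshd and so on) that still have the removed libcrypto mapped, because replacing the library on disk does not patch a process that loaded the old copy before the swap, and such processes stay vulnerable until restarted. Assumptions not stated on the page: the EL6 fixed build number 1.0.1e-16.el6_5.7 is taken from Red Hat advisory RHSA-2014:0376; the rpm --queryformat and /proc layout are the stock ones; the maps lines in SAMPLE_MAPS are constructed for the offline demonstration.

```python
#!/usr/bin/env python3
"""Post-swap checks after replacing IUS openssl10 with the native EL6 openssl.

1. classify_openssl(): is an installed openssl/openssl10 NVR a Heartbleed build?
2. stale_libcrypto_pids(): which running processes still map the old, now
   deleted libcrypto and therefore need a restart.
"""
import os
import re
import subprocess

# CVE-2014-0160 affects upstream OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it.
# EL6 stays on 1.0.1e and backports the fix. The fixed build below
# (openssl-1.0.1e-16.el6_5.7, RHSA-2014:0376) is an assumption taken from the
# Red Hat advisory, not from the thread; adjust it for other distributions.
FIXED_EL6_BUILD = (16, 5, 7)            # "16.el6_5.7" -> (16, 5, 7)
EL6_RELEASE = re.compile(r"^(\d+)\.el6(?:_(\d+)(?:\.(\d+))?)?$")

# A maps line whose backing file is a libcrypto that was unlinked by rpm.
DELETED_LIBCRYPTO = re.compile(r"\S*/libcrypto\.so\S*\s+\(deleted\)\s*$")

# Constructed /proc/<pid>/maps excerpts (not real hosts): 1234 still maps the
# removed libcrypto, 5678 loaded the new one, 9012 has only a deleted libz.
SAMPLE_MAPS = {
    1234: "7f3a1c000000-7f3a1c1b8000 r-xp 00000000 fd:01 393421 /usr/lib64/libcrypto.so.1.0.1e (deleted)\n"
          "7f3a1c1b8000-7f3a1c3b7000 ---p 001b8000 fd:01 393421 /usr/lib64/libcrypto.so.1.0.1e (deleted)\n",
    5678: "7f11e0000000-7f11e01b8000 r-xp 00000000 fd:01 401122 /usr/lib64/libcrypto.so.1.0.1e\n",
    9012: "7f22f0000000-7f22f0100000 r-xp 00000000 fd:01 012345 /usr/lib64/libz.so.1.2.3 (deleted)\n",
}


def classify_openssl(name, version, release):
    """Return 'vulnerable', 'fixed', 'not-affected' or 'unknown' for one rpm NVR."""
    if name == "openssl10":
        # IUS archive build (1.0.1e-2.ius.el6): EOL'd and never patched.
        return "vulnerable"
    if not version.startswith("1.0.1"):
        # 1.0.0 (EL 6.0-6.4) and 0.9.8 never had the TLS heartbeat code.
        return "not-affected"
    letter = version[len("1.0.1"):]
    if letter and letter >= "g":
        return "fixed"                    # upstream-style 1.0.1g or later
    m = EL6_RELEASE.match(release)
    if m is None:
        return "unknown"                  # not an EL6 build; do not guess
    build = tuple(int(g or 0) for g in m.groups())
    return "fixed" if build >= FIXED_EL6_BUILD else "vulnerable"


def installed_openssl_packages():
    """[(name, version, release)] for openssl and openssl10, via rpm -q.
    Returns [] on hosts without rpm so the script degrades cleanly."""
    cmd = ["rpm", "-q", "--queryformat", "%{NAME} %{VERSION} %{RELEASE}\n",
           "openssl", "openssl10"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return []
    pkgs = []
    for line in out.splitlines():
        parts = line.split()
        # "package openssl10 is not installed" has five fields and is skipped.
        if len(parts) == 3 and parts[0] in ("openssl", "openssl10"):
            pkgs.append(tuple(parts))
    return pkgs


def stale_libcrypto_pids(maps_by_pid):
    """maps_by_pid: {pid: contents of /proc/<pid>/maps}. Sorted pids that still
    map a deleted libcrypto, i.e. processes running the pre-swap library."""
    return sorted(pid for pid, text in maps_by_pid.items()
                  if any(DELETED_LIBCRYPTO.search(line) for line in text.splitlines()))


def read_all_proc_maps():
    """Collect /proc/<pid>/maps for every readable process (run as root)."""
    maps = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open("/proc/%s/maps" % entry) as fh:
                maps[int(entry)] = fh.read()
        except OSError:
            continue                      # process exited or not readable
    return maps


if __name__ == "__main__":
    for nvr in installed_openssl_packages():
        print("%s-%s-%s: %s" % (nvr + (classify_openssl(*nvr),)))
    try:
        stale = stale_libcrypto_pids(read_all_proc_maps())
    except OSError:
        stale = []
    if stale:
        print("restart these PIDs; they still map the removed libcrypto:", stale)
```

Run it as root right after the yum shell step. Any PID it lists is a service (typically httpd or php-fpm in this setup) that must be restarted, or the host rebooted, before the swap actually closes the hole. As an independent cross-check of the package itself, `rpm -q --changelog openssl | grep CVE-2014-0160` should show the fix entry on a patched native build.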
Carl George (carl.george) said (#3):

I created a test CentOS server, enabled IUS, and installed php54 without issue. It did not attempt to pull in openssl10, as it was satisfied with the existing install of openssl.

When reviewing your output, I noticed a few odd things.

* repo names

It appears you have repos named 'centos6-ius-x86'. The official ius-release package creates a repo named 'ius', as well as disabled '-testing', '-dev', and '-archive'. Did you just rename the repo, or are they custom?

* CentOS version

What version of CentOS are you running? I see repos for centos6-* and centos63-*. The public IUS repository only builds packages for the base channel, which is currently at CentOS 6.5.

April Elsasser (arelsasser) said (#4):

I'll spin up a CentOS 6.5 version, install PHP54 and test it out. As for the 'centos6-ius-x86' repo, it's set up as a channel on our internal Spacewalk repository and pulls from the IUS mirror. Thanks for your help.

bharper (bharper) said (#5):

Hello April,

I noticed that your centos6-ius-x86 Spacewalk channel is out of date. The current version of php54 is 5.4.27, while you were attempting to install 5.4.26. If you need rsync access to keep your spacewalk channel up to date, please see the following:

https://iuscommunity.org/pages/SettingUpAnOfficialIUSMirror.html

-Ben

April Elsasser (arelsasser) said (#6):

Hello Ben,

Our centos6-ius-x86 channel syncs on a weekly basis. Last sync was on April 21st so at that time it was up-to-date. PHP54 v 27 wasn't available at that time -- it was available as of April 22, 2014.

Thanks,

April

bharper (bharper) said (#7):

Hey April,

Thanks for the clarification. Seeing that our openssl10 package has been EOL'd, I would recommend removing it from within your centos6-ius-x86 channel.

-Ben