Author Topic: Update for openSSL is important!  (Read 16923 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Update for openSSL is important!
« on: August 31, 2016, 09:06:00 AM »
Dear CWP Development Team,

I ran an test for all services and found that there is an dangerous version of openSSL active on the server.
mod_ssl (part of openSSL) runs on version 2.2.31 and this version is already hacked an vulnerable for exploits, which means, reversed shells for everyone!

Code: [Select]
mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_antiloris/0.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
Please update this service!

Kind regards,
Laurens van Strijland


Offline
*
Re: Update for openSSL is important!
« Reply #1 on: October 27, 2016, 07:42:05 PM »
Just to update - I have manually compiled and updated OpenSSL on a CentOS 6.8 - using the following steps (ofcourse you need root priviledges on the server) -

1. Download LTS version of OpenSSL:

# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
# tar -zxf openssl-1.0.2j.tar.gz

2. Manually compile & upgrade / install OpenSSL:

# cd openssl-1.0.2j
# ./config
# make
# make test
# make install

4. Copy OpenSSL files:

# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

5. Verify installed version of OpenSSL

# openssl version
« Last Edit: October 27, 2016, 07:58:17 PM by intellitech »

Offline
*
Re: Update for openSSL is important!
« Reply #2 on: November 25, 2016, 07:15:11 PM »
Thanks for posting the steps.  One question:

Even the compile and installation seems work, how come my server info still show 1.0.1e even after apache recompile?  Anything I need to make Apache using the new 1.0.2j? Thanks!

Server type: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips

Offline
*****
Re: Update for openSSL is important!
« Reply #3 on: November 26, 2016, 03:12:34 PM »
you need to remove the current installation and try to install with the steps above.

Offline
*
Re: Update for openSSL is important!
« Reply #4 on: December 12, 2016, 05:05:51 AM »
Just to update - I have manually compiled and updated OpenSSL on a CentOS 6.8 - using the following steps (ofcourse you need root priviledges on the server) -

1. Download LTS version of OpenSSL:

# cd /usr/src
# wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
# tar -zxf openssl-1.0.2j.tar.gz

2. Manually compile & upgrade / install OpenSSL:

# cd openssl-1.0.2j
# ./config
# make
# make test
# make install

4. Copy OpenSSL files:

# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

5. Verify installed version of OpenSSL

# openssl version

dont work for me...

Offline
*
Re: Update for openSSL is important!
« Reply #5 on: April 05, 2017, 09:45:11 AM »
I'm experiencing the same issue, I've installed the latest OpenSSL and he terminal is reporting the correct version:

Code: [Select]
# openssl version
OpenSSL 1.0.2k  26 Jan 2017

but Apache is reporting the old version:

Code: [Select]
Server:Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.1e-fips
is there a workaround for this?

Offline
***
Re: Update for openSSL is important!
« Reply #6 on: December 01, 2017, 01:57:02 AM »
CWP is running a customized version of apache/mod_ssl (cwp-httpd).

Checking that version we discover:
---------------------------------------
# strings /usr/local/apache/modules/mod_ssl.so | egrep '^mod_ssl\/|^OpenSSL '
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 1.0.1e 11 Feb 2013
---------------------------------------

So, this update seems is a must update!
When we would have a updated version of CWP?

Offline
*
Re: Update for openSSL is important!
« Reply #7 on: July 31, 2018, 03:30:15 AM »
It doesn't seem to matter to anyone.

Offline
*
Re: Update for openSSL is important!
« Reply #8 on: September 02, 2024, 12:47:01 PM »
It was really hard to update openssl on CWP. I am using cwp7 on almalinux 8.

I tried everything and followed many articles available on internet related to upgrade openssl on Linux, but nothing worked for me.

Finally, this article helped me to upgrade my open SSL. https://startechies.net/blog/how-to-install-openssl/


Offline
*****
Re: Update for openSSL is important!
« Reply #9 on: September 02, 2024, 09:53:20 PM »
If you are running AlmaLinux 8, you should be at OpenSSL 1.1.1K

dnf --refresh update

should update it.

Offline
**
Re: Update for openSSL is important!
« Reply #10 on: September 03, 2024, 10:07:58 AM »
Apache must be recompiled against the updated openSSL version in order to update mod_ssl.