
OpenSSL Heartbleed Bug (< 1.0.1g) - Encryption keys at risk

Comments

103 comments

  • ThinIce
    Looks like there is a CentOS / Redhat release of a patched version
    0
  • serlex
    Any way to reset cpanel certificates via SSH? this is a problem when resetting over 1k servers :)
    0
  • semseoymas
    With WHM 11.42.0 (build 19) in my case, it seems WHM/cPanel need to be fixed... Test your server for Heartbleed (CVE-2014-0160): http://filippo.io/Heartbleed/ Just test your server using :port. I do not know what to say about apache/nginx listening at 443... updated libssl with yum, and restarted, but Apache is still vulnerable. Would compiling again fix it? Is there not a quicker solution instead of needing to recompile Apache on every machine? Thanks.
    0
  • bouvrie
    On WHM 11.42.0 (build 23) HTTPS (SSL) is vulnerable on port :443. WHM port :2087 is also vulnerable.
    0
  • jacobcolton
    Yum updates don't seem to be fixing it, just recompiling at the moment seems to resolve it.
    0
  • bouvrie
    Please be so kind to publish how to recompile.
    0
  • ThinIce
    [quote="bouvrie, post: 1615182"]Please be so kind to publish how to recompile.[/quote]
    From what I can see, with regards to cPanel itself on CentOS or RHEL: yum update to install the updated packages, then restart all affected services linked to OpenSSL or, if you aren't sure, reboot. Others have said above that Apache needs to be recompiled; in the absence of a post from cPanel, do that as normal through EasyApache after you have the new package.

    EDIT - a recompile of Apache shouldn't be necessary, but a complete restart (i.e. a full stop of all Apache processes) will be necessary; a graceful restart is not enough.

    What you do after that is just as interesting. This, according to the write-up, has been a potential for exploitation for a while, and successful exploitation would leave no log trace. As such it seems a fair bit of regenerating of keys / SSL certs and then changing any details (like passwords) they have protected may be appropriate. It seems we might have a bit of a rabbit hole job :p
    0
  • jerrybell
    The issue is that CentOS, at least with the repos that cPanel uses, does not yet contain the updated library. Yum update finds nothing to update. This bug is turning out to be quite bad. There are demonstrations where usernames and plaintext passwords are being pulled off of web servers. Once updated, it might be a good idea to reset passwords in addition to certs. Hopefully updated libraries will be pushed out for CentOS soon.

    - - - Updated - - -

    As it turns out, an OpenSSL update was automatically applied last night. It looks like the 1.0.1e lib was just recompiled (probably with heartbeat disabled). I was thrown off because the vulnerable version number was appearing; however, looking at the files for OpenSSL clearly shows it was updated. When I restarted Apache, it was no longer vulnerable.
    0
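The two things the posts above are actually checking by hand, written up as an added example (my code, not from the thread or from cPanel): on RHEL/CentOS 6 the fixed openssl RPM keeps the 1.0.1e version string, so `openssl version` proves nothing and the RPM changelog is what to read; and a process that loaded the old library before `yum update` keeps the old file mapped until it is fully stopped and started, which shows up in /proc/<pid>/maps as a libssl mapping marked "(deleted)". The changelog text, PIDs and maps lines below are constructed samples so the checks run offline; the `live_*` helpers collect the same data on a real host.

```python
"""Added example, not code from the cPanel thread: two post-update checks for
Heartbleed on a RHEL/CentOS 6 host. Sample data is constructed, not captured."""
import re
import subprocess
from pathlib import Path
from typing import Iterable, Iterator, List, Tuple

CVE = "CVE-2014-0160"
# A library path followed by "(deleted)" means the file on disk was replaced
# after the process mapped it, i.e. the process still runs the pre-update code.
STALE_LIBSSL = re.compile(r"/libssl\.so\S*\s+\(deleted\)$")


def changelog_has_fix(changelog: str, cve: str = CVE) -> bool:
    """True if any line of `rpm -q --changelog openssl` output names the CVE."""
    return any(cve in line for line in changelog.splitlines())


def stale_libssl_pids(maps: Iterable[Tuple[int, str]]) -> List[int]:
    """Given (pid, line-from-/proc/pid/maps) pairs, return the PIDs that still
    have a deleted libssl mapped and therefore need a full restart (or reboot)."""
    return sorted({pid for pid, line in maps if STALE_LIBSSL.search(line)})


def live_changelog() -> str:
    """Run rpm on the real host (needs the rpm binary, not root)."""
    return subprocess.run(["rpm", "-q", "--changelog", "openssl"],
                          capture_output=True, text=True, check=True).stdout


def live_maps() -> Iterator[Tuple[int, str]]:
    """Walk /proc on the real host; reading other users' maps needs root."""
    for maps_file in Path("/proc").glob("[0-9]*/maps"):
        try:
            text = maps_file.read_text()
        except OSError:          # process exited, or permission denied
            continue
        pid = int(maps_file.parent.name)
        for line in text.splitlines():
            yield pid, line


# Constructed sample data (not captured from a real host) so the checks run offline.
SAMPLE_CHANGELOG_PATCHED = """\
* Mon Apr 07 2014 Tomas Mraz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

* Tue Jan 07 2014 Tomas Mraz 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash
"""
# The same changelog without the April entry, as an un-updated host would show it.
SAMPLE_CHANGELOG_OLD = "\n".join(SAMPLE_CHANGELOG_PATCHED.splitlines()[3:])

SAMPLE_MAPS = [
    # pid 1234 (say, httpd) was started before the update and only reloaded gracefully
    (1234, "7f3a1c000000-7f3a1c040000 r-xp 00000000 08:01 131  /usr/lib64/libssl.so.1.0.1e (deleted)"),
    (1234, "7f3a1c240000-7f3a1c260000 r--p 00040000 08:01 131  /usr/lib64/libssl.so.1.0.1e (deleted)"),
    # pid 5678 was fully restarted after the update and maps the new file
    (5678, "7f00aa000000-7f00aa040000 r-xp 00000000 08:01 140  /usr/lib64/libssl.so.1.0.1e"),
    (5678, "7f00aa500000-7f00aa520000 r-xp 00000000 08:01 150  /usr/lib64/libcrypto.so.1.0.1e"),
]


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("patched sample carries fix:", changelog_has_fix(SAMPLE_CHANGELOG_PATCHED))
    print("old sample carries fix:", changelog_has_fix(SAMPLE_CHANGELOG_OLD))
    print("PIDs still running the old libssl:", stale_libssl_pids(SAMPLE_MAPS))
    # On a real host, swap in the live collectors:
    #   changelog_has_fix(live_changelog()); stale_libssl_pids(live_maps())
```

The maps check is why a graceful Apache restart is not enough: the parent keeps the old mapping and hands it to new children. A non-empty PID list means stop and start those services, or reboot.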
  • Infopro
    WHM » Software » Update System Software

    checkyum version 21.1
    Loaded plugins: fastestmirror, rhnplugin, security
    Loading mirror speeds from cached hostfile
     * cloudlinux-x86_64-server-6: xmlrpc.cln.cloudlinux.com
    Setting up Update Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package krb5-devel.x86_64 0:1.10.3-10.el6_4.6 will be updated
    ---> Package krb5-devel.x86_64 0:1.10.3-15.el6_5.1 will be an update
    ---> Package krb5-libs.x86_64 0:1.10.3-10.el6_4.6 will be updated
    ---> Package krb5-libs.x86_64 0:1.10.3-15.el6_5.1 will be an update
    ---> Package openssl.x86_64 0:1.0.1e-16.el6_5.4 will be updated
    ---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
    ---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.4 will be updated
    ---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.7 will be an update
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package         Arch     Version             Repository                   Size
    ================================================================================
    Updating:
     krb5-devel      x86_64   1.10.3-15.el6_5.1   cloudlinux-x86_64-server-6  494 k
     krb5-libs       x86_64   1.10.3-15.el6_5.1   cloudlinux-x86_64-server-6  760 k
     openssl         x86_64   1.0.1e-16.el6_5.7   cloudlinux-x86_64-server-6  1.5 M
     openssl-devel   x86_64   1.0.1e-16.el6_5.7   cloudlinux-x86_64-server-6  1.2 M

    Transaction Summary
    ================================================================================
    Upgrade       4 Package(s)

    Total download size: 3.9 M
    Downloading Packages:
    --------------------------------------------------------------------------------
    Total                                           1.8 MB/s | 3.9 MB     00:02
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Updating   : krb5-libs-1.10.3-15.el6_5.1.x86_64          1/8
      Updating   : openssl-1.0.1e-16.el6_5.7.x86_64            2/8
      Updating   : krb5-devel-1.10.3-15.el6_5.1.x86_64         3/8
      Updating   : openssl-devel-1.0.1e-16.el6_5.7.x86_64      4/8
      Cleanup    : openssl-devel-1.0.1e-16.el6_5.4.x86_64      5/8
      Cleanup    : krb5-devel-1.10.3-10.el6_4.6.x86_64         6/8
      Cleanup    : openssl-1.0.1e-16.el6_5.4.x86_64            7/8
      Cleanup    : krb5-libs-1.10.3-10.el6_4.6.x86_64          8/8
      Verifying  : openssl-devel-1.0.1e-16.el6_5.7.x86_64      1/8
      Verifying  : krb5-libs-1.10.3-15.el6_5.1.x86_64          2/8
      Verifying  : openssl-1.0.1e-16.el6_5.7.x86_64            3/8
      Verifying  : krb5-devel-1.10.3-15.el6_5.1.x86_64         4/8
      Verifying  : openssl-1.0.1e-16.el6_5.4.x86_64            5/8
      Verifying  : openssl-devel-1.0.1e-16.el6_5.4.x86_64      6/8
      Verifying  : krb5-libs-1.10.3-10.el6_4.6.x86_64          7/8
      Verifying  : krb5-devel-1.10.3-10.el6_4.6.x86_64         8/8

    Updated:
      krb5-devel.x86_64 0:1.10.3-15.el6_5.1     krb5-libs.x86_64 0:1.10.3-15.el6_5.1
      openssl.x86_64 0:1.0.1e-16.el6_5.7        openssl-devel.x86_64 0:1.0.1e-16.el6_5.7

    Complete!
    checkyum version 21.1
    0
  • bouvrie
    How about your WHM SSL port ( 2087 ) - that one is still vulnerable, the tester reports...
    0
  • jerrybell
    I had to restart cpanel, but once I did, all the cpanel ports show not vulnerable.
    0
  • Guile
    WHM » Software » Update System Software only showed the following:
    [QUOTE]checkyum version 21.1
    Loaded plugins: fastestmirror, security
    Loading mirror speeds from cached hostfile
     * base: mirrors.advancedhosters.com
     * extras: mirror.cogentco.com
     * rpmforge: mirror.teklinks.com
     * updates: bay.uchicago.edu
    Setting up Update Process
    No Packages marked for Update
    checkyum version 21.1[/QUOTE]
    0
  • mahinder
    Yes, After rebooting the server, services are not shown as vulnerable. Restart the service or just reboot the server.
    0
  • Jorel
    [quote="Infopro, post: 1615352"]WHM » Software » Update System Software[/quote]
    checkyum version 21.1 Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: centos.mirrors.atwab.net * extras: less.cogeco.net * updates: www.cubiculestudio.com Setting up Update Process Resolving Dependencies --> Running transaction check ---> Package atk.x86_64 0:1.28.0-2.el6 will be updated ---> Package atk.x86_64 0:1.30.0-1.el6 will be an update ---> Package bash.x86_64 0:4.1.2-14.el6 will be updated ---> Package bash.x86_64 0:4.1.2-15.el6_4 will be an update ---> Package bind.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be updated ---> Package bind.x86_64 32:9.8.2-0.23.rc1.el6_5.1 will be an update ---> Package bind-devel.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be updated ---> Package bind-devel.x86_64 32:9.8.2-0.23.rc1.el6_5.1 will be an update ---> Package bind-libs.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be updated ---> Package bind-libs.x86_64 32:9.8.2-0.23.rc1.el6_5.1 will be an update ---> Package bind-utils.x86_64 32:9.8.2-0.17.rc1.el6_4.4 will be updated ---> Package bind-utils.x86_64 32:9.8.2-0.23.rc1.el6_5.1 will be an update ---> Package ca-certificates.noarch 0:2010.63-3.el6_1.5 will be updated ---> Package ca-certificates.noarch 0:2013.1.95-65.1.el6_5 will be an update --> Processing Dependency: p11-kit-trust >= 0.18.4-2 for package: ca-certificates-2013.1.95-65.1.el6_5.noarch --> Processing Dependency: p11-kit >= 0.18.4-2 for package: ca-certificates-2013.1.95-65.1.el6_5.noarch ---> Package centos-release.x86_64 0:6-4.el6.centos.10 will be updated ---> Package centos-release.x86_64 0:6-5.el6.centos.11.2 will be an update ---> Package chkconfig.x86_64 0:1.3.49.3-2.el6 will be updated ---> Package chkconfig.x86_64 0:1.3.49.3-2.el6_4.1 will be an update ---> Package coreutils.x86_64 0:8.4-31.el6 will be updated ---> Package coreutils.x86_64 0:8.4-31.el6_5.1 will be an update ---> Package coreutils-libs.x86_64 0:8.4-31.el6 will be updated ---> Package coreutils-libs.x86_64 0:8.4-31.el6_5.1 will be an update ---> Package 
cronie.x86_64 0:1.4.4-7.el6 will be updated ---> Package cronie.x86_64 0:1.4.4-12.el6 will be an update ---> Package cronie-anacron.x86_64 0:1.4.4-7.el6 will be updated ---> Package cronie-anacron.x86_64 0:1.4.4-12.el6 will be an update ---> Package cups-libs.x86_64 1:1.4.2-50.el6_4.4 will be updated ---> Package cups-libs.x86_64 1:1.4.2-50.el6_4.5 will be an update ---> Package curl.x86_64 0:7.19.7-35.el6 will be updated ---> Package curl.x86_64 0:7.19.7-37.el6_4 will be an update ---> Package cvs.x86_64 0:1.11.23-15.el6 will be updated ---> Package cvs.x86_64 0:1.11.23-16.el6 will be an update ---> Package db4.x86_64 0:4.7.25-17.el6 will be updated ---> Package db4.x86_64 0:4.7.25-18.el6_4 will be an update ---> Package db4-cxx.x86_64 0:4.7.25-17.el6 will be updated ---> Package db4-cxx.x86_64 0:4.7.25-18.el6_4 will be an update ---> Package db4-devel.x86_64 0:4.7.25-17.el6 will be updated ---> Package db4-devel.x86_64 0:4.7.25-18.el6_4 will be an update ---> Package db4-utils.x86_64 0:4.7.25-17.el6 will be updated ---> Package db4-utils.x86_64 0:4.7.25-18.el6_4 will be an update ---> Package device-mapper.x86_64 0:1.02.77-9.el6 will be updated ---> Package device-mapper.x86_64 0:1.02.79-8.el6 will be an update ---> Package device-mapper-event.x86_64 0:1.02.77-9.el6 will be updated ---> Package device-mapper-event.x86_64 0:1.02.79-8.el6 will be an update ---> Package device-mapper-event-libs.x86_64 0:1.02.77-9.el6 will be updated ---> Package device-mapper-event-libs.x86_64 0:1.02.79-8.el6 will be an update ---> Package device-mapper-libs.x86_64 0:1.02.77-9.el6 will be updated ---> Package device-mapper-libs.x86_64 0:1.02.79-8.el6 will be an update ---> Package device-mapper-persistent-data.x86_64 0:0.1.4-1.el6 will be updated ---> Package device-mapper-persistent-data.x86_64 0:0.2.8-2.el6 will be an update ---> Package dhclient.x86_64 12:4.1.1-34.P1.el6.centos will be updated ---> Package dhclient.x86_64 12:4.1.1-38.P1.el6.centos will be an update ---> Package 
dhcp-common.x86_64 12:4.1.1-34.P1.el6.centos will be updated ---> Package dhcp-common.x86_64 12:4.1.1-38.P1.el6.centos will be an update ---> Package dmidecode.x86_64 1:2.11-2.el6 will be updated ---> Package dmidecode.x86_64 1:2.12-5.el6_5 will be an update ---> Package efibootmgr.x86_64 0:0.5.4-10.el6 will be updated ---> Package efibootmgr.x86_64 0:0.5.4-11.el6 will be an update ---> Package ethtool.x86_64 2:3.5-1.el6 will be updated ---> Package ethtool.x86_64 2:3.5-1.2.el6_5 will be an update ---> Package expect.x86_64 0:5.44.1.15-4.el6 will be updated ---> Package expect.x86_64 0:5.44.1.15-5.el6_4 will be an update ---> Package ftp.x86_64 0:0.17-53.el6 will be updated ---> Package ftp.x86_64 0:0.17-54.el6 will be an update ---> Package ghostscript.x86_64 0:8.70-15.el6_4.1 will be updated ---> Package ghostscript.x86_64 0:8.70-19.el6 will be an update ---> Package glib2.x86_64 0:2.22.5-7.el6 will be updated ---> Package glib2.x86_64 0:2.26.1-7.el6_5 will be an update --> Processing Dependency: shared-mime-info for package: glib2-2.26.1-7.el6_5.x86_64 ---> Package gnupg2.x86_64 0:2.0.14-4.el6 will be updated ---> Package gnupg2.x86_64 0:2.0.14-6.el6_4 will be an update ---> Package gnutls.x86_64 0:2.8.5-10.el6_4.1 will be updated ---> Package gnutls.x86_64 0:2.8.5-13.el6_5 will be an update ---> Package grep.x86_64 0:2.6.3-3.el6 will be updated ---> Package grep.x86_64 0:2.6.3-4.el6_5.1 will be an update ---> Package grub.x86_64 1:0.97-81.el6 will be updated ---> Package grub.x86_64 1:0.97-83.el6 will be an update ---> Package grubby.x86_64 0:7.0.15-3.el6 will be updated ---> Package grubby.x86_64 0:7.0.15-5.el6 will be an update ---> Package gtk2.x86_64 0:2.18.9-12.el6 will be updated ---> Package gtk2.x86_64 0:2.20.1-4.el6 will be an update ---> Package gzip.x86_64 0:1.3.12-18.el6 will be updated ---> Package gzip.x86_64 0:1.3.12-19.el6_4 will be an update ---> Package hwdata.noarch 0:0.233-7.9.el6 will be updated ---> Package hwdata.noarch 0:0.233-9.1.el6 
will be an update ---> Package initscripts.x86_64 0:9.03.38-1.el6.centos.1 will be updated ---> Package initscripts.x86_64 0:9.03.40-2.el6.centos.1 will be an update ---> Package iproute.x86_64 0:2.6.32-23.el6 will be updated ---> Package iproute.x86_64 0:2.6.32-31.el6 will be an update ---> Package iptables.x86_64 0:1.4.7-9.el6 will be updated ---> Package iptables.x86_64 0:1.4.7-11.el6 will be an update ---> Package iptables-ipv6.x86_64 0:1.4.7-9.el6 will be updated ---> Package iptables-ipv6.x86_64 0:1.4.7-11.el6 will be an update ---> Package iputils.x86_64 0:20071127-16.el6 will be updated ---> Package iputils.x86_64 0:20071127-17.el6_4.2 will be an update ---> Package irqbalance.x86_64 2:1.0.4-3.el6 will be updated ---> Package irqbalance.x86_64 2:1.0.4-8.el6_5 will be an update --> Processing Dependency: kernel >= 2.6.32-358.2.1 for package: 2:irqbalance-1.0.4-8.el6_5.x86_64 ---> Package iw.x86_64 0:0.9.17-4.el6 will be updated ---> Package iw.x86_64 0:3.10-1.1.el6 will be an update ---> Package kernel-headers.x86_64 0:2.6.32-358.2.1.el6 will be updated ---> Package kernel-headers.x86_64 0:2.6.32-431.11.2.el6 will be an update ---> Package krb5-devel.x86_64 0:1.10.3-10.el6_4.6 will be updated ---> Package krb5-devel.x86_64 0:1.10.3-15.el6_5.1 will be an update ---> Package krb5-libs.x86_64 0:1.10.3-10.el6_4.6 will be updated ---> Package krb5-libs.x86_64 0:1.10.3-15.el6_5.1 will be an update ---> Package libXcursor.x86_64 0:1.1.13-2.el6 will be updated ---> Package libXcursor.x86_64 0:1.1.13-6.20130524git8f677eaea.el6 will be an update ---> Package libXfont.x86_64 0:1.4.5-2.el6 will be updated ---> Package libXfont.x86_64 0:1.4.5-3.el6_5 will be an update ---> Package libblkid.x86_64 0:2.17.2-12.9.el6 will be updated ---> Package libblkid.x86_64 0:2.17.2-12.14.el6 will be an update ---> Package libcgroup.x86_64 0:0.37-7.1.el6 will be updated ---> Package libcgroup.x86_64 0:0.40.rc1-5.el6_5.1 will be an update ---> Package libcurl.x86_64 0:7.19.7-35.el6 will 
be updated ---> Package libcurl.x86_64 0:7.19.7-37.el6_4 will be an update ---> Package libgcj.x86_64 0:4.4.7-3.el6 will be updated ---> Package libgcj.x86_64 0:4.4.7-4.el6 will be an update ---> Package libgcrypt.x86_64 0:1.4.5-9.el6_2.2 will be updated ---> Package libgcrypt.x86_64 0:1.4.5-11.el6_4 will be an update ---> Package libnl.x86_64 0:1.1-14.el6 will be updated ---> Package libnl.x86_64 0:1.1.4-2.el6 will be an update ---> Package libpcap.x86_64 14:1.0.0-6.20091201git117cb5.el6 will be updated ---> Package libpcap.x86_64 14:1.4.0-1.20130826git2dbcaa1.el6 will be an update ---> Package libselinux.x86_64 0:2.0.94-5.3.el6 will be updated ---> Package libselinux.x86_64 0:2.0.94-5.3.el6_4.1 will be an update ---> Package libselinux-devel.x86_64 0:2.0.94-5.3.el6 will be updated ---> Package libselinux-devel.x86_64 0:2.0.94-5.3.el6_4.1 will be an update ---> Package libselinux-utils.x86_64 0:2.0.94-5.3.el6 will be updated ---> Package libselinux-utils.x86_64 0:2.0.94-5.3.el6_4.1 will be an update ---> Package libtiff.x86_64 0:3.9.4-9.el6_3 will be updated ---> Package libtiff.x86_64 0:3.9.4-10.el6_5 will be an update ---> Package libtiff-devel.x86_64 0:3.9.4-9.el6_3 will be updated ---> Package libtiff-devel.x86_64 0:3.9.4-10.el6_5 will be an update ---> Package libudev.x86_64 0:147-2.46.el6 will be updated ---> Package libudev.x86_64 0:147-2.51.el6 will be an update ---> Package libuuid.x86_64 0:2.17.2-12.9.el6 will be updated ---> Package libuuid.x86_64 0:2.17.2-12.14.el6 will be an update ---> Package libxml2.x86_64 0:2.7.6-12.el6_4.1 will be updated ---> Package libxml2.x86_64 0:2.7.6-14.el6 will be an update ---> Package libxml2-devel.x86_64 0:2.7.6-12.el6_4.1 will be updated ---> Package libxml2-devel.x86_64 0:2.7.6-14.el6 will be an update ---> Package logrotate.x86_64 0:3.7.8-16.el6 will be updated ---> Package logrotate.x86_64 0:3.7.8-17.el6 will be an update ---> Package lvm2.x86_64 0:2.02.98-9.el6 will be updated ---> Package lvm2.x86_64 
0:2.02.100-8.el6 will be an update ---> Package lvm2-libs.x86_64 0:2.02.98-9.el6 will be updated ---> Package lvm2-libs.x86_64 0:2.02.100-8.el6 will be an update ---> Package mailx.x86_64 0:12.4-6.el6 will be updated ---> Package mailx.x86_64 0:12.4-7.el6 will be an update ---> Package man-pages-overrides.noarch 0:6.4.1-1.el6 will be updated ---> Package man-pages-overrides.noarch 0:6.5.3-1.el6_5 will be an update ---> Package mdadm.x86_64 0:3.2.5-4.el6 will be updated ---> Package mdadm.x86_64 0:3.2.6-7.el6 will be an update ---> Package module-init-tools.x86_64 0:3.9-21.el6 will be updated ---> Package module-init-tools.x86_64 0:3.9-21.el6_4 will be an update ---> Package net-snmp.x86_64 1:5.5-44.el6_4.4 will be updated ---> Package net-snmp.x86_64 1:5.5-49.el6_5.1 will be an update ---> Package net-snmp-devel.x86_64 1:5.5-44.el6_4.4 will be updated ---> Package net-snmp-devel.x86_64 1:5.5-49.el6_5.1 will be an update ---> Package net-snmp-libs.x86_64 1:5.5-44.el6_4.4 will be updated ---> Package net-snmp-libs.x86_64 1:5.5-49.el6_5.1 will be an update ---> Package net-snmp-utils.x86_64 1:5.5-44.el6_4.4 will be updated ---> Package net-snmp-utils.x86_64 1:5.5-49.el6_5.1 will be an update ---> Package nmap.x86_64 2:5.51-2.el6 will be updated ---> Package nmap.x86_64 2:5.51-3.el6 will be an update ---> Package nspr.x86_64 0:4.9.2-1.el6 will be updated ---> Package nspr.x86_64 0:4.10.2-1.el6_5 will be an update ---> Package nss.x86_64 0:3.14.0.0-12.el6 will be updated ---> Package nss.x86_64 0:3.15.3-6.el6_5 will be an update ---> Package nss-softokn.x86_64 0:3.12.9-11.el6 will be updated ---> Package nss-softokn.x86_64 0:3.14.3-9.el6 will be an update ---> Package nss-softokn-freebl.i686 0:3.12.9-11.el6 will be updated ---> Package nss-softokn-freebl.x86_64 0:3.12.9-11.el6 will be updated ---> Package nss-softokn-freebl.i686 0:3.14.3-9.el6 will be an update ---> Package nss-softokn-freebl.x86_64 0:3.14.3-9.el6 will be an update ---> Package nss-sysinit.x86_64 
0:3.14.0.0-12.el6 will be updated ---> Package nss-sysinit.x86_64 0:3.15.3-6.el6_5 will be an update ---> Package nss-tools.x86_64 0:3.14.0.0-12.el6 will be updated ---> Package nss-tools.x86_64 0:3.15.3-6.el6_5 will be an update ---> Package nss-util.x86_64 0:3.14.0.0-2.el6 will be updated ---> Package nss-util.x86_64 0:3.15.3-1.el6_5 will be an update ---> Package ntpdate.x86_64 0:4.2.4p8-3.el6.centos will be updated ---> Package ntpdate.x86_64 0:4.2.6p5-1.el6.centos will be an update ---> Package ntsysv.x86_64 0:1.3.49.3-2.el6 will be updated ---> Package ntsysv.x86_64 0:1.3.49.3-2.el6_4.1 will be an update ---> Package numactl.x86_64 0:2.0.7-6.el6 will be updated ---> Package numactl.x86_64 0:2.0.7-8.el6 will be an update ---> Package openldap.x86_64 0:2.4.23-32.el6_4 will be updated ---> Package openldap.x86_64 0:2.4.23-34.el6_5.1 will be an update ---> Package openssh.x86_64 0:5.3p1-84.1.el6 will be updated ---> Package openssh.x86_64 0:5.3p1-94.el6 will be an update ---> Package openssh-clients.x86_64 0:5.3p1-84.1.el6 will be updated ---> Package openssh-clients.x86_64 0:5.3p1-94.el6 will be an update ---> Package openssh-server.x86_64 0:5.3p1-84.1.el6 will be updated ---> Package openssh-server.x86_64 0:5.3p1-94.el6 will be an update ---> Package openssl.x86_64 0:1.0.1e-16.el6_5.1 will be updated ---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update ---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.1 will be updated ---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.7 will be an update ---> Package parted.x86_64 0:2.1-19.el6 will be updated ---> Package parted.x86_64 0:2.1-21.el6 will be an update ---> Package perl.x86_64 4:5.10.1-130.el6_4 will be updated ---> Package perl.x86_64 4:5.10.1-136.el6 will be an update ---> Package perl-Archive-Extract.x86_64 1:0.38-130.el6_4 will be updated ---> Package perl-Archive-Extract.x86_64 1:0.38-136.el6 will be an update ---> Package perl-Archive-Tar.x86_64 0:1.58-130.el6_4 will be updated ---> Package 
perl-Archive-Tar.x86_64 0:1.58-136.el6 will be an update ---> Package perl-CPAN.x86_64 0:1.9402-130.el6_4 will be updated ---> Package perl-CPAN.x86_64 0:1.9402-136.el6 will be an update ---> Package perl-CPANPLUS.x86_64 0:0.88-130.el6_4 will be updated ---> Package perl-CPANPLUS.x86_64 0:0.88-136.el6 will be an update ---> Package perl-Compress-Raw-Bzip2.x86_64 0:2.020-130.el6_4 will be updated ---> Package perl-Compress-Raw-Bzip2.x86_64 0:2.021-136.el6 will be an update ---> Package perl-Compress-Raw-Zlib.x86_64 1:2.020-130.el6_4 will be updated ---> Package perl-Compress-Raw-Zlib.x86_64 1:2.021-136.el6 will be an update ---> Package perl-Compress-Zlib.x86_64 0:2.020-130.el6_4 will be updated ---> Package perl-Compress-Zlib.x86_64 0:2.021-136.el6 will be an update ---> Package perl-Digest-SHA.x86_64 1:5.47-130.el6_4 will be updated ---> Package perl-Digest-SHA.x86_64 1:5.47-136.el6 will be an update ---> Package perl-ExtUtils-CBuilder.x86_64 1:0.27-130.el6_4 will be updated ---> Package perl-ExtUtils-CBuilder.x86_64 1:0.27-136.el6 will be an update ---> Package perl-ExtUtils-Embed.x86_64 0:1.28-130.el6_4 will be updated ---> Package perl-ExtUtils-Embed.x86_64 0:1.28-136.el6 will be an update ---> Package perl-ExtUtils-MakeMaker.x86_64 0:6.55-130.el6_4 will be updated ---> Package perl-ExtUtils-MakeMaker.x86_64 0:6.55-136.el6 will be an update ---> Package perl-ExtUtils-ParseXS.x86_64 1:2.2003.0-130.el6_4 will be updated ---> Package perl-ExtUtils-ParseXS.x86_64 1:2.2003.0-136.el6 will be an update ---> Package perl-File-Fetch.x86_64 0:0.26-130.el6_4 will be updated ---> Package perl-File-Fetch.x86_64 0:0.26-136.el6 will be an update ---> Package perl-IO-Compress-Base.x86_64 0:2.020-130.el6_4 will be updated ---> Package perl-IO-Compress-Base.x86_64 0:2.021-136.el6 will be an update ---> Package perl-IO-Compress-Bzip2.x86_64 0:2.020-130.el6_4 will be updated ---> Package perl-IO-Compress-Bzip2.x86_64 0:2.021-136.el6 will be an update ---> Package 
perl-IO-Compress-Zlib.x86_64 0:2.020-130.el6_4 will be updated ---> Package perl-IO-Compress-Zlib.x86_64 0:2.021-136.el6 will be an update ---> Package perl-IO-Zlib.x86_64 1:1.09-130.el6_4 will be updated ---> Package perl-IO-Zlib.x86_64 1:1.09-136.el6 will be an update ---> Package perl-IPC-Cmd.x86_64 1:0.56-130.el6_4 will be updated ---> Package perl-IPC-Cmd.x86_64 1:0.56-136.el6 will be an update ---> Package perl-Locale-Maketext-Simple.x86_64 1:0.18-130.el6_4 will be updated ---> Package perl-Locale-Maketext-Simple.x86_64 1:0.18-136.el6 will be an update ---> Package perl-Log-Message.x86_64 1:0.02-130.el6_4 will be updated ---> Package perl-Log-Message.x86_64 1:0.02-136.el6 will be an update ---> Package perl-Log-Message-Simple.x86_64 0:0.04-130.el6_4 will be updated ---> Package perl-Log-Message-Simple.x86_64 0:0.04-136.el6 will be an update ---> Package perl-Module-Build.x86_64 1:0.3500-130.el6_4 will be updated ---> Package perl-Module-Build.x86_64 1:0.3500-136.el6 will be an update ---> Package perl-Module-CoreList.x86_64 0:2.18-130.el6_4 will be updated ---> Package perl-Module-CoreList.x86_64 0:2.18-136.el6 will be an update ---> Package perl-Module-Load.x86_64 1:0.16-130.el6_4 will be updated ---> Package perl-Module-Load.x86_64 1:0.16-136.el6 will be an update ---> Package perl-Module-Load-Conditional.x86_64 0:0.30-130.el6_4 will be updated ---> Package perl-Module-Load-Conditional.x86_64 0:0.30-136.el6 will be an update ---> Package perl-Module-Loaded.x86_64 1:0.02-130.el6_4 will be updated ---> Package perl-Module-Loaded.x86_64 1:0.02-136.el6 will be an update ---> Package perl-Module-Pluggable.x86_64 1:3.90-130.el6_4 will be updated ---> Package perl-Module-Pluggable.x86_64 1:3.90-136.el6 will be an update ---> Package perl-Object-Accessor.x86_64 1:0.34-130.el6_4 will be updated ---> Package perl-Object-Accessor.x86_64 1:0.34-136.el6 will be an update ---> Package perl-Package-Constants.x86_64 1:0.02-130.el6_4 will be updated ---> Package 
perl-Package-Constants.x86_64 1:0.02-136.el6 will be an update ---> Package perl-Params-Check.x86_64 1:0.26-130.el6_4 will be updated ---> Package perl-Params-Check.x86_64 1:0.26-136.el6 will be an update ---> Package perl-Parse-CPAN-Meta.x86_64 1:1.40-130.el6_4 will be updated ---> Package perl-Parse-CPAN-Meta.x86_64 1:1.40-136.el6 will be an update ---> Package perl-Pod-Escapes.x86_64 1:1.04-130.el6_4 will be updated ---> Package perl-Pod-Escapes.x86_64 1:1.04-136.el6 will be an update ---> Package perl-Pod-Simple.x86_64 1:3.13-130.el6_4 will be updated ---> Package perl-Pod-Simple.x86_64 1:3.13-136.el6 will be an update ---> Package perl-Term-UI.x86_64 0:0.20-130.el6_4 will be updated ---> Package perl-Term-UI.x86_64 0:0.20-136.el6 will be an update ---> Package perl-Test-Harness.x86_64 0:3.17-130.el6_4 will be updated ---> Package perl-Test-Harness.x86_64 0:3.17-136.el6 will be an update ---> Package perl-Test-Simple.x86_64 0:0.92-130.el6_4 will be updated ---> Package perl-Test-Simple.x86_64 0:0.92-136.el6 will be an update ---> Package perl-Time-HiRes.x86_64 4:1.9721-130.el6_4 will be updated ---> Package perl-Time-HiRes.x86_64 4:1.9721-136.el6 will be an update ---> Package perl-Time-Piece.x86_64 0:1.15-130.el6_4 will be updated ---> Package perl-Time-Piece.x86_64 0:1.15-136.el6 will be an update ---> Package perl-core.x86_64 0:5.10.1-130.el6_4 will be updated ---> Package perl-core.x86_64 0:5.10.1-136.el6 will be an update --> Processing Dependency: perl-CGI for package: perl-core-5.10.1-136.el6.x86_64 ---> Package perl-devel.x86_64 4:5.10.1-130.el6_4 will be updated ---> Package perl-devel.x86_64 4:5.10.1-136.el6 will be an update ---> Package perl-libs.x86_64 4:5.10.1-130.el6_4 will be updated ---> Package perl-libs.x86_64 4:5.10.1-136.el6 will be an update ---> Package perl-parent.x86_64 1:0.221-130.el6_4 will be updated ---> Package perl-parent.x86_64 1:0.221-136.el6 will be an update ---> Package perl-version.x86_64 3:0.77-130.el6_4 will be updated 
---> Package perl-version.x86_64 3:0.77-136.el6 will be an update ---> Package pixman.x86_64 0:0.26.2-5.el6_4 will be updated ---> Package pixman.x86_64 0:0.26.2-5.1.el6_5 will be an update ---> Package policycoreutils.x86_64 0:2.0.83-19.30.el6 will be updated ---> Package policycoreutils.x86_64 0:2.0.83-19.39.el6 will be an update ---> Package psmisc.x86_64 0:22.6-15.el6_0.1 will be updated ---> Package psmisc.x86_64 0:22.6-19.el6_5 will be an update ---> Package python.x86_64 0:2.6.6-36.el6 will be updated ---> Package python.x86_64 0:2.6.6-52.el6 will be an update ---> Package python-devel.x86_64 0:2.6.6-36.el6 will be updated ---> Package python-devel.x86_64 0:2.6.6-52.el6 will be an update ---> Package python-ethtool.x86_64 0:0.6-3.el6 will be updated ---> Package python-ethtool.x86_64 0:0.6-5.el6 will be an update ---> Package python-libs.x86_64 0:2.6.6-36.el6 will be updated ---> Package python-libs.x86_64 0:2.6.6-52.el6 will be an update ---> Package python-tools.x86_64 0:2.6.6-36.el6 will be updated ---> Package python-tools.x86_64 0:2.6.6-52.el6 will be an update ---> Package python-urlgrabber.noarch 0:3.9.1-8.el6 will be updated ---> Package python-urlgrabber.noarch 0:3.9.1-9.el6 will be an update ---> Package quota.x86_64 1:3.17-18.el6 will be updated ---> Package quota.x86_64 1:3.17-21.el6_5 will be an update ---> Package quota-devel.x86_64 1:3.17-18.el6 will be updated ---> Package quota-devel.x86_64 1:3.17-21.el6_5 will be an update ---> Package rpm.x86_64 0:4.8.0-32.el6 will be updated ---> Package rpm.x86_64 0:4.8.0-37.el6 will be an update ---> Package rpm-devel.x86_64 0:4.8.0-32.el6 will be updated ---> Package rpm-devel.x86_64 0:4.8.0-37.el6 will be an update ---> Package rpm-libs.x86_64 0:4.8.0-32.el6 will be updated ---> Package rpm-libs.x86_64 0:4.8.0-37.el6 will be an update ---> Package rpm-python.x86_64 0:4.8.0-32.el6 will be updated ---> Package rpm-python.x86_64 0:4.8.0-37.el6 will be an update ---> Package rsync.x86_64 0:3.0.6-9.el6 
will be updated ---> Package rsync.x86_64 0:3.0.6-9.el6_4.1 will be an update ---> Package rsyslog.x86_64 0:5.8.10-6.el6 will be updated ---> Package rsyslog.x86_64 0:5.8.10-8.el6 will be an update ---> Package selinux-policy.noarch 0:3.7.19-195.el6_4.3 will be updated ---> Package selinux-policy.noarch 0:3.7.19-231.el6_5.1 will be an update ---> Package selinux-policy-targeted.noarch 0:3.7.19-195.el6_4.3 will be updated ---> Package selinux-policy-targeted.noarch 0:3.7.19-231.el6_5.1 will be an update ---> Package setup.noarch 0:2.8.14-20.el6 will be updated ---> Package setup.noarch 0:2.8.14-20.el6_4.1 will be an update ---> Package setuptool.x86_64 0:1.19.9-3.el6 will be updated ---> Package setuptool.x86_64 0:1.19.9-4.el6 will be an update ---> Package subversion.x86_64 0:1.6.11-9.el6_4 will be updated ---> Package subversion.x86_64 0:1.6.11-10.el6_5 will be an update ---> Package sudo.x86_64 0:1.8.6p3-7.el6 will be updated ---> Package sudo.x86_64 0:1.8.6p3-12.el6 will be an update ---> Package sysstat.x86_64 0:9.0.4-20.el6 will be updated ---> Package sysstat.x86_64 0:9.0.4-22.el6 will be an update ---> Package sysvinit-tools.x86_64 0:2.87-4.dsf.el6 will be updated ---> Package sysvinit-tools.x86_64 0:2.87-5.dsf.el6 will be an update ---> Package tkinter.x86_64 0:2.6.6-36.el6 will be updated ---> Package tkinter.x86_64 0:2.6.6-52.el6 will be an update ---> Package tzdata.noarch 0:2013b-1.el6 will be updated ---> Package tzdata.noarch 0:2014b-1.el6 will be an update ---> Package udev.x86_64 0:147-2.46.el6 will be updated ---> Package udev.x86_64 0:147-2.51.el6 will be an update ---> Package upstart.x86_64 0:0.6.5-12.el6 will be updated ---> Package upstart.x86_64 0:0.6.5-13.el6_5.3 will be an update ---> Package util-linux-ng.x86_64 0:2.17.2-12.9.el6 will be updated ---> Package util-linux-ng.x86_64 0:2.17.2-12.14.el6 will be an update ---> Package wget.x86_64 0:1.12-1.8.el6 will be updated ---> Package wget.x86_64 0:1.12-1.11.el6_5 will be an update ---> 
Package yum.noarch 0:3.2.29-40.el6.centos will be updated ---> Package yum.noarch 0:3.2.29-43.el6.centos will be an update ---> Package yum-plugin-fastestmirror.noarch 0:1.1.30-14.el6 will be updated ---> Package yum-plugin-fastestmirror.noarch 0:1.1.30-17.el6_5 will be an update ---> Package yum-utils.noarch 0:1.1.30-14.el6 will be updated ---> Package yum-utils.noarch 0:1.1.30-17.el6_5 will be an update --> Running transaction check ---> Package irqbalance.x86_64 2:1.0.4-8.el6_5 will be an update --> Processing Dependency: kernel >= 2.6.32-358.2.1 for package: 2:irqbalance-1.0.4-8.el6_5.x86_64 ---> Package p11-kit.x86_64 0:0.18.5-2.el6_5.2 will be installed ---> Package p11-kit-trust.x86_64 0:0.18.5-2.el6_5.2 will be installed ---> Package perl-CGI.x86_64 0:3.51-136.el6 will be installed ---> Package shared-mime-info.x86_64 0:0.70-4.el6 will be installed --> Finished Dependency Resolution Error: Package: 2:irqbalance-1.0.4-8.el6_5.x86_64 (updates) Requires: kernel >= 2.6.32-358.2.1 You could try using --skip-broken to work around the problem You could try running: rpm -Va --nofiles --nodigest checkyum version 21.1
    It looks like this is because I use OVH and they use an annoying custom kernel. Any ideas?
    0
  • mctDarren
    [quote="bouvrie, post: 1615182"]Please be so kind to publish how to recompile.[/quote]
    From shell: yum update
    to make sure you have the updated openssl packages, then: /scripts/easyapache
    But if you are unsure about running such a major update to your server you should contact cPanel or an administration company to do it for you.
    0
  • egohost
    Currently cPanel on standard RELEASE level is distributed with OpenSSL 1.0.1e-fips 11 Feb 2013. There are no further updates as far as I can see when using the update options. I hope that very soon cPanel will update RELEASE with 1.0.1G or greater, or at least redist with the compile option -DOPENSSL_NO_HEARTBEATS.
    - - - Updated - - -
    There is a full document here: http://heartbleed.com/
    0
  • cPanelMichael
    cPanel Security Team: Heartbleed Vulnerability
    Heartbleed is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f. This vulnerability allows an attacker to read 64 kilobyte chunks of memory from servers and clients that connect using SSL through a flaw in OpenSSL's implementation of the heartbeat extension.
    What does this mean for cPanel servers?
    cPanel & WHM does not provide any copies of the OpenSSL library. The daemons and applications shipped with cPanel & WHM link to the version of OpenSSL provided by the core operating system. RedHat 6, CentOS 6, and CloudLinux 6 provided vulnerable versions of OpenSSL 1.0.1. All three distros have published patched versions of their OpenSSL 1.0.1 RPMs to their mirrors. To update any affected servers, run "yum update" to install the patched version of OpenSSL and restart all SSL-enabled services or reboot the system. You can ensure you are updated by running the following command:
    # rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
    * Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
    - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
    You should see the information noting the fix to CVE-2014-0160. RHEL/CentOS 5 servers, which are using the OpenSSL 0.9.8 RPM included in the official OS repositories, are not vulnerable to the Heartbleed issue since they are using an older version of OpenSSL that never contained this vulnerability.
    What steps do I need to take as an Admin/root of our servers running cPanel & WHM?
    Once the RPM of OpenSSL has been updated you should reset all certificates via the Manage Service SSL Certificates interface in WHM.
    Home » Service Configuration » Manage Service SSL Certificates
    You will need to click the "Reset Certificate" link for each service: FTP, Exim, cPanel/WHM/Webmail Service, and Dovecot or Courier Mail Server. You should also check the SSL certificates in the Manage SSL Hosts interface of WHM.
    Home » SSL/TLS » Manage SSL Hosts
    Many Certificate Authorities are helping their customers regenerate SSL certificates at no cost. This may vary and your Certificate Authority should be contacted prior to any actions to ensure the proper procedures are followed.
    Do we need to reset our passwords and regenerate our private and public keys on the server?
    Due to the nature of the vulnerability it is impossible to know what other information, including private keys, passwords, and session IDs, has been compromised. The attack occurs before a full connection to your server has been made, leaving no indications in any logs that an attack has occurred. It is recommended that you regenerate all SSH keys and reset all passwords across the server.
    0
  • panayot
    I guess we should change root password if we logged in WHM:2087 before updating OpenSSL?
    0
  • cPanelDon
    [quote="Jorel, post: 1615532"]...
    --> Finished Dependency Resolution
    Error: Package: 2:irqbalance-1.0.4-8.el6_5.x86_64 (updates)
    Requires: kernel >= 2.6.32-358.2.1
    You could try using --skip-broken to work around the problem
    You could try running: rpm -Va --nofiles --nodigest
    checkyum version 21.1
    It looks like this is because I use OVH and they use an annoying custom kernel. Any ideas?[/quote]
    Try the suggestions in the output from YUM; for example: yum upgrade --skip-broken
    0
  • quizknows
    [quote="panayot, post: 1615912"]I guess we should change root password if we logged in WHM:2087 before updating OpenSSL?[/quote]
    Probably a good idea.
    0
  • serichards
    So is OpenSSL 1.0.1e-fips 11 Feb 2013 vulnerable or not? Some say yes, others say not. I have tried the heartbleed test but it gives me an error:
    Uh-oh, something went wrong: tls: oversized record received with length 20291
    I have done yum update, the cpanel system and server software update and yum update again and it claims there are no packages available to update so this is the latest version it seems.
    0
  • quizknows
    FIPS does not mitigate this, so you're probably waiting on a patch from your OS vendor. What exact version of your OS are you running?
    0
  • panayot
    You can check exact version with: rpm -qa |grep openssl
    Answer for RHEL 6/CentOS 6 should be:
    openssl-1.0.1e-16.el6_5.7.x86_64
    openssl-devel-1.0.1e-16.el6_5.7.x86_64
    If your server is RHEL 5/CentOS 5 then OpenSSL does not have the bug and its version would be something like openssl-0.9.8e
    0
  • goodmove
    [quote="cPanelMichael, post: 1615731"]The patched OpenSSL 1.0.1 RPM has already been published to the RHEL 6 and CentOS 6 repositories, so the only steps that should be necessary to update these servers are to run "yum update" to install the updated version of OpenSSL and then either fully restart all SSL-enabled services, including sshd, or reboot the server.[/quote]
    "yum update openssl" seems to be handling it:
    Updated: openssl.x86_64 0:1.0.1e-16.el6_5.7
    Dependency Updated: openssl-devel.x86_64 0:1.0.1e-16.el6_5.7
    Do we need to do a full "yum update"?
    Norman
    0
  • serichards
    openssl-devel-1.0.1e-16.el6_5.7.x86_64
    openssl-1.0.1e-16.el6_5.7.x86_64
    Both checked a couple of hours ago and defined as the latest.
    0
  • panayot
    [quote="goodmove, post: 1616061"]Do we need to do a full "yum update"?
    Norman[/quote]
    No, that is enough. Just don't forget to restart:
    • cpanel
    • httpd
    • exim
    • dovecot
    • pure-ftpd
    • mysql
    • any other services you might have installed that use SSL (like RAID controller managers)
    0
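    The two checks the thread keeps coming back to, cPanelMichael's "confirm the RPM changelog carries the CVE-2014-0160 fix" and panayot's "fully restart every service that links libssl", as one added shell helper. This is an example written for this page, not a cPanel or Red Hat script; it assumes a RHEL/CentOS 6 host where the patched openssl RPM was installed with yum, and it uses the "(deleted)" marker the kernel shows in /proc/<pid>/maps to find daemons still holding the pre-update library (reading other users' maps needs root).

```shell
#!/bin/sh
# Added example for this thread, not cPanel's own script. Assumes RHEL/CentOS 6
# with rpm/yum; reading other users' /proc/<pid>/maps requires root.

# Exit 0 if the RPM changelog text on stdin mentions the Heartbleed fix
# (the same test as "rpm -q --changelog openssl | grep CVE-2014-0160").
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# Exit 0 if a /proc/<pid>/maps-style file still maps a libssl or libcrypto
# object that yum replaced on disk; the kernel marks such mappings "(deleted)".
maps_has_stale_ssl() {
    grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$1"
}

# Print the PID of every process still using the pre-update library: each one
# (httpd, exim, dovecot, cpsrvd, ...) needs a full stop/start, not a graceful reload.
stale_ssl_pids() {
    for m in /proc/[0-9]*/maps; do
        if maps_has_stale_ssl "$m" 2>/dev/null; then
            echo "$m" | cut -d/ -f3
        fi
    done
    return 0
}

heartbleed_check() {
    if rpm -q --changelog openssl | changelog_has_fix; then
        echo "openssl RPM includes the CVE-2014-0160 fix"
    else
        echo "openssl RPM is NOT patched: run 'yum update openssl'" >&2
        return 1
    fi
    pids=$(stale_ssl_pids)
    if [ -z "$pids" ]; then
        echo "no process maps a deleted libssl/libcrypto; restarts are done"
        return 0
    fi
    echo "processes still using the old library (restart them or reboot):"
    for p in $pids; do
        printf '  %s %s\n' "$p" "$(tr '\0' ' ' < "/proc/$p/cmdline")"
    done
    return 2
}

# Run the check only when invoked as "sh heartbleed_check.sh --check".
if [ "${1:-}" = "--check" ]; then heartbleed_check; fi
```

A non-zero exit from heartbleed_check means either the RPM is still old or some daemon was only reloaded, which is exactly the state where the fix is installed but not yet in effect.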
  • quizknows
    [quote="goodmove, post: 1616061"]"yum update openssl" seems to be handling it:
    Updated: openssl.x86_64 0:1.0.1e-16.el6_5.7
    Dependency Updated: openssl-devel.x86_64 0:1.0.1e-16.el6_5.7
    Do we need to do a full "yum update"?
    Norman[/quote]
    That should handle it for this issue, but it's usually a good idea to make sure all your other RPMs are updated too. As others have stated, be sure to restart the appropriate services (or just reboot your server).
    0
  • Archmactrix
    Does Apache need to be recompiled after applying the patch?
    0
  • Venomous21
    Just want to confirm, if we are running CentOS 5.10, we are not vulnerable and no steps need to be applied?
    root@ [/var/log]# rpm -qa |grep openssl
    openssl-0.9.8e-27.el5_10.1
    openssl-devel-0.9.8e-27.el5_10.1
    openssl-0.9.8e-27.el5_10.1
    openssl-devel-0.9.8e-27.el5_10.1
    Thank you!
    0
  • panayot
    [quote="Venomous21, post: 1616102"]Just want to confirm, if we are running CentOS 5.10, we are not vulnerable and no steps need to be applied?
    root@ [/var/log]# rpm -qa |grep openssl
    openssl-0.9.8e-27.el5_10.1
    openssl-devel-0.9.8e-27.el5_10.1
    openssl-0.9.8e-27.el5_10.1
    openssl-devel-0.9.8e-27.el5_10.1
    Thank you![/quote]
    Yes, that is correct.
    [quote]Does Apache need to be recompiled after applying the patch?[/quote]
    No, just stop/start.
    0
