# OpenSSL to announce new "high" severity vulnerabilities on Thursday (2015-03-19)



## telephone (Mar 17, 2015)

Link: [openssl-announce] Forthcoming OpenSSL releases



> Forthcoming OpenSSL releases
> 
> ============================
> 
> ...


---

*Q.* What is classified as a high severity issue?
 

*A.* "This includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS, a significant leak of server memory, and remote code execution. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control, and significantly quicker if there is a significant risk or we are aware the issue is being exploited."


----------



## wlanboy (Mar 17, 2015)

At least they are aware of it.


----------



## telephone (Mar 19, 2015)

There were two "high" severity issues announced (one was a reclassification).

Link: OpenSSL Security Advisory
 



> OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
> =====================================================
> 
> Severity: High
> ...


----------



## rds100 (Mar 19, 2015)

Debian wheezy updated packages are already out, you can update.


----------



## mojeda (Mar 19, 2015)

rds100 said:


> Debian wheezy updated packages are already out, you can update.


They don't appear to have been updated to the version they suggest.


```
~# openssl version -v
OpenSSL 1.0.1e 11 Feb 2013
```

https://packages.debian.org/wheezy/openssl

Edit:

Never mind, it does appear that 1.0.1e in wheezy has been patched.



> openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium
> 
> - Fix for CVE-2014-3571
> 
> ...


----------



## eva2000 (Mar 19, 2015)

I believe Debian, like CentOS, doesn't show the full OpenSSL version info, just the 1.0.1e part.


```
/usr/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013
```


```
apt-cache policy openssl
openssl:
  Installed: 1.0.1e-2+deb7u15
  Candidate: 1.0.1e-2+deb7u15
  Version table:
 *** 1.0.1e-2+deb7u15 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1e-2+deb7u13 0
        500 http://ftp.us.debian.org/debian/ wheezy/main amd64 Packages
```


----------



## sv01 (Mar 19, 2015)

mojeda said:


> They don't appear to have been updated to the version they suggest.
> 
> 
> ~# openssl version -v
> ...


It's fixed:

https://security-tracker.debian.org/tracker/CVE-2015-0291


```
Package: openssl
...
Version: 1.0.1e-2+deb7u15
...

OpenSSL 1.0.1e 11 Feb 2013
```


----------



## telephone (Mar 19, 2015)

mojeda said:


> They don't appear to have been updated to the version they suggest.
> 
> 
> ~# openssl version -v
> ...


Check the security page: https://security-tracker.debian.org/tracker/source-package/openssl

Here's the info on the reclassified RSA issue (fixed in Squeeze LTS and Wheezy Security): https://security-tracker.debian.org/tracker/CVE-2015-0204


----------



## centoslgd (Mar 19, 2015)

Has to be the year of vulnerabilities & exploits, & it is just March with 9 more months ahead.


----------



## centoslgd (Mar 20, 2015)

rds100 said:


> Debian wheezy updated packages are already out, you can update.





eva2000 said:


> I believe Debian, like CentOS, doesn't show the full OpenSSL version info, just the 1.0.1e part.
> 
> 
> /usr/bin/openssl version
> ...


Any package updates for CentOS out yet?


----------



## Licensecart (Mar 20, 2015)

eva2000 said:


> I believe Debian, like CentOS, doesn't show the full OpenSSL version info, just the 1.0.1e part.
> 
> 
> /usr/bin/openssl version
> ...


I use this:


```
[[email protected] ~]# rpm -qa | grep openssl
openssl-devel-1.0.1e-30.el6_6.5.x86_64
openssl-1.0.1e-30.el6_6.5.x86_64
[[email protected] ~]#
```


----------



## AnthonySmith (Mar 20, 2015)

I love the 'oh shit' tag


----------



## eva2000 (Mar 20, 2015)

centoslgd said:


> Any package updates for CentOS out yet?


Not yet.

Luckily my Centmin Mod LEMP stack's Nginx uses a statically compiled OpenSSL, so I have already updated that to 1.0.2a for front-facing web sites at least: https://community.centminmod.com/threads/openssl-1-0-2a-1-0-1m-1-0-0r-0-9-8zf-coming-soon.2504/

Now to wait on the CentOS YUM package updates.


----------



## wlanboy (Mar 21, 2015)

Don't forget to compile all those Python, Ruby and PHP bindings against the OpenSSL lib again.

One advantage of using packages instead of compiling everything on your own.


----------



## weloveservers (Mar 30, 2015)

Worrying, since more vulnerabilities are being found in 'enterprise' software, again. As if Heartbleed weren't bad enough.


----------

