openssl update

Hi

Please could I ask if it would break anything within InterWorx if we were to update OpenSSL?

Our server is running CentOS 6.3 64 bit and the only thread I could find is http://forums.interworx.com/showthread.php?t=1113&highlight=openssl

The reason why I am looking into this is because our SSL shows 2 vulnerabilities when checked using an external SSL checker, and I would prefer to close these.

This server is vulnerable to the CRIME attack (more info)
This server is vulnerable to the BEAST attack (more info)

which relates to the following:

BEAST attack: Vulnerable INSECURE (more info)
Compression: Yes INSECURE (more info)

Any help would be appreciated

Many thanks

John

I know, I know, I am a gravedigger :wink: But I am also lazy and since I couldn’t find anything more recent on the forums, I resurrected this thread. Hi John! :wink:

So, regarding manually updating OpenSSL, I know how to do it, or rather have done it in the past. What I would like to know or understand is the update process of NodeWorx. There have been so many attacks linked to OpenSSL in the past years that updating OpenSSL asap turned out to be crucial.
But updates like OpenSSL are lagging way behind (a few days ago 1.0.1e was installed via CentOS-6 - Updates; the latest release versions are 1.0.2g and 1.0.1s respectively). Or am I misinterpreting the version numbering?
I think those packages are maintained by CentOS, so it’s not InterWorx’s fault they are so out of date, am I right?

How are others handling this? Are you reading security bulletins on a daily basis and do all security related patches within hours? Or is there a repository, that “pushes” security patches and that we could use?

Cheers,

Michael

Hi Michael

I hope all’s well

That’s a good question, and for myself I leave it to OS updates unless it’s critical.

You are correct, and it is not in the power of InterWorx to update these packages.

Your numbering is correct, but I think for different versions of the distro.

1.0.1e is only receiving security updates until towards the end of December 2016.

RHEL completes the update for CentOS, I thought.

I’m sure there will be an update to 1.0.2 before expiry of security updates to 1.0.1e.

Whilst 1.0.1e may appear old, in reality it contains the fixes, or the flaws are not applicable due to certain features not being active (I hope that makes sense, sorry, as I know what I want to say, just a little tired).

It is the repository checks which push the OpenSSL updates out, and if left to OS updates, it will check every day, but you could manually update if anything critical arose.

I hope that helps, and I look forward to other views.

Many thanks

John
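Both Michael's question about the 1.0.1e version string and John's point that the distro package "contains the fixes" come down to the same check: on CentOS/RHEL the upstream version never changes, fixes are backported, so the package changelog (`rpm -q --changelog openssl`) rather than the version number tells you whether a given CVE is addressed. The script below is an added example, not code from this thread or from InterWorx; it parses changelog text in that format and reports which CVE ids appear and in which package release. The embedded changelog and its CVE ids are constructed placeholders, not real entries.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout printed by `rpm -q --changelog openssl`.
# Dates, packager and CVE ids are placeholders, not real RHEL/CentOS entries.
SAMPLE_CHANGELOG = """\
* Tue Mar 01 2016 Packager <packager@example.com> 1.0.1e-48.el6_8.1
- fix CVE-0000-0001 - placeholder: TLS compression issue
- fix CVE-0000-0002 - placeholder: memory corruption in parser
* Mon Jun 08 2015 Packager <packager@example.com> 1.0.1e-42.el6
- fix CVE-0000-0003 - placeholder: handshake bug
* Thu Feb 07 2013 Packager <packager@example.com> 1.0.1e-1.el6
- new upstream release 1.0.1e
"""

# An entry header starts with "* ", then date and packager, and ends with the
# version-release of the build that introduced the listed changes.
ENTRY_RE = re.compile(r"^\* .*? (\S+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(version_release, [CVE ids in that entry]), ...], newest first."""
    entries: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        header = ENTRY_RE.match(line)
        if header:
            entries.append((header.group(1), []))
        elif entries:
            entries[-1][1].extend(CVE_RE.findall(line))
    return entries


def fixed_cves(text: str, wanted: List[str]) -> Dict[str, Optional[str]]:
    """Map each wanted CVE id to the oldest package release whose changelog
    mentions it, or None if no entry mentions it (i.e. not backported yet)."""
    first_release: Dict[str, str] = {}
    # Walk oldest -> newest so the first release that names the CVE wins.
    for release, cves in reversed(parse_changelog(text)):
        for cve in cves:
            first_release.setdefault(cve, release)
    return {cve: first_release.get(cve) for cve in wanted}


if __name__ == "__main__":
    for cve, release in fixed_cves(SAMPLE_CHANGELOG, ["CVE-0000-0001", "CVE-0000-0009"]).items():
        print(cve, "fixed in" if release else "NOT mentioned:", release or "")
```

On a real server, pipe `rpm -q --changelog openssl` into `parse_changelog` and compare the release it reports against `rpm -q openssl`; a CVE absent from the changelog of the installed build is the case where a manual update or a vendor advisory lookup is warranted.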