openssl security vulnerability (heartbleed) notes

Update:

The updated packages should now be available via yum update openssl\*. Please do not forget to restart your system after you have installed them. The manual installation process described below should no longer be necessary.

Please be aware that the instructions to update openssl given, for example, in Fedora Magazine are incomplete. I recommend the following steps (all yum commands need to run as root, and every command needs to be entered on one line):

# Ensure that koji is installed
yum -y install koji
# Download the required packages (these are more RPMs than
# you might need):
# Fedora 19:
koji download-build --key=fb4b18e6 --arch=x86_64 --arch=i686 openssl-1.0.1e-37.fc19.1
# Fedora 20:
koji download-build --key=246110c1 --arch=x86_64 --arch=i686 --arch=armv7hl openssl-1.0.1e-37.fc20.1
# Verify that the RPMs are good, this needs to return lines
# like:
# openssl-1.0.1e-37.fc19.1.i686.rpm: rsa sha1 (md5) pgp md5 OK
# If a line does not contain pgp md5 OK, try to download the
# files again
rpm --checksig *.rpm
# Now get a list of all currently installed openssl
# packages:
yum list installed openssl\*
# This outputs lines starting like:
# openssl-libs.x86_64 1:1.0.1e-37.fc19 @updates
# For each line you need to install a new package, e.g. if
# the line starts with "openssl-libs.x86_64", you need to
# add the file
# openssl-libs-1.0.1e-37.fc19.1.x86_64.rpm
# to the following command:
yum install openssl-libs-1.0.1e-37.fc19.1.x86_64.rpm
# Install all necessary packages at once to avoid dependency
# problems.
# After everything is installed, reboot your system
# (recommended) or restart the necessary programs
# Use needs-restarting to identify these programs:
yum install -y yum-utils
needs-restarting
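
The signature check and the package selection described above can be scripted so that only files with a good signature end up in the install command. This is an added example, not part of the original post; the function names `good_rpms`, `wanted_rpms` and `install_list` and the sample data are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): gate the manual install on
# the signature check and derive the RPM file names automatically.

# good_rpms: read `rpm --checksig` output on stdin and print the files whose
# result line contains "pgp md5 OK" (signed with a key rpm trusts).
good_rpms() {
    awk -F': ' '/pgp md5 OK/ { print $1 }'
}

# wanted_rpms VERSION: read `yum list installed openssl\*` output on stdin
# and print, for each installed name.arch, the matching new RPM file name.
wanted_rpms() {
    awk -v ver="$1" 'NF >= 3 && $1 ~ /^openssl[^ ]*\.[^.]+$/ {
        name = $1; arch = $1
        sub(/\.[^.]+$/, "", name)   # strip the trailing .arch
        sub(/.*\./, "", arch)       # keep only the arch
        print name "-" ver "." arch ".rpm"
    }'
}

# install_list VERSION CHECKSIG_OUTPUT YUM_LIST_OUTPUT: print the files to pass
# to a single `yum install`; return 1 if any needed file lacks a good signature.
install_list() {
    local good wanted f rc=0
    good=$(printf '%s\n' "$2" | good_rpms)
    wanted=$(printf '%s\n' "$3" | wanted_rpms "$1")
    for f in $wanted; do
        if printf '%s\n' "$good" | grep -Fxq -- "$f"; then
            printf '%s\n' "$f"
        else
            printf 'missing or bad signature: %s\n' "$f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input, modelled on the output lines quoted in the post.
SAMPLE_SIG='openssl-1.0.1e-37.fc19.1.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
openssl-libs-1.0.1e-37.fc19.1.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
openssl-libs-1.0.1e-37.fc19.1.i686.rpm: sha1 md5 OK'
SAMPLE_LIST='Installed Packages
openssl.x86_64 1:1.0.1e-37.fc19 @updates
openssl-libs.x86_64 1:1.0.1e-37.fc19 @updates'

install_list 1.0.1e-37.fc19.1 "$SAMPLE_SIG" "$SAMPLE_LIST"
```

On a real system, pass the output of rpm --checksig *.rpm and yum list installed openssl\* instead of the sample strings, and hand the printed file names to one yum install command.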

4 thoughts on “openssl security vulnerability (heartbleed) notes”

  1. You can just do ‘yum update *.rpm’ after downloading the packages, and yum will sort it out (only update what you have installed). It checks the sigs, too.

    1. yum has not checked signatures for locally installed RPMs for a while now. See localpkg_gpgcheck in man yum.conf. But letting it sort out the necessary RPMs sounds good.

  2. I am not following your fix on this page. When I run the yum install it says Package already installed and latest version Nothing to do. So there is a step I am missing here. But thank you for sharing the page.

    1. The updates are now also distributed via the regular update system, probably you installed them already from there.
