Re: CVE-2022-3602 and CVE-2022-3786 Critical OpenSSL 3.0.x security vulnerabilities

2022-11-02 Thread Turritopsis Dohrnii Teo En Ming
On Wed, 2 Nov 2022 at 18:40, Jochen Bern wrote:

> On 02.11.22 07:48, Turritopsis Dohrnii Teo En Ming wrote:
> > I have 2 internet-facing CentOS 7.9 Linux servers in Europe.
> > Are the patches available already? How do I patch OpenSSL on my CentOS 7.9
> > Linux servers?
>
> CentOS 7 does not come with 3.0 versions of OpenSSL. (Not even available
> from oft-used repos like EPEL, if I understand correctly, unlike with
> CentOS 8.)
>
> https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md
>
> https://pkgs.org/search/?q=openssl
>
> If you installed it some other way, that "other way" would define how to
> install updates ... or cleanly uninstall it so as to install a current
> version from a different source.
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
>

I have just checked my internet facing CentOS 7.9 Linux server in Europe.

[root@ns1 ~]# rpm -qa | grep openssl
openssl-libs-1.0.2k-25.el7_9.x86_64
openssl-1.0.2k-25.el7_9.x86_64
openssl-devel-1.0.2k-25.el7_9.x86_64

I don't have OpenSSL 3.0.x installed. I am not affected by the said
security vulnerabilities.

Hooray!

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore


Re: CVE-2022-3602 and CVE-2022-3786 Critical OpenSSL 3.0.x security vulnerabilities

2022-11-02 Thread Jochen Bern

On 02.11.22 07:48, Turritopsis Dohrnii Teo En Ming wrote:

> I have 2 internet-facing CentOS 7.9 Linux servers in Europe.
> Are the patches available already? How do I patch OpenSSL on my CentOS 7.9
> Linux servers?


CentOS 7 does not come with 3.0 versions of OpenSSL. (Not even available 
from oft-used repos like EPEL, if I understand correctly, unlike with 
CentOS 8.)


https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md

https://pkgs.org/search/?q=openssl

If you installed it some other way, that "other way" would define how to 
install updates ... or cleanly uninstall it so as to install a current 
version from a different source.


Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH




Re: CVE-2022-3602 and CVE-2022-3786 Critical OpenSSL 3.0.x security vulnerabilities

2022-11-02 Thread Turritopsis Dohrnii Teo En Ming
On Wed, 2 Nov 2022 at 18:38, Tomas Mraz wrote:

> In general unless you've built and installed your own build of OpenSSL
> you need to refer to the vendor of your operating system for patches.
>
> In particular the openssl packages in CentOS 7.9 are not affected given
> they are 1.0.2 version and not 3.0.x version.
>

This is good news. I can sleep well.


>
> Tomas Mraz, OpenSSL
>
> On Wed, 2022-11-02 at 17:48 +1100, Turritopsis Dohrnii Teo En Ming
> wrote:
> > Subject: CVE-2022-3602 and CVE-2022-3786 Critical OpenSSL 3.0.x
> > security vulnerabilities
> >
> > Good day from Singapore,
> >
> > I refer to the following posts.
> >
> > [1] OpenSSL Gives Heads Up to Critical Vulnerability Disclosure,
> > Check Point Alerts Organizations to Prepare Now
> > Link:
> >
> https://blog.checkpoint.com/2022/10/30/openssl-gives-heads-up-to-critical-vulnerability-disclosure-check-point-alerts-organizations-to-prepare-now/
> >
> > [2] 2022 OpenSSL vulnerability - CVE-2022-3602 - Spooky SSL
> > Link: https://github.com/NCSC-NL/OpenSSL-2022
> >
> > [3] VMware Response to CVE-2022-3602 and CVE-2022-3786:
> > vulnerabilities in OpenSSL 3.0.x
> > Link:
> >
> https://blogs.vmware.com/security/2022/11/vmware-response-to-cve-2022-3602-and-cve-2022-3786-vulnerabilities-in-openssl-3-0-x.html
> >
> > I have 2 internet-facing CentOS 7.9 Linux servers in Europe.
> >
> > Are the patches available already? How do I patch OpenSSL on my
> > CentOS 7.9 Linux servers?
> >
> > Thank you.
> >
> > Regards,
> >
> > Mr. Turritopsis Dohrnii Teo En Ming
> > Targeted Individual in Singapore
> > Blogs:
> > https://tdtemcerts.blogspot.com
> > https://tdtemcerts.wordpress.com
>
> --
> Tomáš Mráz, OpenSSL
>
>


Re: CVE-2022-3602 and CVE-2022-3786 Critical OpenSSL 3.0.x security vulnerabilities

2022-11-02 Thread Tomas Mraz
In general unless you've built and installed your own build of OpenSSL
you need to refer to the vendor of your operating system for patches.

In particular the openssl packages in CentOS 7.9 are not affected given
they are 1.0.2 version and not 3.0.x version.

Tomas Mraz, OpenSSL

On Wed, 2022-11-02 at 17:48 +1100, Turritopsis Dohrnii Teo En Ming
wrote:
> Subject: CVE-2022-3602 and CVE-2022-3786 Critical OpenSSL 3.0.x
> security vulnerabilities
> 
> Good day from Singapore,
> 
> I refer to the following posts.
> 
> [1] OpenSSL Gives Heads Up to Critical Vulnerability Disclosure,
> Check Point Alerts Organizations to Prepare Now
> Link:
> https://blog.checkpoint.com/2022/10/30/openssl-gives-heads-up-to-critical-vulnerability-disclosure-check-point-alerts-organizations-to-prepare-now/
> 
> [2] 2022 OpenSSL vulnerability - CVE-2022-3602 - Spooky SSL
> Link: https://github.com/NCSC-NL/OpenSSL-2022
> 
> [3] VMware Response to CVE-2022-3602 and CVE-2022-3786:
> vulnerabilities in OpenSSL 3.0.x
> Link:
> https://blogs.vmware.com/security/2022/11/vmware-response-to-cve-2022-3602-and-cve-2022-3786-vulnerabilities-in-openssl-3-0-x.html
> 
> I have 2 internet-facing CentOS 7.9 Linux servers in Europe.
> 
> Are the patches available already? How do I patch OpenSSL on my
> CentOS 7.9 Linux servers?
> 
> Thank you.
> 
> Regards,
> 
> Mr. Turritopsis Dohrnii Teo En Ming
> Targeted Individual in Singapore
> Blogs:
> https://tdtemcerts.blogspot.com
> https://tdtemcerts.wordpress.com

-- 
Tomáš Mráz, OpenSSL
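Tomas's point that only the 3.0.x line is in scope, together with the `rpm -qa | grep openssl` check Teo ran earlier in the thread, can be turned into a small inventory script that classifies each installed OpenSSL package. The script below is an added example, not code from the thread or from the OpenSSL project. It assumes the CentOS package naming shown in the thread (`openssl`, `openssl-libs`, `openssl-devel` followed by the upstream version and a release tag) and the published affected range for CVE-2022-3602 and CVE-2022-3786 (OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7). The `openssl-libs-3.0.5-1.example.x86_64` line in the sample input is constructed to show the affected case; the other three lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify installed OpenSSL rpm
# packages against the version range affected by CVE-2022-3602 and
# CVE-2022-3786 (OpenSSL 3.0.0 through 3.0.6; 3.0.7 carries the fix).
# The 1.0.2 and 1.1.1 lines are outside the affected range.

# rpm_version NAME: extract the upstream version from an rpm package name
# such as openssl-libs-1.0.2k-25.el7_9.x86_64 -> 1.0.2k
# Assumes the CentOS naming used in the thread: openssl[-suffix]-VERSION-RELEASE.ARCH
rpm_version() {
    printf '%s\n' "$1" | sed -n 's/^openssl[a-z-]*-\([0-9][0-9.]*[a-z]*\)-.*/\1/p'
}

# is_affected VERSION: prints "yes" if VERSION is 3.0.0 .. 3.0.6, else "no".
# Letter suffixes (1.0.2k) and release tags (-25.el7_9) are stripped first,
# so only the numeric major.minor.patch triple is compared.
is_affected() {
    ver=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    old_ifs=$IFS
    IFS=.
    set -- $ver            # split on "." into positional parameters
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo yes
    else
        echo no
    fi
}

# classify_packages: read package names (one per line) from stdin and print
# "<name> affected" or "<name> not-affected"; returns 1 if any is affected,
# so the exit status can drive a monitoring check.
classify_packages() {
    rc=0
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        v=$(rpm_version "$pkg")
        [ -n "$v" ] || continue          # not an openssl package name we recognise
        if [ "$(is_affected "$v")" = yes ]; then
            echo "$pkg affected"
            rc=1
        else
            echo "$pkg not-affected"
        fi
    done
    return $rc
}

# Constructed sample input: the three rpm -qa lines quoted in the thread,
# plus a hypothetical 3.0.5 package to exercise the affected branch.
SAMPLE_PACKAGES='openssl-libs-1.0.2k-25.el7_9.x86_64
openssl-1.0.2k-25.el7_9.x86_64
openssl-devel-1.0.2k-25.el7_9.x86_64
openssl-libs-3.0.5-1.example.x86_64'

# On a real CentOS host the pipeline would be:
#   rpm -qa | grep '^openssl' | classify_packages
printf '%s\n' "$SAMPLE_PACKAGES" | classify_packages \
    || echo "at least one affected OpenSSL package found"
```

The version comparison deliberately ignores the distribution release tag, because the vendor's backported fixes do not change the upstream version number; on a vendor-patched 3.0.x system the script would therefore still report "affected", and the authoritative answer is the vendor's own advisory for that package release, as Tomas says above. A locally built OpenSSL that is not registered with rpm is also invisible to this check and needs to be inventoried separately.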