and it shows that CVE-2016-2107 & CVE-2016-2108 are patched:
- rpm -qa --changelog openssl | head -n8
* Mon May 02 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48.1
- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
- fix CVE-2016-0799 - memory issues in BIO_printf
Both Centos 6 and 7 are using the same openssl version 1.0.1e, but you should know that Centos usually backports changes, upgrades, patches, bug fixes… Did you check your SSL with services like https://www.ssllabs.com/ssltest/? If you see any errors it could be bad/poor configuration on your server. I have Vmin on one of my test VPS and I got an A+ rating, but I made several changes to httpd and ssl conf because the settings you get by default are really bad.
I used to get A, now I get F (specifically because of CVE-2016-2107, and it links to Filippo’s site). As mentioned in the original post, the tests taken were SSL Labs AND Filippo (the Heartbleed guy).
It could be just bad configuration in httpd and ssl. If you already did yum update then there is nothing left to download and update, so probably you should check your httpd and ssl conf files.
And I’m telling you this is probably because of bad configuration in httpd and ssl conf files. Please check https://www.virtualmin.com/node/41221 and near the end you will see a few of my posts with suggestions about httpd and ssl. Don’t forget to restart Apache.
Both Centos 6.8 (not sure for prior versions) and 7 are already patched for this, so you should already have updated your openssl. Virtualmin doesn’t have anything to do with this as they (Vmin) are pulling the updates from the official repo, plus I made another check right now from my test server and I got an A+ rating. But please go to your experts and ask them what to do; I’m sure they will help you better than this forum.
The folks at ServerFault (including the site’s moderator) seem to think this is because httpd is a custom version (virtualmin) with different linkages.
All documents regarding CVE-2016-2107 & CVE-2016-2108 mention that updating OpenSSL is the only method of patching. There is no mention that directives in the conf files can be responsible for this, even when OpenSSL is patched.
I know that the conf files have not changed (ossec automatically backs them up when they do change). The only thing that changed was external - the vulnerability was discovered.
You are going against experts and documented evidence, without pointing to anything else but your own opinion. I will wait for the virtualmin team to chime in.
ServerFault guys are wrong, Virtualmin was not using a custom version (to a degree that it changed the whole software).
I have found out after some digging that Nginx was the culprit and it is so stubborn to use the old SSL version. It is recommended to reconfigure/update or relink Nginx. Some force-reloaded Nginx and its dependencies and they got their SSL fixed.
I honestly have no idea how to configure Nginx so I can’t guide you step by step. This is on the assumption that you are using it.
Here is the other scenario: some people compiled their Apache with an embedded OpenSSL, and Apache will keep on using the embedded one until you relink it.
As for added info, I have my main server running on 7.0; no patching was ever done for the past 6 months with regard to OpenSSL. No vulnerability warnings. My last 6.8 Centos was converted to a pure proxy server, no domain name to test.
Some people on ServerFault buy reputation by getting people to click and upvote their comments.
Webmin is not using a customized version of Apache, with the exception of miniserv, which is their compact Apache server for Webmin on port 10000.
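The two checks debated in this thread (does the installed openssl package carry the CVE-2016-2107 fix, and is the web server actually loading that system libssl rather than an older embedded copy or a deleted pre-update copy) can be scripted. The following is an added example, not code from this thread or from Virtualmin; it runs offline against constructed sample data (the changelog, ldd and lsof text below are made up for illustration), and the live section at the end, which assumes a CentOS host with rpm, ldd, pgrep and lsof available, is switched off unless RUN_LIVE=1 is set.

```shell
#!/bin/sh
# Added example (not from the forum thread or Virtualmin). Two checks:
#  1. does the openssl package changelog list a fix for a given CVE
#     (CentOS backports record fixes this way, not via the version number);
#  2. which libssl a web server binary links against, and whether the running
#     daemon still maps a "(deleted)" copy that was replaced on disk by the
#     update. A daemon in that state keeps failing external scanner tests for
#     CVE-2016-2107 until it is restarted, even though the package is patched.

# changelog_has_fix CVE-ID   (changelog text on stdin) -> exit 0 if listed
changelog_has_fix() {
    grep -qi "fix $1"
}

# ssl_lib_path   (ldd output on stdin) -> resolved libssl path, or a marker
# when no dynamically linked libssl appears (static or embedded copy)
ssl_lib_path() {
    awk '/libssl/ && $2 == "=>" { print $3; found = 1; exit }
         END { if (!found) print "not-dynamically-linked" }'
}

# is_system_lib PATH -> exit 0 if PATH is where yum-managed packages install;
# /usr/local/ssl, /opt etc. mean a self-built OpenSSL that yum never patches
is_system_lib() {
    case "$1" in
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) return 0 ;;
        *) return 1 ;;
    esac
}

# stale_ssl_in_use   (lsof -p PID output on stdin) -> exit 0 if the process
# still maps a libssl/libcrypto that has been deleted from disk
stale_ssl_in_use() {
    grep -E 'lib(ssl|crypto)\.so' | grep -q '(deleted)'
}

# server_verdict LDD_OUTPUT LSOF_OUTPUT -> one word:
#   embedded-openssl : not linked against the yum-managed libssl
#   restart-needed   : package updated, daemon still maps the old copy
#   ok               : system libssl, current mapping
server_verdict() {
    path=$(printf '%s\n' "$1" | ssl_lib_path)
    if ! is_system_lib "$path"; then
        echo embedded-openssl
    elif printf '%s\n' "$2" | stale_ssl_in_use; then
        echo restart-needed
    else
        echo ok
    fi
}

# Constructed sample inputs (not real host output).
SAMPLE_CHANGELOG='* Mon May 02 2016 Example Packager <packager@example.invalid> 1.0.1e-48.1
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder'
SAMPLE_LDD_SYSTEM='    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f3c2a000000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f3c29c00000)'
SAMPLE_LDD_EMBEDDED='    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f1100000000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f10ffc00000)'
SAMPLE_LSOF_OK='httpd 1234 apache mem REG 253,0 457872 131090 /usr/lib64/libssl.so.1.0.1e
httpd 1234 apache mem REG 253,0 1994840 131091 /usr/lib64/libcrypto.so.1.0.1e'
SAMPLE_LSOF_STALE='httpd 1234 apache mem REG 253,0 457872 131090 /usr/lib64/libssl.so.1.0.1e (deleted)
httpd 1234 apache mem REG 253,0 1994840 131091 /usr/lib64/libcrypto.so.1.0.1e (deleted)'

# Live use on a CentOS host; off by default so the script runs offline.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    if rpm -q --changelog openssl | changelog_has_fix CVE-2016-2107; then
        echo "openssl package changelog lists the CVE-2016-2107 fix"
    else
        echo "CVE-2016-2107 fix NOT listed in openssl changelog"
    fi
    pid=$(pgrep -o httpd)
    echo "httpd verdict: $(server_verdict "$(ldd "$(command -v httpd)")" "$(lsof -p "$pid")")"
fi
```

A verdict of restart-needed is the case several posters describe: yum replaced libssl on disk, but the daemon was only reloaded (or not touched) and still runs the old code, so the scanner keeps reporting the padding oracle. embedded-openssl is the self-compiled Apache/Nginx case, where no amount of yum updating helps until the binary is rebuilt against the system library. For Nginx, substitute nginx for httpd in the live section.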
I was using Centos 6.8 before and no vulnerability appeared; I got a B, B since I failed to turn off SSL2 and SSL3, then an A for disabling them. I am using "Let’s Encrypt Authority X3" as my certificate. Perhaps you are using an invalid certificate, since they also check the certificate and the cipher.
Take a look at my last post in this topic, https://www.virtualmin.com/node/41221; those settings are tested and if everything else is in order they should give you an A+ rating.