SLES-Other: SLES 11 SP1 - upgrade OpenSSL to 0.9.8za



warren_d
16-Jul-2018, 11:12
Trying to upgrade SLES 11 SP1 to use a certain version of OpenSSL e.g. 0.9.8za.
Let's assume I can't change service pack etc... and need this OpenSSL version due to security fixes.

1. Firstly download and extract OpenSSL e.g.

wget https://www.openssl.org/source/old/0.9.x/openssl-0.9.8za.tar.gz
tar zxvf openssl-0.9.8za.tar.gz
cd openssl-0.9.8za

2. Then build and deploy OpenSSL e.g.

./Configure
make
make test
sudo make install

However this does not replace the original installed version of OpenSSL.
How to update the original installed version of OpenSSL?

I have considered either using e.g.

./config <options ...> --openssldir=/usr/local/ssl
As noted here
https://wiki.openssl.org/index.php/Compilation_and_Installation

Or simply replacing bin and lib with symbolic links to the new OpenSSL.

What is the correct/best way to do this?

Thanks in advance...

smflood
16-Jul-2018, 11:53
On 16/07/18 11:14, warren d wrote:

> Trying to upgrade SLES 11 SP1 to use a certain version of OpenSSL e.g.
> 0.9.8za.
> Let's assume I can't change service pack etc... and need this OpenSSL
> version due to security fixes.

Why can't you change Service Pack? SLES11 SP1 is now quite old with
SLES11 SP4 so if you're concerned about security fixes then you really
should upgrade to the latter (you will need to upgrade via each
intermediate SP) or SLES12 SP3/SLES15.

> 1. Firstly download and extract OpenSSL e.g.
>
> Code:
> --------------------
> wget https://www.openssl.org/source/old/0.9.x/openssl-0.9.8za.tar.gz
> tar zxvf openssl-0.9.8za.tar.gz
> cd openssl-0.9.8za
> --------------------
>
>
> 2. Then build and deploy OpenSSL e.g.
>
> Code:
> --------------------
> ./Configure
> make
> make test
> sudo make install
> --------------------
>
>
> However this does not replace the original installed version of
> OpenSSL.
> How to update the original installed version of OpenSSL?
>
> I have considered either using e.g.
>
> Code:
> --------------------
> ./config <options ...> --openssldir=/usr/local/ssl
> --------------------
>
> As noted here
> https://wiki.openssl.org/index.php/Compilation_and_Installation
>
> Or simply replacing bin and lib with symbolic links to the new
> OpenSSL.
>
> What is the correct/best way to do this?
>
> Thanks in advance...

Which security vulnerabilities/fixes are you concerned with? Whilst the
version of OpenSSL within a particular release of SLES may appear to be
out-of-date, SUSE backport security fixes from later versions of
applications into packaged earlier versions which are then supported by
SUSE. Rolling your own is not supported.

HTH.
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------
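
Because fixes are backported, the upstream version string says little about patch status; the package changelog is where a backported CVE fix is recorded. The following is an added example (not from the thread or from SUSE) that reads `rpm -q --changelog <package>` output on stdin and reports the changelog entry mentioning each CVE ID. The function names and the sample changelog are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads an RPM changelog on stdin and, for each CVE ID given
# as an argument, prints the newest changelog entry header that mentions it.
# On a host:  rpm -q --changelog bash | cve_backport_status CVE-2014-6271
# Returns 1 if any requested ID is not mentioned.
cve_backport_status() {
    changelog=$(cat)    # read stdin once; every ID is checked against it
    missing=0
    for cve in "$@"; do
        entry=$(printf '%s\n' "$changelog" | awk -v id="$cve" '
            # Match the ID as a whole token so CVE-2014-627 != CVE-2014-6271.
            BEGIN   { re = "(^|[^A-Za-z0-9])" id "([^0-9]|$)" }
            /^\* /  { hdr = $0 }    # entry header: "* <date> <packager>"
            $0 ~ re { print (hdr ? hdr : "(before first entry header)"); exit }
        ')
        if [ -n "$entry" ]; then
            printf '%s\tlisted: %s\n' "$cve" "$entry"
        else
            printf '%s\tnot listed\n' "$cve"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample in rpm changelog layout (not real SUSE changelog text).
sample_changelog() {
    cat <<'EOF'
* Sat Sep 27 2014 packager@example.com
- constructed entry: follow-up fix for CVE-2014-7169
* Thu Sep 25 2014 packager@example.com
- constructed entry: fix for CVE-2014-6271
* Mon Jan 06 2014 packager@example.com
- constructed entry: unrelated bugfix
EOF
}

# Demo on the constructed sample; CVE-2015-0235 is absent, so status is non-zero.
sample_changelog | cve_backport_status CVE-2014-6271 CVE-2014-7169 CVE-2015-0235 || true
```

A "not listed" result only means the installed build's changelog does not mention the ID; the vendor's CVE page for that ID states which releases carry the fix.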

warren_d
16-Jul-2018, 12:24
> Why can't you change Service Pack? SLES11 SP1 is now quite old with
> SLES11 SP4 so if you're concerned about security fixes then you really
> should upgrade to the latter (you will need to upgrade via each
> intermediate SP) or SLES12 SP3/SLES15.

Thanks for your reply @Simon.

It is a good question. My current understanding (right or wrong) is that the SLES and SP versions are controlled by one of our customers. So short of (of course) recommending they upgrade SP, then it has to for now remain as defined.


> Which security vulnerabilities/fixes are you concerned with? Whilst the
> version of OpenSSL within a particular release of SLES may appear to be
> out-of-date, SUSE backport security fixes from later versions of
> applications into packaged earlier versions which are then supported by
> SUSE. Rolling your own is not supported.

- Shellshock i.e. CVE-2014-6271 & CVE-2014-7169.
- Heartbleed as found in OpenSSL 0.9.8h
- Glibc Ghost as found prior to version 2.18

From the SUSE website it seems SLES11 SP1 doesn't have a specific patch for this (only LTSS). So trying to manually update.
https://www.suse.com/support/kb/doc/?id=7015702

smflood
16-Jul-2018, 12:59
On 16/07/18 12:34, warren d wrote:

> Thanks for your reply @Simon.
>
> It is a good question. My current understanding (right or wrong) is that
> the SLES and SP versions are controlled by one of our customers. So
> short of (of course) recommending they upgrade SP, then it has to for
> now remain as defined.

If you/they are concerned about security then you/they really should
upgrade - sticking (i.e. not upgrading) contradicts security concerns.

> - Shellshock i.e. CVE-2014-6271 & CVE-2014-7169.
> - Heartbleed as found in OpenSSL 0.9.8h
> - Glibc Ghost as found prior to version 2.18
>
> From the SUSE website it seems SLES11 SP1 doesn't have a specific patch
> for this (only LTSS). So trying to manually update.
> https://www.suse.com/support/kb/doc/?id=7015702

Given the nature of ShellShock SUSE made patches available for earlier
(unsupported) versions of SLES including SLES11 SP1 and they are
available as per the above TID 7015702 - see
https://download.suse.com/Download?buildid=nNXClbWqawg~ .

As per http://heartbleed.com/ and
https://www.suse.com/security/cve/CVE-2014-0160/ OpenSSL 0.9.8 is not
affected by Heartbleed (CVE-2014-0160).

For protection against glibc GHOST (CVE-2015-0235) you will either need
Long Term Service Pack Support for SLES11 SP1 or upgrade to at least
SLES11 SP4 - see https://www.suse.com/security/cve/CVE-2015-0235/ (which
was published whilst SLES11 SP3 was still under general support).

HTH.
--
Simon
SUSE Knowledge Partner
