openssl: which version to upgrade to


Hi,

I have been asked to upgrade a RHEL 6.4 server's openssl package from openssl-1.0.0-27.el6 to openssl-1.0.1m.

I have worked out that the request is based on the OpenSSL Software Foundation versions rather than the Red Hat ones.
I have done a fair bit of browsing, both here and elsewhere, but I cannot find a specific latest (and secure) version for RHEL 6.4; all I find are errata pages that just list the openssl version for RHEL 6.
I have downloaded the 6.4 installation ISO and checked: it contains the same version as my server has. I have also looked on the CentOS mirror site, and the 6.4 tree shows the same version.

My question is:

Is there a latest version specifically for RHEL 6.4, or do I go with the latest version for RHEL 6?

Part of my hesitation to go for the latter is that it's quite a jump and I am concerned that it might introduce incompatibilities, but maybe I'm just being overly cautious.
Another piece of my confusion is whether a version of RHEL (i.e. 6.4) that is shipped with an openssl in the 1.0.0 branch should stay in that branch and not stray out into the 1.0.1 branch ... if that makes any sense?

Yours appreciatively,

Nick

Responses

Do you need to keep running 6.4, or can you update the system to the current 6.x release (6.7)? If you can update, simply applying all current RHEL 6.x updates & errata will get you to openssl 1.0.1e-42.el6.x86_64. That package contains all of the security patches from "upstream" (up to OpenSSL 1.0.1p and 1.0.2d) which Red Hat has determined are applicable to the older 1.0.1e code.

If you need to stay on RHEL 6.4 for some reason (3rd-party application support, or a strict security-patches-only policy, for example), the "EUS" (Extended Update Support) version 6.4.z might be more appropriate. I'm not sure what version of OpenSSL is in that channel (if they stayed on 1.0.0, or followed the 're-base' to 1.0.1e as RHEL 6.5+ did) - but in any case, just dropping OpenSSL 1.0.1m on the system would be a Bad Thing(tm), as it will put you into an unsupported & inconsistent configuration of your Red Hat system (and require you to manually update to each subsequent OpenSSL package release, thus defeating the point of running Red Hat Enterprise Linux in the first place).

If your upgrade directive is based on a specific security issue (one or more CVEs), you can use the "rpm -q --changelog openssl" command to find out which CVEs are covered by the specific openssl package currently installed on your system (both before & after updating to a current, Red Hat-supported version of the package).

tl;dr version:

  • you are right, RHEL patches don't work the way your management/security auditors think

  • ideally, you should 'yum update' to RHEL 6.7 (current), which has openssl-1.0.1e plus all current, applicable security fixes from later versions

  • failing that, you should get the (extra-cost) EUS subscription, then configure for the "6.4.z" base channel & "yum update" to current patches for RHEL 6.4.
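The answer above makes the point that a Red Hat openssl package keeps its upstream version string (1.0.1e) while the fixes are backported, so the package changelog, not the version number, is the record of which CVEs are covered. The following script is an added example, not part of the thread and not Red Hat tooling: it extracts CVE identifiers from changelog text of the kind `rpm -q --changelog openssl` prints and checks whether a given CVE is listed. The embedded changelog, its dates, maintainer address and CVE identifiers are constructed placeholders so the script runs without rpm; on a real system you would pipe the rpm output into `cve_in_changelog` instead.

```shell
#!/bin/sh
# Added example: check an RPM changelog for backported CVE fixes.
# Not part of the original thread; all sample data below is constructed.
#
# Real usage (assumes the openssl package is installed and rpm is available):
#   rpm -q --changelog openssl | cve_in_changelog CVE-XXXX-YYYY && echo covered
#   rpm -q --changelog openssl | list_cves

# Constructed sample in the shape of "rpm -q --changelog" output.
# The CVE ids, dates and maintainer are placeholders, not real entries.
SAMPLE_CHANGELOG='* Mon Jan 01 2000 Example Maintainer <maint@example.com> 1.0.1e-42.1
- fix CVE-0000-1111 - constructed placeholder entry
- fix CVE-0000-2222 - constructed placeholder entry

* Mon Jan 01 1999 Example Maintainer <maint@example.com> 1.0.1e-30
- rebase to 1.0.1e (constructed placeholder entry)'

# Print every CVE identifier found in the changelog read from stdin, once each.
list_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the CVE id given as $1 appears in the changelog read from stdin,
# 1 otherwise. The surrounding non-digit check stops CVE-0000-1111 from
# matching a longer id such as CVE-0000-11110.
cve_in_changelog() {
    grep -qE "(^|[^0-9])$1([^0-9]|$)"
}

# Convenience wrappers over the constructed sample so the logic can be
# exercised on a machine without rpm.
sample_has_cve() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog "$1"
}

count_sample_cves() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | list_cves | wc -l | tr -d ' '
}

# Stand-alone demonstration against the constructed sample.
printf 'CVEs recorded in sample changelog: %s\n' "$(count_sample_cves)"
if sample_has_cve CVE-0000-1111; then
    echo 'CVE-0000-1111: fix recorded in changelog'
fi
if ! sample_has_cve CVE-0000-3333; then
    echo 'CVE-0000-3333: not recorded, check the errata before assuming it is fixed'
fi
```

A version-string scanner comparing 1.0.1e against an upstream release will flag every backported package as vulnerable; comparing the changelog (or the errata referenced by `rpm -q --changelog`) against the CVE list an auditor supplies is the check that actually answers whether the installed package is patched.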

Hi James Nauer,

Thanks for your answer; it is just the information and wording that I need. I have used this information in the growing e-mail thread around this discussion.

Interestingly, I've had a reply from Red Hat support on a case that I raised for this (I'm not trying to be a scatter-gun poster; I only found this forum after raising the call and thought this would be quicker). Anyway, the reply from support was just to go ahead and install openssl-1.0.1e-42.el6.x86_64.rpm; they made no mention of making the system inconsistent and unsupported. This somewhat worries me because a colleague, who is Red Hat certified, also made similar points to yours. I have rephrased my question to support and bounced it back at them.

Best regards,

Nick
