Unsure which patch(es) to apply for DROWN
I'm a RHEL newbie.
We have some RHEL 6.7 servers.
I ran the DROWN-test.sh script and received the following result:
WARNING: The installed version of openssl (openssl-1.0.1e-42.el6.x86_64) is vulnerable to the general DROWN attack and should be upgraded.
See https://access.redhat.com/security/vulnerabilities/drown for more information.
Which DROWN patch or patches do I run to fix the vulnerability?
I'm unclear on which one I should use.
Thanks in advance.
Responses
We have 4 different RHEL 6.7 servers that all gave us the vulnerable warning. We just did "yum list openssl", and it told us that we were at openssl.x86_64 version 1.0.1e-42.el6_7.2, and that version 1.0.1e-42.el6_7.4 was available, so we just did a yum install on openssl.x86_64 and it upgraded us to version 1.0.1e-42.el6_7.4. After that we re-ran the DROWN-test.sh and it told us we were no longer vulnerable. Same solution worked on all our servers.
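The check this answer did by hand (compare the installed openssl build against the fixed one, on each of several servers) is easy to script. The block below is an added example, not code from this thread or from Red Hat: it reimplements RPM's version/release comparison algorithm (the rpmvercmp segment rules, without epoch handling) in plain Python and applies it to a constructed inventory of `rpm -q openssl` outputs. The hostnames are made up, and the "fixed" build is the one this answer reports as passing DROWN-test.sh; in practice take that value from the errata for your release.

```python
import re

# Build that the answer above reports as no longer flagged by DROWN-test.sh.
# Assumption for this example: treat it as the minimum fixed build.
FIXED_OPENSSL = "openssl-1.0.1e-42.el6_7.4.x86_64"

# Constructed sample: hostname -> output of `rpm -q openssl` on that host.
SAMPLE_INVENTORY = {
    "web1": "openssl-1.0.1e-42.el6_7.2.x86_64",   # build mentioned in the answer
    "web2": "openssl-1.0.1e-42.el6_7.4.x86_64",   # already at the fixed build
    "db1":  "openssl-1.0.1e-42.el6.x86_64",       # build from the question
}


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings the way rpm does.

    Returns -1 if a < b, 0 if equal, 1 if a > b. Strings are split into
    alternating numeric and alphabetic segments; numeric segments compare
    as integers, alphabetic ones lexically, a numeric segment beats an
    alphabetic one, '~' marks a pre-release (older), and whichever string
    has segments left over is newer.
    """
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        # Separators (anything that is not alphanumeric or '~') are skipped.
        one = re.sub(r"^[^A-Za-z0-9~]+", "", one)
        two = re.sub(r"^[^A-Za-z0-9~]+", "", two)
        # Tilde sorts before everything, even the end of the string.
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not one or not two:
            break
        # Take a segment of the same type (digits or letters) from both.
        if one[0].isdigit():
            pattern, isnum = r"[0-9]+", True
        else:
            pattern, isnum = r"[A-Za-z]+", False
        m1 = re.match(pattern, one)
        m2 = re.match(pattern, two)
        s1 = m1.group(0)
        s2 = m2.group(0) if m2 else ""
        if not s2:
            # Segment types differ: the numeric side is the newer one.
            return 1 if isnum else -1
        one, two = one[len(s1):], two[len(s2):]
        if isnum:
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1


def split_nvra(nvra: str):
    """Split NAME-VERSION-RELEASE.ARCH as printed by `rpm -q`."""
    base, arch = nvra.rsplit(".", 1)
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch


def is_patched(installed_nvra: str, fixed_nvra: str) -> bool:
    """True if the installed build is at or above the fixed build."""
    _, iv, ir, _ = split_nvra(installed_nvra)
    _, fv, fr, _ = split_nvra(fixed_nvra)
    result = rpmvercmp(iv, fv)
    if result == 0:
        result = rpmvercmp(ir, fr)
    return result >= 0


def audit(inventory: dict, fixed_nvra: str = FIXED_OPENSSL) -> dict:
    """Map each host to whether its openssl build is at least the fixed one."""
    return {host: is_patched(pkg, fixed_nvra) for host, pkg in inventory.items()}


if __name__ == "__main__":
    for host, ok in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {'patched' if ok else 'NEEDS UPDATE'} ({SAMPLE_INVENTORY[host]})")
```

This only answers "is the installed build at least the one the errata names"; it cannot tell by itself which build fixes CVE-2016-0800, so pair it with the Red Hat errata page and, as the answer did, re-run DROWN-test.sh after updating.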
See Red Hat's response/mitigation to CVE-2016-0800 with the Errata RPM links for any given version. And if you are not connected to Red Hat directly, or do not have a Satellite server but DO have a subscription, you can find the specific RPM you've identified from the previous link through Red Hat RPM search.
(For others besides Mark Smith) --> At this link https://access.redhat.com/labs/drown/ is the Red Hat vulnerability checker, which is this shell script https://access.redhat.com/labs/drown/DROWN-test.sh, and the signature of that script is at this link: https://access.redhat.com/labs/drown/DROWN-test.sh.asc.
