Version: 11.5.30 CentOS 5 115140407.17
On CentOS 5 only, nginx is statically compiled by Parallels against a vulnerable version of OpenSSL:
# strings /usr/sbin/nginx | grep configure
configure arguments: --prefix=/usr/share --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --user=nginx --group=nginx --with-ipv6 --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_dav_module --with-http_gzip_static_module --with-http_stub_status_module --with-openssl=/home/builder/buildbot/nginx-1.5.0-bcos5/build/nginx/work/openssl-0.9.8y --with-openssl-opt='enable-tlsext zlib no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa no-shared -fpic'
The OpenSSL team states "OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za." even though there has not yet been a demonstrable exploit if the server side (nginx being a server in this case) is not version 1.0.1 or 1.0.2-beta1. Parallels support and security team have rejected the OpenSSL team's recommendation and do not consider this an issue because no one has produced an exploit yet where the server is using 0.9.8, so they refused to either update nginx or release a dynamically linked version like what they do for the CentOS 6 version.
So... if you'd like to wait for an exploit to occur, you're in good hands with Parallels.
Oh yeah, you're also going to fail PCI scans because of this.
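The check behind the post, as an added example that is not code from the original post or from Parallels: pull the OpenSSL version out of the "configure arguments" string embedded in a statically linked nginx and compare it with the minimum fixed release the OpenSSL team named (0.9.8za). It assumes the `--with-openssl=<dir>/openssl-<version>` form shown above; the sample configure line is a constructed, trimmed copy of the output quoted in the post.

```sh
#!/bin/sh
# Added example, not code from the original post: read the OpenSSL version a statically
# linked nginx was built against from the "configure arguments" string embedded in the
# binary, and compare it with the minimum fixed release the OpenSSL team named (0.9.8za).
# Assumes the --with-openssl=<dir>/openssl-<version> form shown in the post; the sample
# line below is a constructed, trimmed copy of the post's output.
SAMPLE_CONFIGURE='configure arguments: --prefix=/usr/share --with-http_ssl_module --with-openssl=/home/builder/buildbot/nginx-1.5.0-bcos5/build/nginx/work/openssl-0.9.8y --with-openssl-opt=enable-tlsext'

# Print the OpenSSL version named in a configure-arguments line (nothing if absent).
openssl_version_from_configure() {
    printf '%s\n' "$1" | sed -n 's/.*--with-openssl=[^ ]*openssl-\([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Return 0 when version $1 is older than $2 on the same branch, 1 when it is $2 or newer,
# 2 when the numeric parts differ (another branch, whose fixed release must be looked up
# separately). OpenSSL letter suffixes order a < b < ... < y < za < zb: a longer suffix
# is newer, and equal-length suffixes compare alphabetically.
openssl_version_older() {
    base1=$(printf '%s' "$1" | sed 's/[a-z]*$//'); suf1=${1#"$base1"}
    base2=$(printf '%s' "$2" | sed 's/[a-z]*$//'); suf2=${2#"$base2"}
    [ "$base1" = "$base2" ] || return 2
    [ ${#suf1} -lt ${#suf2} ] && return 0
    [ ${#suf1} -gt ${#suf2} ] && return 1
    [ "$(expr "$suf1" \< "$suf2")" = 1 ]
}

# Print "vulnerable <ver>", "fixed <ver>", "other-branch <ver>" or "unknown" for the
# configure line in $1 against the minimum fixed version in $2; exit 1 unless fixed.
check_static_openssl() {
    ver=$(openssl_version_from_configure "$1")
    [ -n "$ver" ] || { echo unknown; return 1; }
    openssl_version_older "$ver" "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "vulnerable $ver"; return 1 ;;
        1) echo "fixed $ver" ;;
        *) echo "other-branch $ver"; return 1 ;;
    esac
}

# On the affected host the input would come from the binary itself:
#   check_static_openssl "$(strings /usr/sbin/nginx | grep 'configure arguments')" 0.9.8za
check_static_openssl "$SAMPLE_CONFIGURE" 0.9.8za || echo "nginx must be rebuilt against a fixed OpenSSL"
```

The build-directory name is only one witness; the version banner OpenSSL compiles into libcrypto (`strings /usr/sbin/nginx | grep -i 'openssl [0-9]'`) gives an independent second reading of the same fact.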