
URGENT - Hotfix required all versions due to openssl upgrade

105547111

Silver Pleskian
Fedora, Redhat and CentOS so far are all affected by an update to openssl.

As the update is done due to CVE exploits, we need patches quickly please.

For Fedora 11, it's openssl-0.9.8k-5 to openssl-0.9.8n1

Other OS please list them here so we can get them fixed.

Can future binaries not be hard coded to specific versions, as this leads to disaster!

There seems to be a few - one is psa-proftpd:

Mar 27 23:37:38 server proftpd[21498]: mod_tls/2.4.1: compiled using OpenSSL version 'OpenSSL 0.9.8k-fips 25 Mar 2009' headers, but linked to OpenSSL version 'OpenSSL 0.9.8n-fips 24 Mar 2010' library

Also, if you disable TLS, proftpd comes up but the panel is still dead:

/var/log/sw-cp-server/error_log, which is practically useless, says:

2010-03-27 06:04:06: (log.c.75) server started
2010-03-27 06:04:06: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-27 06:04:06: (log.c.75) server started
2010-03-27 06:04:06: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-27 06:06:02: (log.c.75) server started
2010-03-27 06:06:02: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-27 06:06:02: (log.c.75) server started
2010-03-27 06:06:02: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-27 06:08:02: (log.c.75) server started
2010-03-27 06:08:02: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-27 06:08:02: (log.c.75) server started
2010-03-27 06:08:02: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
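The proftpd line above is the one diagnostic in this thread that names the actual fault: mod_tls was compiled against the 0.9.8k headers but is now loading the 0.9.8n library. Below is an added example (not code from the thread or from Plesk) that scans syslog-style text for that mod_tls message, compares the header and library releases, and also counts the all-zero "SSL: error:00000000" lines that sw-cp-server emits when OpenSSL fails without queueing an error. The function names and the sample log are my own; the sample's third mod_tls line is invented to exercise the equal-versions path.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the proftpd and sw-cp-server lines quoted in
# this thread. The third proftpd line is made up (equal versions) for testing.
SAMPLE_LOG = """\
Mar 27 23:37:38 server proftpd[21498]: mod_tls/2.4.1: compiled using OpenSSL version 'OpenSSL 0.9.8k-fips 25 Mar 2009' headers, but linked to OpenSSL version 'OpenSSL 0.9.8n-fips 24 Mar 2010' library
Mar 27 23:37:38 server proftpd[21498]: ProFTPD 1.3.2 (stable) standalone mode STARTUP
Mar 28 09:12:01 server proftpd[22010]: mod_tls/2.4.1: compiled using OpenSSL version 'OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008' headers, but linked to OpenSSL version 'OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008' library
"""

SAMPLE_CP_LOG = """\
2010-03-27 06:04:06: (log.c.75) server started
2010-03-27 06:04:06: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-27 06:06:02: (log.c.75) server started
2010-03-27 06:06:02: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
"""

# syslog prefix, optional [pid], then the exact mod_tls wording seen in the thread
MISMATCH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+?)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<module>mod_tls/[\d.]+): compiled using OpenSSL version '(?P<headers>[^']+)' headers, "
    r"but linked to OpenSSL version '(?P<library>[^']+)' library$"
)

# lighttpd/sw-cp-server SSL failure with an empty OpenSSL error queue (all zeros)
EMPTY_SSL_ERR_RE = re.compile(r"\(network\.c\.\d+\) SSL: error:00000000:")


def openssl_release(banner: str) -> str:
    """Reduce 'OpenSSL 0.9.8k-fips 25 Mar 2009' to its release token '0.9.8k',
    dropping the build flavour (-fips, -fips-rhel5) and the build date."""
    parts = banner.split()
    if len(parts) < 2 or parts[0] != "OpenSSL":
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return parts[1].split("-", 1)[0]


def find_openssl_mismatches(log_text: str) -> List[Dict[str, Optional[str]]]:
    """One record per mod_tls line whose header release differs from the
    library release actually loaded at run time."""
    findings = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.match(line)
        if not m:
            continue
        hdr = openssl_release(m.group("headers"))
        lib = openssl_release(m.group("library"))
        if hdr == lib:
            continue  # same release, only the flavour/date differs: not a rebuild issue
        findings.append({
            "timestamp": m.group("ts"),
            "process": m.group("proc"),
            "pid": m.group("pid"),
            "module": m.group("module"),
            "compiled_against": hdr,
            "linked_to": lib,
        })
    return findings


def count_empty_ssl_errors(cp_log_text: str) -> int:
    """Count sw-cp-server SSL failures that carry no OpenSSL error code. An
    all-zero code means ERR_get_error() had nothing queued, so the log cannot
    say why the handshake/init failed; correlate with the proftpd finding."""
    return sum(1 for line in cp_log_text.splitlines() if EMPTY_SSL_ERR_RE.search(line))


if __name__ == "__main__":
    for f in find_openssl_mismatches(SAMPLE_LOG):
        print("%s %s[%s]: %s built against OpenSSL %s but running %s"
              % (f["timestamp"], f["process"], f["pid"], f["module"],
                 f["compiled_against"], f["linked_to"]))
    print("empty SSL error codes in sw-cp-server log:", count_empty_ssl_errors(SAMPLE_CP_LOG))
```

Run it against /var/log/messages (or wherever proftpd logs) after any openssl update; a non-empty result means a binary that was built against one OpenSSL release is being loaded with another, which is the condition this whole thread is about.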
 
Yes, a quick fix would be nice. Since updating CentOS 5.4 I can no longer access my Plesk Control Panel.

# service psa status
psa dead but subsys locked
 
I was able to get my control panel working again by downgrading openssl, mod_ssl and httpd.
I've only tried this with Plesk 9.3 in CentOS 5.4.

# yum downgrade openssl* mod_ssl* httpd*
# service sw-cp-server restart
# service httpd restart
 
yum downgrade does not exist

On my CentOS 4.8 box, my yum does not appear to support the "downgrade" option.. or am I missing something?

What can I do to fix this issue?
 
For a VERY short period, until updates start breaking, as you're running the old exploitable openssl. All future updates are now based on the new libraries, so things will start to break.
 
urgent help needed

I need an URGENT fix, BTW:

Dependencies Resolved

===========================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================
Installing:
openssl i686 0.9.8e-12.el5_4.1 updates 1.4 M
openssl x86_64 0.9.8e-12.el5_4.1 updates 1.4 M
Removing:
openssl i686 0.9.8e-12.el5_4.6 installed 3.3 M
openssl x86_64 0.9.8e-12.el5_4.6 installed 3.4 M
Removing for dependencies:
SSHTerm noarch 0.2.2-9.278624 installed 4.9 M
mod_ssl x86_64 1:2.2.3-31.el5.centos.4 installed 179 k
psa x86_64 9.3.0-cos5.build93091230.06 installed 31 M



it will remove ALL plesk!
 
Quick fix for you guys who can't downgrade with yum (as in my case) CentOS 5.4 x86_64

mkdir /root/fix;cd /root/fix

ftp://ftp.iasi.roedu.net/mirrors/centos.org/5.4/updates/x86_64/RPMS/

and get from there:

httpd-2.2.3-31.el5.centos.2.x86_64.rpm
httpd-devel-2.2.3-31.el5.centos.2.i386.rpm
httpd-devel-2.2.3-31.el5.centos.2.x86_64.rpm
mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm
openssl-0.9.8e-12.el5_4.1.i686.rpm
openssl-0.9.8e-12.el5_4.1.x86_64.rpm


after which:
cd /root/fix;rpm -Uhv *.rpm --oldpackage

pray to god, then /etc/init.d/sw-cp-server start;/etc/init.d/httpd restart

and it should be fixed for now.... until parallels will fix this, hopefully the next year.........
 
Download the older version of OpenSSL and put into /root

then as root

rpm -Uvh --oldpackage nameofpackage.rpm

if it complains about OpenSSL-devel being a dependency, then

yum remove openssl-devel

then run the rpm again.

You must have an early version of yum; downgrade is only available in later yum versions.
 
solved

I just solved the same problem on a VPS:

http://hostingaldescubierto.com/wordpress/2010/03/29/alerta-no-actualizar-servidores-plesk-9-3-a-openssl-0-9-8e-12-el5_4-6/

If you are using a VPS you can follow these steps:

rpm --erase --nodeps openssl-0.9.8e-12.el5_4.6

You may run into this error if you are on the x86_64 architecture:

rpm --erase --nodeps openssl-0.9.8e-12.el5_4.6
error: "openssl-0.9.8e-12.el5_4.6" specifies multiple packages

In that case proceed as follows:

rpm --erase openssl-0.9.8e-12.el5_4.6.x86_64 --nodeps
rpm --erase openssl-0.9.8e-12.el5_4.6 --nodeps

and to install the working version:

vzpkg install VEID -p openssl-0.9.8e-12.el5_4.1.x86_64

or download the rpm and install it inside the VPS:

cd /usr/src
wget ftp://ftp.pbone.net/mirror/ftp.cent..._64/RPMS/openssl-0.9.8e-12.el5_4.1.x86_64.rpm
rpm -ivh openssl-0.9.8e-12.el5_4.1.x86_64.rpm

and restart the service:

/etc/init.d/sw-cp-server restart
 
CentOS 5.4 RPM name that also breaks Plesk Panel 9.3.0:
openssl.i686 0:0.9.8e-12.el5_4.6
 
WORKAROUND:

Downgrade openssl, mod_ssl and httpd. E.g. for CentOS 5 x86 it will be:

For CentOS 5 x86_64:

# wget -c http://mirrors.kernel.org/centos/5/updates/x86_64/RPMS/{openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# rpm -Uvh --oldpackage {openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# /etc/init.d/sw-cp-server start
 
'yum downgrade' is not a standard yum command, but only available when the yum-allowdowngrade package is installed (not available on EL4). Manually downloading the packages and using rpm with the --oldpackage flag will also work.
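Both the workaround above and this note hinge on rpm's idea of "older": rpm -Uvh refuses a package whose epoch:version-release compares lower than the installed one unless --oldpackage is given, and yum-allowdowngrade just automates the same decision. The following added example (mine, not from the thread, Plesk or the rpm project) reimplements rpm's version comparison algorithm in Python, splits NVRA strings such as the ones quoted in this thread, and reports whether a given target package is a downgrade of what is installed. Function names are my own; the package names come from the posts above.

```python
import re
from typing import Optional, Tuple

# Architectures that may appear as the trailing '.arch' of an NVRA string.
KNOWN_ARCHES = {"x86_64", "i386", "i686", "noarch"}
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")  # ASCII version strings assumed


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm's rpmvercmp() does.
    Returns 1 if a is newer, -1 if b is newer, 0 if equal. Segments are runs of
    digits or letters; numeric segments compare as integers and beat alphabetic
    ones; '~' sorts before anything, including the end of the string."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators ('.', '_', '-', ...) but stop at alphanumerics and '~'.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        seg_a = _SEGMENT.match(a, i).group(0)
        seg_b = _SEGMENT.match(b, j).group(0)
        i += len(seg_a)
        j += len(seg_b)
        a_num, b_num = seg_a[0].isdigit(), seg_b[0].isdigit()
        if a_num != b_num:
            return 1 if a_num else -1  # numeric segment is newer than alphabetic
        if a_num:
            na, nb = int(seg_a), int(seg_b)
            if na != nb:
                return 1 if na > nb else -1
        elif seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever still has segments left is newer


def split_nvra(nvra: str) -> Tuple[str, int, str, str, Optional[str]]:
    """Split 'name-[epoch:]version-release[.arch][.rpm]' into its fields. Names
    may contain '-' (httpd-devel), so release and version are taken from the
    right and whatever remains is the name."""
    if nvra.endswith(".rpm"):
        nvra = nvra[:-4]
    arch = None
    stem, dot, tail = nvra.rpartition(".")
    if dot and tail in KNOWN_ARCHES:
        arch, nvra = tail, stem
    name_version, sep, release = nvra.rpartition("-")
    if not sep:
        raise ValueError("no release in %r" % nvra)
    name, sep, version = name_version.rpartition("-")
    if not sep:
        raise ValueError("no version in %r" % nvra)
    epoch = 0
    if ":" in version:
        epoch_str, _, version = version.partition(":")
        epoch = int(epoch_str)
    return name, epoch, version, release, arch


def evr_cmp(x: Tuple[int, str, str], y: Tuple[int, str, str]) -> int:
    """Compare (epoch, version, release): epoch dominates, then version, then release."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    r = rpmvercmp(x[1], y[1])
    return r if r else rpmvercmp(x[2], y[2])


def is_downgrade(installed: str, target: str) -> bool:
    """True when installing target over installed goes backwards in EVR, which
    is exactly when plain 'rpm -Uvh' refuses and --oldpackage is required."""
    n1, e1, v1, r1, _ = split_nvra(installed)
    n2, e2, v2, r2, _ = split_nvra(target)
    if n1 != n2:
        raise ValueError("different packages: %s vs %s" % (n1, n2))
    return evr_cmp((e1, v1, r1), (e2, v2, r2)) > 0


def rpm_upgrade_command(installed: str, target: str) -> str:
    """Build the rpm command line that would install target over installed."""
    flag = " --oldpackage" if is_downgrade(installed, target) else ""
    return "rpm -Uvh%s %s.rpm" % (flag, target)


if __name__ == "__main__":
    # Installed/target pairs taken from the package names quoted in this thread.
    for inst, tgt in [
        ("openssl-0.9.8e-12.el5_4.6.x86_64", "openssl-0.9.8e-12.el5_4.1.x86_64"),
        ("mod_ssl-2.2.3-31.el5.centos.4.x86_64", "mod_ssl-2.2.3-31.el5.centos.2.x86_64"),
    ]:
        print(rpm_upgrade_command(inst, tgt))
```

The comparison also explains the Fedora case in the first post: 0.9.8k versus 0.9.8n differs only in the trailing alphabetic segment, and "k" sorts before "n", so the panel's binaries built against k are now the older ones. Running is_downgrade() before a forced install gives you a record of exactly which package went backwards, which is what you will need when re-applying the current openssl once a fixed Plesk build is available.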
 
RHEL4

I am running new versions:

openssl-0.9.7a-43.17.el4_8.5
mod_ssl-2.0.52-41.ent.7
httpd-2.0.52-41.ent.7

Plesk control panel does not start.

What versions of each of these do I need to run for RHEL4?
 
WORKAROUND:

Downgrade openssl, mod_ssl and httpd. E.g. for CentOS 5 x86 it will be:


For CentOS 5 x86_64:

Hi IgorG,

Thank you for the workaround, but it's not a good idea to downgrade to software known to contain vulnerabilities.
When is Parallels going to release a hotfix?
 
Right, downgrade is not a good idea, but you can start your broken Plesk at least. Bugreport already submitted and developers are working on it right now. I hope that solution will be published soon.
 
The easiest fix is to temporarily disable SSL requirement for Plesk to start. This breaks security on the Plesk panel, but gets the panel back up and going.
To do this, open /etc/sw-cp-server/applications.d/plesk.conf and comment out (add a #) the line that starts with Include_shell "...ssl_conf.sh".
Then restart PSA via /etc/init.d/sw-cp-server start
 
12 hours later, any update on this? We have multiple servers now down because we've been left with only the choice of use a vulnerable openssl or turn the plesk interface off.
 