Hi, if you weren't aware, there is an announcement about an OpenSSL security issue on the Fedora announce list. Here's the post:
https://lists.fedoraproject.org/pipermail/announce/2014-June/003216.html
The updates referenced in the announcement are still in the process of being pushed out to mirrors. However, you can pull the updates directly from Fedora's koji instance if you don't want to wait:
For Fedora 19 x86_64:
yum -y install koji koji download-build --arch=x86_64 openssl-1.0.1e-38.fc19 yum localinstall openssl-1.0.1e-38.fc19.x86_64.rpm
For Fedora 20 x86_64:
yum -y install koji koji download-build --arch=x86_64 openssl-1.0.1e-38.fc20 yum localinstall openssl-1.0.1e-38.fc20.x86_64.rpm
On Thu, Jun 05, 2014 at 01:28:51PM -0400, Paul W. Frields wrote:
Hi, if you weren't aware, there is an announcement about an OpenSSL security issue on the Fedora announce list. Here's the post:
https://lists.fedoraproject.org/pipermail/announce/2014-June/003216.html
The updates referenced in the announcement are still in the process of being pushed out to mirrors. However, you can pull the updates directly from Fedora's koji instance if you don't want to wait:
Corrections to make this a little easier:
For Fedora 19 x86_64:
yum -y install koji koji download-build --arch=x86_64 openssl-1.0.1e-38.fc19
yum localupdate openssl*-1.0.1e-38.fc19.x86_64.rpm
For Fedora 20 x86_64:
yum -y install koji koji download-build --arch=x86_64 openssl-1.0.1e-38.fc20
yum localupdate openssl*-1.0.1e-38.fc20.x86_64.rpm
Also, keep in mind that if you have multilib packages installed, you may need to omit the --arch options above and do something like `yum localupdate openssl*rpm` instead to grab and update the additional packages.
On 05/06/14 19:38, Paul W. Frields wrote:
On Thu, Jun 05, 2014 at 01:28:51PM -0400, Paul W. Frields wrote:
Hi, if you weren't aware, there is an announcement about an OpenSSL security issue on the Fedora announce list. Here's the post:
https://lists.fedoraproject.org/pipermail/announce/2014-June/003216.html
The updates referenced in the announcement are still in the process of being pushed out to mirrors. However, you can pull the updates directly from Fedora's koji instance if you don't want to wait:
Corrections to make this a little easier:
For Fedora 19 x86_64:
yum -y install koji koji download-build --arch=x86_64 openssl-1.0.1e-38.fc19
yum localupdate openssl*-1.0.1e-38.fc19.x86_64.rpm
For Fedora 20 x86_64:
yum -y install koji koji download-build --arch=x86_64 openssl-1.0.1e-38.fc20
yum localupdate openssl*-1.0.1e-38.fc20.x86_64.rpm
Also, keep in mind that if you have multilib packages installed, you may need to omit the --arch options above and do something like `yum localupdate openssl*rpm` instead to grab and update the additional packages.
Isn't openssl-libs missing?
On Thu, 05 Jun 2014 20:28:18 +0200, Erik P. Olsen wrote:
For Fedora 20 x86_64:
yum -y install koji koji download-build --arch=x86_64 openssl-1.0.1e-38.fc20
yum localupdate openssl*-1.0.1e-38.fc20.x86_64.rpm
Also, keep in mind that if you have multilib packages installed, you may need to omit the --arch options above and do something like `yum localupdate openssl*rpm` instead to grab and update the additional packages.
Isn't openssl-libs missing?
No. It is part of the koji "build".
$ koji download-build --arch=x86_64 openssl-1.0.1e-38.fc20 openssl-perl-1.0.1e-38.fc20.x86_64.rpm | 106 kB 00:00 !!! openssl-libs-1.0.1e-38.fc20.x86_64.rpm | 1.8 MB 00:01 !!! openssl-devel-1.0.1e-38.fc20.x86_64.rpm | 2.3 MB 00:01 !!! openssl-static-1.0.1e-38.fc20.x86_64.rpm | 1.9 MB 00:00 !!! openssl-1.0.1e-38.fc20.x86_64.rpm | 1.4 MB 00:01 !!!
yum -y install koji koji download-build --arch=x86_64 openssl-1.0.1e-38.fc20
yum localupdate openssl*-1.0.1e-38.fc20.x86_64.rpm
A while ago someone posted this method which seems to work well enough and takes care of the dependencies without installing needless *-dev options. Basically you need to create the koji repo file and then use yum to download the needed rpms automatically.
/etc/yum.repos.d/koji.repo:
[koji] name=Koji Repo baseurl=http://koji.fedoraproject.org/repos/f$releasever-build/latest/$basearch/ enabled=0 skip_if_unavailable=1 gpgcheck=0
and then run:
yum install openssl --enablerepo=updates-testing,koji
-wolfgang
On 05/06/14 20:32, Michael Schwendt wrote:
On Thu, 05 Jun 2014 20:28:18 +0200, Erik P. Olsen wrote:
For Fedora 20 x86_64:
yum -y install koji koji download-build --arch=x86_64 openssl-1.0.1e-38.fc20
yum localupdate openssl*-1.0.1e-38.fc20.x86_64.rpmAlso, keep in mind that if you have multilib packages installed, you may need to omit the --arch options above and do something like `yum localupdate openssl*rpm` instead to grab and update the additional packages.
Isn't openssl-libs missing?
No. It is part of the koji "build".
$ koji download-build --arch=x86_64 openssl-1.0.1e-38.fc20 openssl-perl-1.0.1e-38.fc20.x86_64.rpm | 106 kB 00:00 !!! openssl-libs-1.0.1e-38.fc20.x86_64.rpm | 1.8 MB 00:01 !!! openssl-devel-1.0.1e-38.fc20.x86_64.rpm | 2.3 MB 00:01 !!! openssl-static-1.0.1e-38.fc20.x86_64.rpm | 1.9 MB 00:00 !!! openssl-1.0.1e-38.fc20.x86_64.rpm | 1.4 MB 00:01 !!!
Oh, I have both x86_64 and i686 version of openssl-libs installed and the i686 version is not in koji.
On Thu, 05 Jun 2014 21:26:42 +0200, Erik P. Olsen wrote:
Oh, I have both x86_64 and i686 version of openssl-libs installed and the i686 version is not in koji.
Of course it is!
Paul has mentioned that then you need to drop the "--arch=x86_64" option from the koji download command.
On 05/06/14 21:57, Michael Schwendt wrote:
On Thu, 05 Jun 2014 21:26:42 +0200, Erik P. Olsen wrote:
Oh, I have both x86_64 and i686 version of openssl-libs installed and the i686 version is not in koji.
Of course it is!
Paul has mentioned that then you need to drop the "--arch=x86_64" option from the koji download command.
Yes, I saw that but since openssl-libs is the only i686 version I had expected it to come with arch=x86_64 build. I am not familiar at all with the koji stuff.
On Thu, 05 Jun 2014 22:18:08 +0200, Erik P. Olsen wrote:
Oh, I have both x86_64 and i686 version of openssl-libs installed and the i686 version is not in koji.
Of course it is!
Paul has mentioned that then you need to drop the "--arch=x86_64" option from the koji download command.
Yes, I saw that but since openssl-libs is the only i686 version I had expected it to come with arch=x86_64 build. I am not familiar at all with the koji stuff.
In short: In the Fedora Build System - http://koji.fedoraproject.org/koji/ - a source RPM package is built for at least one target architecture. Hence for the openssl src.rpm there are separate build results for x86_64 and i686 (and any other primary archs that may have been configured). The builds for all architectures must succeed, or else the complete build job is considered a failed attempt.
In the package repositories, the i686 build of openssl-libs is published in the x86_64 repository by a repository compose tool ("mash"). It knows several strategies to determine which packages are to be put in a multiarch repository.
On Thu, Jun 05, 2014 at 01:28:51PM -0400, Paul W. Frields wrote:
Hi, if you weren't aware, there is an announcement about an OpenSSL security issue on the Fedora announce list. Here's the post:
https://lists.fedoraproject.org/pipermail/announce/2014-June/003216.html
The updates referenced in the announcement are still in the process of being pushed out to mirrors. However, you can pull the updates directly from Fedora's koji instance if you don't want to wait:
Corrections to make this a little easier:
For Fedora 19 x86_64:
yum -y install koji koji download-build --arch=x86_64 openssl-1.0.1e-38.fc19
yum localupdate openssl*-1.0.1e-38.fc19.x86_64.rpm
For Fedora 20 x86_64:
yum -y install koji koji download-build --arch=x86_64 openssl-1.0.1e-38.fc20
yum localupdate openssl*-1.0.1e-38.fc20.x86_64.rpm
Also, keep in mind that if you have multilib packages installed, you may need to omit the --arch options above and do something like `yum localupdate openssl*rpm` instead to grab and update the additional packages.
Thanks for this.
Is it sufficient simply to *install* (update) this package? Does anything need to be restarted in order for it to be fully effective? (I tend to reboot only once per month - but I will make an exception if necessary)
On Fri, 2014-06-06 at 15:34 +0100, Arthur Dent wrote:
Is it sufficient simply to *install* (update) this package? Does anything need to be restarted in order for it to be fully effective? (I tend to reboot only once per month - but I will make an exception if necessary)
OpenSSL is a library, so anything using it needs to be restarted. Use /usr/bin/needs-restarting if you're not sure.
poc
-
Arthur Dent -
Erik P. Olsen -
Michael Schwendt -
Patrick O'Callaghan -
Paul W. Frields -
Wolfgang S. Rupprecht