I am running Fedora 15 (2.6.32-042stab081.3, x64). I have OpenSSL 1.0.0j-fips 10 May 2012, which I understand not to be infected.
However, every test tool out there is reporting that the site may be vulnerable based on the age of the certificate. So while my system doesn’t need to be patched for this, the mass hysteria and panic suggest I should update so users are not told the site may be insecure by these “check tools”.
However, yum update is offering nothing. I can’t seem to find a newer rpm, so I’m at a loss as to how to update OpenSSL. Install from source?
Any advice or points would be a great help.
UPDATE:
I have downloaded the source for openssl-1.0.1g and installed from source, however when running openssl version, it still reports the old version?
Answer
While this should be a non-issue on Fedoras earlier than 18, my Fedora 17 happened to get detected by some vulnerability scanner. You shouldn’t update your SSL version by hand, since it would make your other packages, like httpd, stop working due to an incorrect ABI.
What I did was rebuild the RPM packages without heartbeat support:
$ yum groupinstall rpmdevtools
$ yumdownloader --source openssl
$ rpm -ivh ./openssl*.src.rpm
$ nano ~/rpmbuild/SPECS/openssl.spec
--- replace a line like: Release: 1%{?dist}
--- with something like: Release: 1%{?dist}.heartbleed
--- replace a line like: RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack"
--- with something like: RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DOPENSSL_NO_HEARTBEATS"
$ rpmbuild -ba ~/rpmbuild/SPECS/openssl.spec
$ i386 rpmbuild -ba ~/rpmbuild/SPECS/openssl.spec # execute it only if on x86_64
$ rpm -Fvh ~/rpmbuild/RPMS/*/openssl*.rpm
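To confirm what a rebuild like the one above produced, the following added example (not part of the original answer) classifies the output of `openssl version -a` by release and by the `-DOPENSSL_NO_HEARTBEATS` build flag. The function name `heartbeat_status` and the sample text are constructed for illustration; the affected range used is 1.0.1 through 1.0.1f.

```shell
#!/bin/sh
# heartbeat_status: read `openssl version -a` output on stdin and print
#   not-affected-version | heartbeats-disabled | in-affected-range | unknown
# Hypothetical helper written for this example.
heartbeat_status() {
    info=$(cat)
    # First line looks like: "OpenSSL 1.0.0j-fips 10 May 2012"
    ver=$(printf '%s\n' "$info" | awk 'NR==1 && $1=="OpenSSL" {print $2}')
    ver=${ver%-fips}                      # the FIPS suffix does not change the release
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    case $ver in
        1.0.1|1.0.1[a-f]) ;;              # releases that shipped the flawed heartbeat code
        *-*) echo unknown; return 0 ;;    # pre-release or vendor suffix: not classified here
        *)   echo not-affected-version; return 0 ;;
    esac
    # The "compiler:" line records the flags the library was built with,
    # which is where the spec-file change to RPM_OPT_FLAGS shows up.
    if printf '%s\n' "$info" | grep '^compiler:' \
            | grep -q -e '-DOPENSSL_NO_HEARTBEATS'; then
        echo heartbeats-disabled
    else
        echo in-affected-range
    fi
}

# Constructed sample modelled on a rebuilt package (not captured from a real host).
sample='OpenSSL 1.0.1e-fips 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -Wa,--noexecstack -DOPENSSL_NO_HEARTBEATS'
printf '%s\n' "$sample" | heartbeat_status

# Live use on the host being checked:
#   openssl version -a | heartbeat_status
```

The check reads build metadata only: a distribution package can carry a backported fix under an unchanged version string, so `in-affected-range` means the package changelog still needs to be checked.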
Attribution
Source: Link, Question Author: Shaun Forsyth, Answer Author: czaks