Why do I get different openssl versions?
I'm trying to check if I'm running the latest OpenSSL version; my main concern is the Heartbleed bug.
I tried 2 commands:

openssl version
yum info openssl

openssl version output:

OpenSSL 1.0.1e-fips 11 Feb 2013

yum info openssl output:

Installed Packages
Name : openssl
Arch : x86_64
Version : 1.0.1e
Release : 16.el6_5.14
...
I have a couple of questions:
- Why do I get different versions from these 2 commands?
- How do I check the heartbleed vulnerability without having the 443 port open?
The name of the RPM package is simply not the same as the version the software itself returns.
One of the reasons for that is that Red Hat & CentOS backport security updates and bug fixes to the software version that was initially shipped. They take a fix for a security flaw out of the most recent version of an upstream software package, i.e. openssl 1.0.1h, and apply that fix to the older version of the package that was distributed, i.e. openssl 1.0.1e. That policy is the reason for a patch level string in the package name in addition to the software version number.
The version output of the openssl version command remains unchanged at 1.0.1e regardless of your actual patch level.

rpm -q --changelog openssl

shows which updates the package maintainer has included in the version you have currently installed.
The most current version shows:
* Mon Jun 02 2014 Tom Mraz <tmraz redhat.com> 1.0.1e-16.14
- fix CVE-2010-5298 - possible use of memory after free
- fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment
- fix CVE-2014-0198 - possible NULL pointer dereference
- fix CVE-2014-0221 - DoS from invalid DTLS handshake packet
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability
- fix CVE-2014-3470 - client-side DoS when using anonymous ECDH
* Mon Apr 07 2014 Tom Mraz <tmraz redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
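A way to turn the changelog check above into a script that answers the second question (is the Heartbleed fix, CVE-2014-0160, present in the installed package, without touching port 443). This is an added example, not code from the answer or from Red Hat; the changelog text embedded below is constructed from the entries quoted in the answer, and the function and variable names are my own.

```shell
#!/bin/sh
# Constructed sample of `rpm -q --changelog openssl` output, copied from the
# two entries quoted in the answer (newest entry first, as rpm prints it).
SAMPLE_CHANGELOG='* Mon Jun 02 2014 Tom Mraz <tmraz redhat.com> 1.0.1e-16.14
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability
* Mon Apr 07 2014 Tom Mraz <tmraz redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

# changelog_mentions_cve CVE-ID CHANGELOG
# Exit 0 if the changelog records a "fix CVE-..." line for that CVE, else 1.
changelog_mentions_cve() {
    cve="$1"; changelog="$2"
    printf '%s\n' "$changelog" | grep -q -- "fix $cve"
}

# fixed_in_release CVE-ID CHANGELOG
# Prints the package release (last field of the "* <date> <author> <release>"
# header) of the first entry that lists the fix; prints nothing if absent.
fixed_in_release() {
    cve="$1"; changelog="$2"
    printf '%s\n' "$changelog" | awk -v cve="$cve" '
        /^\* /                 { release = $NF }
        index($0, "fix " cve)  { print release; exit }'
}

# check_installed_openssl CVE-ID
# Queries the real RPM database (needs rpm, i.e. RHEL/CentOS/Fedora).
# Exit 0 = fix listed, 1 = fix not listed, 2 = could not query.
check_installed_openssl() {
    cve="$1"
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 2; }
    changelog=$(rpm -q --changelog openssl) || return 2
    if changelog_mentions_cve "$cve" "$changelog"; then
        echo "$cve fixed in openssl release $(fixed_in_release "$cve" "$changelog")"
        return 0
    fi
    echo "$cve not listed in the openssl changelog: update the package" >&2
    return 1
}
```

Run it as `check_installed_openssl CVE-2014-0160` on the host in question; a listed fix only means the library on disk is patched, so services that loaded the old library still need a restart (or a reboot) before they are protected.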