Hello Members,
We have created 5 VMs with CentOS release 6.4 (Final) for Nagios XI from the same image.
We have used only one server for our POC, which currently has OpenSSL 1.0.1e-fips 11 Feb 2013, which has the Heartbleed vulnerability.
The rest of the VMs have OpenSSL 1.0.0-fips 29 Mar 2010, as we have not installed anything on them.
Our Unix admins have raised a concern that the Nagios full-install script is upgrading the OpenSSL version from OpenSSL 1.0.0-fips 29 Mar 2010 to OpenSSL 1.0.1e-fips 11 Feb 2013.
We are using Nagios XI version 2012R2.8c.
Please confirm if the script is doing this and, if yes, how to solve the issue.
Please also suggest, if the script is upgrading OpenSSL, whether we have another version which will not do the same.
OpenSSL heartbleed vulnerability with Nagios XI
Thanks & Regards,
I2MP Team.
Re: OpenSSL heartbleed vulnerability with Nagios XI
I just spun up a 6.4 box, installed XI, and then updated openssl. I am now on 1.01e-16. What repos are you using?
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
sreinhardt
Re: OpenSSL heartbleed vulnerability with Nagios XI
You are correct, the full install will upgrade any and all packages that are available for update. I am not sure if 6.4 contains the heartbleed fix or not. I do know that since they do not change version numbers, you would be looking for openssl-1.0.1e-16 or newer. Specifically that -16 is saying that it has 16 patches backported since the major version was included. You could also exclude openssl and openssl-devel from being upgraded in your yum configs, but that is not suggested as other things might be depending on newer functionality.
You should find more information here, that indicates 6.4 is in fact patched with the newest versions. http://www.centosblog.com/critical-open ... os-system/
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
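As an added example (not from this thread, Nagios or CentOS), a POSIX shell check for the point sreinhardt makes: CentOS backports the fix without changing the upstream 1.0.1e string, so `openssl version` cannot tell you anything and only the rpm release field decides. The function names are mine; the default threshold 16.el6_5.7 is assumed to be the full release string of the CentOS 6 Heartbleed update, of which the "-16" quoted in the reply is only the first segment, and it is a parameter so you can substitute your own.

```shell
#!/bin/sh
# Classify a CentOS 6 openssl package, given as VERSION-RELEASE (what
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl
# prints), for exposure to Heartbleed (CVE-2014-0160).

# Order two rpm release strings (e.g. "16.el6_5.7" vs "16.el6_5.4") the way
# rpm does: split on '.', '_', '-'; compare digit runs numerically and other
# runs as strings. Prints -1, 0 or 1 (first is older, equal, newer).
release_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[._-]"); m = split(b, y, "[._-]")
        for (i = 1; i <= n && i <= m; i++) {
            if (x[i] ~ /^[0-9]+$/ && y[i] ~ /^[0-9]+$/) {
                if (x[i] + 0 != y[i] + 0) { r = (x[i] + 0 < y[i] + 0) ? -1 : 1; print r; exit }
            } else if (x[i] != y[i]) { r = (x[i] < y[i]) ? -1 : 1; print r; exit }
        }
        r = (n < m) ? -1 : (n > m) ? 1 : 0; print r
    }'
}

# Print not_affected, vulnerable, patched or unknown for "$1" (VERSION-RELEASE).
# "$2" is the first fixed release; the assumed default is the full release of
# the CentOS 6 update (an earlier 16.el6_5.4 build was still vulnerable, so
# comparing the "16" alone is not enough).
heartbleed_status() {
    evr=$1
    fixed=${2:-16.el6_5.7}
    version=${evr%%-*}
    release=${evr#*-}
    case $version in
        1.0.1|1.0.1[a-f]) ;;                  # upstream 1.0.1 through 1.0.1f carry the bug
        *) echo not_affected; return ;;       # 1.0.0, 0.9.8 and 1.0.1g+ never had it
    esac
    if [ "$release" = "$evr" ]; then          # no release field, so nothing to compare
        echo unknown; return
    fi
    if [ "$(release_cmp "$release" "$fixed")" -ge 0 ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Check every installed openssl package on this host (i686 and x86_64 may both be present).
check_installed() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl | while read -r evr; do
        printf 'openssl-%s: %s\n' "$evr" "$(heartbleed_status "$evr")"
    done
}

[ "${1:-}" = "--installed" ] && check_installed
```

Run it with `--installed` on each VM; a result of `vulnerable` on a box that has been through the full install means yum pulled 1.0.1e but not yet the patched release, so `yum update openssl` rather than a yum exclude is the fix.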