As you might have seen on the OpenSSL update stream, a new update for OpenSSL was released to address the SSL/TLS MITM vulnerability.
As stated in the update stream:
An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution. OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za. OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
As you might know, it's a bit hard to tell which version of OpenSSL needs to be installed on CentOS to make sure you are covered.
Looking at the Red Hat update stream site and then the actual Bug Report, you can see that the package version we need is
openssl 1.0.1e-16.el6_5.14
Red Hat backports security fixes into its existing package version, so the fix is identified by the package release number (16.el6_5.14), not by the upstream version letter. So simply log into your server and run the following commands, making sure you end up with version 1.0.1e-16.el6_5.14 installed:
yum clean all
yum check-update
yum install openssl
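As an added example (not from the original post) that makes the version check explicit: a Python script that compares the installed openssl package's VERSION-RELEASE against 1.0.1e-16.el6_5.14 the way rpm orders versions, so the release field decides rather than the upstream letter. The simplified rpmvercmp and the fallback sample value are assumptions of this example; the rpm query flags are real.

```python
import re
import subprocess

# Fixed CentOS 6 build named in the post for CVE-2014-0224 (VERSION-RELEASE).
FIXED_VR = "1.0.1e-16.el6_5.14"
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpm_vercmp(a, b):
    """Simplified rpmvercmp (assumption: rpm's '~' and '^' rules are omitted).
    Strings split into alpha/numeric segments, separators dropped, so
    "16.el6_5.14" -> ["16", "el", "6", "5", "14"]. Numbers compare as integers
    (14 > 7, unlike a string compare), letters as strings, a number beats a
    letter segment, and leftover segments make that side newer. Returns -1/0/1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1

def is_fixed(installed_vr, fixed_vr=FIXED_VR):
    """True if VERSION-RELEASE is at or above the fixed build. Version is
    compared first and only a tie lets the release decide: on CentOS the
    version stays 1.0.1e and the backported fix shows only in the release."""
    iv, ir = installed_vr.split("-", 1)
    fv, fr = fixed_vr.split("-", 1)
    return (rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)) >= 0

def installed_openssl_vr():
    """Ask rpm for the installed package (first line if several arches)."""
    out = subprocess.check_output(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}\n", "openssl"])
    return out.decode().splitlines()[0]

if __name__ == "__main__":
    try:
        vr = installed_openssl_vr()
    except (OSError, subprocess.CalledProcessError):
        vr = "1.0.1e-16.el6_5.7"  # constructed sample for hosts without rpm
    print(vr, "is fixed" if is_fixed(vr) else "is NOT fixed: run the yum update")
```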
SOLVED: CentOS OpenSSL SSL/TLS MITM vulnerability – Virtualmin – Update Version 1.0.1e-16.el6_5.14 – (CVE-2014-0224)
The report clearly tells all users on openssl 1.0.1 to upgrade to 1.0.1h
“OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h”
^
So why are you telling them openssl 1.0.1e-16.el6_5.14 is okay?
^
See the ‘e’ there?