Reputation: 15
I have a CentOS 7 installation running httpd-2.4.35 and openssl-1.0.2k, but due to vulnerability findings, I need to update OpenSSL to at least 1.0.2s, preferably u. Unfortunately, I cannot find RPMs for these packages, which would make it a lot simpler. I have tried to upgrade using the tarball provided by OpenSSL but, although the installation works, httpd still uses OpenSSL-1.0.2k. It seems that I am not doing all the actions that the RPM installation is doing. Does anyone know if I can find these newer OpenSSL 1.0.2 RPM packages somewhere or how to force httpd (installed via RPM) to use another version of OpenSSL?
Thanks!
Upvotes: 1
Views: 4569
Reputation: 429
If you are using OpenSSL 1.0.2k from the RPM package provided by CentOS 7, you are going to receive OpenSSL security updates via yum update until June 2024. Red Hat with RHEL 7, upstream of CentOS 7, is backporting security fixes. This means that there is no rebase to a new version such as 1.0.2s, but 1.0.2k will get a patch added resolving the security flaw. A recently active Red Hat community discussion is covering almost the same topic and referring to the same explanation.
Unfortunately you are not referring to a specific security flaw to provide a specific example. If you would like to know which RPM package fixes CVE-2020-1971, you can visit https://access.redhat.com/security/cve/cve-2020-1971 and figure out there that errata RHSA-2020:5566 contains the fix, thus RPM package "openssl-1.0.2k-21.el7_9". And if you are e.g. on "openssl-1.0.2k-19.el7" (which can be figured out using e.g. rpm -q openssl), this indeed means you should apply updates using yum update.
Upvotes: 3
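The comparison described in the answer above (installed build against the build named in the erratum) can be scripted. The following is an added example, not part of the original answer: a simplified reimplementation of RPM's version ordering in Python, where the function names are hypothetical and both packages are assumed to share the same epoch.

```python
import re

# Architecture suffixes that `rpm -q` may append to the release field.
ARCH_SUFFIX = re.compile(r"\.(x86_64|i686|noarch|aarch64|ppc64le|s390x)$")


def rpmvercmp(a, b):
    """Order two version or release strings the way RPM does.

    Simplified: handles digit and letter segments, not the '~' and '^' markers.
    Returns -1, 0 or 1.
    """
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def split_nvr(nvr):
    """Split 'openssl-1.0.2k-19.el7[.x86_64]' into (name, version, release)."""
    name, version, release = ARCH_SUFFIX.sub("", nvr.strip()).rsplit("-", 2)
    return name, version, release


def has_fix(installed, fixed):
    """True if the installed build is the fixed build or a newer one."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError("different packages: %s vs %s" % (n1, n2))
    # Version decides first; the release breaks ties (epoch assumed equal).
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0


if __name__ == "__main__":
    fixed = "openssl-1.0.2k-21.el7_9"  # build named for RHSA-2020:5566 in the answer
    for installed in ("openssl-1.0.2k-19.el7", "openssl-1.0.2k-21.el7_9.x86_64"):
        verdict = "has the fix" if has_fix(installed, fixed) else "needs yum update"
        print(installed, "->", verdict)
```

Because the upstream version stays at 1.0.2k under backporting, the decision falls entirely to the release field (19.el7 against 21.el7_9), which is why a scanner that only looks at the "1.0.2k" string reports a false positive.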