Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update of libssl #737

Closed
mdicss opened this issue Jan 19, 2024 · 5 comments
Closed

Update of libssl #737

mdicss opened this issue Jan 19, 2024 · 5 comments
Assignees
@markuslf
Labels
enhancement New feature or request
Milestone
M005

Comments

@mdicss
Copy link

mdicss commented Jan 19, 2024

Describe the solution you'd like

Hi
A security-scan of our icinga installation reported a problem with libssl.so.10, which is included in the _internal folder of the compiled plugins.
See:
https://cve.org/CVERecord?id=CVE-2022-1292
http://www.nessus.org/u?d5a8df0f
It would be good, to have a new release of the plugins with the libssl updated to the newest version.
Regards, Matthias

Additional context

No response
@mdicss mdicss added the enhancement New feature or request label Jan 19, 2024
@markuslf
Copy link
Member

Thank you for your report. Can you provide these details as well?

Which variant of the Monitoring Plugins do you use?

  • .rpm/.deb package from repo.linuxfabrik.ch
  • Compiled for Linux (.tar/.zip from download.linuxfabrik.ch)

Plugin Version

  • Result of plugin-name --version (output e.g. about-me: v2023010603 by Linuxfabrik GmbH, Zurich/Switzerland)

@mdicss
Copy link
Author

mdicss commented Jan 22, 2024
edited

Hi Markus
We use the compiled version for linux. I've just seen, that we actually have version v2023112901 but on some observed machines, we still have v2022071801. So I think, you already have updated the libssl in the new plugin release?

It looks like the same library version. I used the following command and the output is the same with both versions, also the filesize is the same.

$ strings libssl.so.10 | grep "1.0"
OPENSSL_1.0.1
OPENSSL_1.0.1_EC
OPENSSL_1.0.2
SSLv3 part of OpenSSL 1.0.2k-fips 26 Jan 2017
TLSv1 part of OpenSSL 1.0.2k-fips 26 Jan 2017
DTLSv1 part of OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL 1.0.2k-fips 26 Jan 2017
libssl.so.1.0.2k.debug

@markuslf
Copy link
Member

We'll have a look, thank you.

@markuslf markuslf self-assigned this Jan 22, 2024
@mdicss
Copy link
Author

mdicss commented Apr 19, 2024

Any news here?

@markuslf markuslf added this to the M005 milestone Apr 19, 2024
@markuslf
Copy link
Member

markuslf commented May 29, 2024
edited

To ensure maximum compatibility between different Linux versions (keyword: glibc), as of today (2024-05-29) all plugins for the .zip/tar.gz file are compiled on CentOS 7. CentOS 7 currently ships with openssl 1.0.2k. For Debian and RHEL compatible operating systems, we provide .deb/.rpm packages on https://repo.linuxfabrik.ch/, which are all built on their respective platforms.

On 2024-06-30 CentOS 7 will reach its EOL. We still need to check which platform we want to compile our plugins on after that to get maximum compatibility for the resulting binaries.

So we will not fix this for now. However, the problem will be solved with a new release after 2024-06-30.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@markuslf markuslf

Labels
enhancement New feature or request
Projects
None yet
Milestone
M005
Development

No branches or pull requests
2 participants
@markuslf @mdicss