openssl-devel < 1.1 is needed by openssh-7.9p1-1.el7.x86_64

Discussion in 'General Server' started by Neyoo, Feb 5, 2019.

  1. Neyoo

    Neyoo New Member

    Hello,
    I have set up rpmbuild on a CentOS server. I am trying to build openssh-7.9, which is not available in the CentOS repo.
    When I run the command below:

    [email protected] redhat]$ rpmbuild -ba openssh.spec
    error: Failed build dependencies:
    openssl-devel < 1.1 is needed by openssh-7.9p1-1.el7.x86_64

    I cannot seem to find any article that can help with the installation of openssl-devel-1.1 on CentOS.
    Can anyone please assist?
    Thanks



     
  2. wizardfromoz

    wizardfromoz Super Moderator
    Staff Member Gold Supporter

    G'day @Neyoo and welcome to linux.org :)

    I do not know about server matters but I am moving this to General Server where it may attract the answers you need.

    Chris Turner
    wizardfromoz
     
  3. Rob

    Rob Administrator
    Staff Member

    Hey there Neyoo, welcome to linux.org!

    Have you tried other repos like epel or remi? They generally have newer versions.

    The base CentOS repos have older main versions which are super-stable and they do keep up on the security patches.. so for instance.. PHP 5.4 is EOL I believe, but it's the newest you can get from the base repos. They have, however, applied all of the security patches (at least for CentOS 6 and 7). I installed PHP 7.3 from remi earlier today for work on a server.

    Are you looking for that version of openssl because you need new features or?

    Rob
     
  4. Neyoo

    Neyoo New Member

    Thank you for a quick response. The current openssh on CentOS is 'OpenSSH_7.6p1, OpenSSL 1.0.2k-fips', but the security guy ran a vulnerability scan and requested we update to the latest openssh version available, which is Openssh_7.9. When I try to build the package using rpmbuild, it requests openssl-devel-1.1 as a dependency, which I have not been able to install due to other dependencies.
     
  5. Rob

    Rob Administrator
    Staff Member

    Ah, ok.. what version of CentOS are you using?

    Both CentOS 6 and 7 will have patched versions of openssh.. so you're fine w/ the vuln scanning.

    Example.. I'm running CentOS 6 on a machine:
    Code:
    [email protected] [~]# rpm -q openssh
    openssh-5.3p1-123.el6_9.x86_64
    There, we have openssh v. 5.3p1, but patch level 123.

    You can look through the updates on it by using the rpm command:
    Code:
    [email protected] [~]# rpm -qa --changelog openssh|less
    (hit q to quit)

    You'll see things like:
    Code:
    * Thu Aug 03 2017 Jakub Jelen <[email protected]> - 5.3p1-123
    - Fix for CVE-2016-6210: User enumeration via covert timing channel (#1357442)
    
    * Mon Dec 19 2016 Jakub Jelen <[email protected]> - 5.3p1-122
    - Allow to use ibmca crypto hardware (#1397547)
    - CVE-2015-8325: privilege escalation via user's PAM environment and UseLogin=yes (1405374)
    
    * Thu Dec 15 2016 Jakub Jelen <[email protected]> - 5.3p1-121
    - Fix missing hmac-md5-96 from server offer (#1373836)
    
    * Wed Nov 02 2016 Jakub Jelen <[email protected]> - 5.3p1-120
    - Prevent infinite loop when Ctrl+Z pressed at password prompt (#1218424)
    - Remove RC4 cipher and MD5 based MAC from the default client proposal (#1373836)
    which shows various CVE numbers that the software is patched for... is there a particular CVE they're complaining about?

    Be assured, your openssh version is patched well for most companies' scanning departments. I worked at a "large cable company" and was able to prove to them we were fine by pasting the output of the changelog in their tickets, etc..

    These versions are patched for stability.. so prod servers work flawlessly without introducing new possible bugs in newer, less tested versions.

    Tell them in the ticket that you have the "latest, patched, stable version from the vendor" and ask them which CVE they're referencing.. then paste the proof from the changelog.
     
    #5 Rob, Feb 6, 2019
    Last edited: Feb 6, 2019
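
The changelog check described in post #5, as an added example that is not part of the thread: it maps each CVE ID from a scanner finding to the package release whose changelog entry records the backported fix. The function names, the placeholder packager address and the `CVE-0000-0000` ID used in testing are assumptions made for illustration; the sample changelog is the excerpt quoted in the post.

```shell
#!/usr/bin/env bash
# Added example: find the changelog entry that records a backported CVE fix.

# Constructed sample: the excerpt quoted in post #5, packager address replaced
# by a placeholder. On a real host use: rpm -q --changelog openssh
sample_changelog() {
cat <<'EOF'
* Thu Aug 03 2017 Jakub Jelen <packager@example.invalid> - 5.3p1-123
- Fix for CVE-2016-6210: User enumeration via covert timing channel (#1357442)

* Mon Dec 19 2016 Jakub Jelen <packager@example.invalid> - 5.3p1-122
- Allow to use ibmca crypto hardware (#1397547)
- CVE-2015-8325: privilege escalation via user's PAM environment and UseLogin=yes (1405374)

* Thu Dec 15 2016 Jakub Jelen <packager@example.invalid> - 5.3p1-121
- Fix missing hmac-md5-96 from server offer (#1373836)
EOF
}

# cve_fix_release CVE-ID   (changelog text on stdin)
# Prints the version-release of the first entry mentioning the CVE.
# Returns 1 if no entry mentions it, 2 if the ID is malformed.
cve_fix_release() {
  printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$' || return 2
  awk -v cve="$1" '
    /^\* / { rel = $NF }                  # entry header ends in version-release
    $0 ~ (cve "([^0-9]|$)") { print rel; found = 1; exit }  # no prefix matches
    END { exit (found ? 0 : 1) }
  '
}

# triage CVE-ID...   one line per scanner finding, for pasting into the ticket
triage() {
  changelog=$(sample_changelog)           # real host: $(rpm -q --changelog openssh)
  for cve in "$@"; do
    if rel=$(printf '%s\n' "$changelog" | cve_fix_release "$cve"); then
      echo "$cve fixed-in $rel"
    else
      echo "$cve not-in-changelog"
    fi
  done
}

if [ "$#" -gt 0 ]; then triage "$@"; fi
```

A `not-in-changelog` result only means the package changelog does not name that CVE; that is the ID to ask the scanning team about.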
