openssl-devel < 1.1 is needed by openssh-7.9p1-1.el7.x86_64

Neyoo

New Member
Hello,
I have set up rpmbuild on a CentOS server. I am trying to build openssh-7.9, which is not available in the CentOS repo.
When I run the command below:

[email protected] redhat]$ rpmbuild -ba openssh.spec
error: Failed build dependencies:
openssl-devel < 1.1 is needed by openssh-7.9p1-1.el7.x86_64

I cannot seem to find any article that can help with the installation of openssl-devel-1.1 on CentOS.
Can anyone please assist?
Thanks
 


wizardfromoz

Super Moderator
Staff member
Gold Supporter
G'day @Neyoo and welcome to linux.org :)

I do not know about server matters but I am moving this to General Server where it may attract the answers you need.

Chris Turner
wizardfromoz
 

Rob

Administrator
Staff member
Hey there Neyoo, welcome to linux.org!

Have you tried other repos like epel or remi? They generally have newer versions.

The base CentOS repos have older main versions which are super-stable and they do keep up on the security patches.. so for instance.. php 5.4 is EOL I believe, but it's the newest you can get from the base repos. They have, however, applied all of the security patches (at least for cent 6 and 7). I installed php 7.3 from remi earlier today for work on a server.

Are you looking for that version of openssl because you need new features or?

Rob
 

Neyoo

New Member
Thank you for a quick response. The current openssh on CentOS is 'OpenSSH_7.6p1, OpenSSL 1.0.2k-fips', but the security guy ran a vulnerability scan and requested we update to the latest openssh version available, which is Openssh_7.9. When I try to build the package using rpmbuild, it requested openssl-devel-1.1 as a dependency, which I have not been able to install due to other dependencies.
 

Rob

Administrator
Staff member
Ah, ok.. what version of centos are you using?

Both Centos 6 and 7 will have patched versions of openssh.. so you're fine w/ the vuln scanning.

Example.. I'm running CentOS 6 on a machine:
Code:
[email protected] [~]# rpm -q openssh
openssh-5.3p1-123.el6_9.x86_64
There, we have openssh v. 5.3p1, but patch level 123.

You can look through the updates on it by using the rpm command:
Code:
[email protected] [~]# rpm -qa --changelog openssh|less
(hit q to quit)

You'll see things like:
Code:
* Thu Aug 03 2017 Jakub Jelen <[email protected]> - 5.3p1-123
- Fix for CVE-2016-6210: User enumeration via covert timing channel (#1357442)

* Mon Dec 19 2016 Jakub Jelen <[email protected]> - 5.3p1-122
- Allow to use ibmca crypto hardware (#1397547)
- CVE-2015-8325: privilege escalation via user's PAM environment and UseLogin=yes (1405374)

* Thu Dec 15 2016 Jakub Jelen <[email protected]> - 5.3p1-121
- Fix missing hmac-md5-96 from server offer (#1373836)

* Wed Nov 02 2016 Jakub Jelen <[email protected]> - 5.3p1-120
- Prevent infinite loop when Ctrl+Z pressed at password prompt (#1218424)
- Remove RC4 cipher and MD5 based MAC from the default client proposal (#1373836)
which shows various CVE numbers that the software is patched for... is there a particular CVE they're complaining about?

Be assured, your openssh version is patched well for most companies' scanning departments. I worked at a "large cable company" and was able to prove to them we were fine by pasting the output of the changelog in their tickets, etc..

These versions are patched for stability.. so prod servers work flawlessly without introducing new possible bugs in newer, less tested versions.

Tell them in the ticket that you have the "latest, patched, stable version from the vendor" and ask them which CVE they're referencing.. then paste the proof from the changelog.
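
The changelog check described in the reply above, as an added example that is not part of the original thread: a small shell function that takes the CVE IDs from a scanner report and looks each one up in `rpm -q --changelog` output, reporting the package release that carries the fix. The function names are hypothetical, the sample input is the changelog excerpt quoted above (packager e-mail addresses omitted), and `CVE-0000-0000` is a constructed placeholder for an ID that is not in the changelog.

```shell
#!/bin/sh
# Added example: map scanner-reported CVE IDs to the package release whose
# changelog entry mentions them (backported fixes keep the old upstream version).

# Sample input: the changelog excerpt quoted in the thread, e-mails omitted.
sample_changelog() {
cat <<'EOF'
* Thu Aug 03 2017 Jakub Jelen - 5.3p1-123
- Fix for CVE-2016-6210: User enumeration via covert timing channel (#1357442)

* Mon Dec 19 2016 Jakub Jelen - 5.3p1-122
- Allow to use ibmca crypto hardware (#1397547)
- CVE-2015-8325: privilege escalation via user's PAM environment and UseLogin=yes (1405374)

* Thu Dec 15 2016 Jakub Jelen - 5.3p1-121
- Fix missing hmac-md5-96 from server offer (#1373836)
EOF
}

# Usage: <changelog on stdin> | cve_report CVE-ID...
# Prints "<CVE> fixed in <version-release>" or "<CVE> not in changelog".
cve_report() {
  awk -v wanted="$*" '
    BEGIN { n = split(wanted, ids, " ") }
    /^\* / { rel = $NF; next }   # entry header: last field is version-release
    {
      for (i = 1; i <= n; i++) {
        p = index($0, ids[i])
        # Reject prefix hits: CVE-2016-621 must not match CVE-2016-6210.
        # Changelogs are conventionally newest-first, so the last match kept
        # here is the oldest release that mentions the CVE.
        if (p && substr($0, p + length(ids[i]), 1) !~ /[0-9]/) fixed[ids[i]] = rel
      }
    }
    END {
      for (i = 1; i <= n; i++)
        print ids[i], ((ids[i] in fixed) ? ("fixed in " fixed[ids[i]]) : "not in changelog")
    }'
}

# Demo on the sample; on the server, feed the real changelog instead:
#   rpm -q --changelog openssh | cve_report CVE-2016-6210 CVE-2015-8325
sample_changelog | cve_report CVE-2016-6210 CVE-2015-8325 CVE-0000-0000
```

A "not in changelog" line is the case to take back to the scanning team: it marks a CVE the changelog does not mention by ID, so the vendor's advisory for that CVE needs to be checked before answering the ticket.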
 