Hi,
When testing my site on Qualys SSL labs, my website received an F because of the CVE 2016-2107 bug.
I have yum updated my openSSL (1.0.1e fips) to the last version (51.el7_2.5) and when using the command rpm -q --changelog "openssl" | head -n 7 I get:
Which demonstrates I have the version that resolves this issue.
However, even when I reboot, or rebuild (using custombuild) apache or rebuild ALL, stop/start apache, the test says I'm still vulnerable to the issue.
I don't use a custom version of openSSL (in ap2/configure.apache).
I have no idea what to do now?
When testing my site on Qualys SSL labs, my website received an F because of the CVE 2016-2107 bug.
I have yum updated my openSSL (1.0.1e fips) to the last version (51.el7_2.5) and when using the command rpm -q --changelog "openssl" | head -n 7 I get:
Code:
* Fri Apr 29 2016 Tomáš Mráz <[email protected]> 1.0.1e-51.5
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoderWhich demonstrates I have the version that resolves this issue.
However, even when I reboot, or rebuild (using custombuild) apache or rebuild ALL, stop/start apache, the test says I'm still vulnerable to the issue.
I don't use a custom version of openSSL (in ap2/configure.apache).
I have no idea what to do now?