OpenSSL - Bug CVE 2016-2107

jomlx

Hi,

When testing my site on Qualys SSL Labs, my website received an F because of the CVE-2016-2107 bug.

I have yum updated my OpenSSL (1.0.1e fips) to the last version (51.el7_2.5), and when using the command rpm -q --changelog "openssl" | head -n 7 I get:

Code:
* Fri Apr 29 2016 Tomáš Mráz <[email protected]> 1.0.1e-51.5
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder

Which demonstrates I have the version that resolves this issue.

However, even when I reboot, or rebuild (using custombuild) apache or rebuild ALL, stop/start apache, the test says I'm still vulnerable to the issue.

I don't use a custom version of OpenSSL (in ap2/configure.apache).

I have no idea what to do now.
 