Update of libssl - Githubissues

Linuxfabrik / monitoring-plugins

220+ check plugins for Icinga and other Nagios-compatible monitoring applications. Each plugin is a standalone command line tool (written in Python) that provides a specific type of check.

https://linuxfabrik.ch

The Unlicense

217 stars 50 forks source link

Update of libssl #737

Closed mdicss closed 5 months ago

mdicss commented 9 months ago

Describe the solution you'd like

Hi A security-scan of our icinga installation reported a problem with libssl.so.10, which is included in the _internal folder of the compiled plugins. See: https://cve.org/CVERecord?id=CVE-2022-1292 http://www.nessus.org/u?d5a8df0f It would be good, to have a new release of the plugins with the libssl updated to the newest version. Regards, Matthias

Additional context

No response

markuslf commented 9 months ago

Thank you for your report. Can you provide these details as well?

Which variant of the Monitoring Plugins do you use?

.rpm/.deb package from repo.linuxfabrik.ch
Compiled for Linux (.tar/.zip from download.linuxfabrik.ch)

Plugin Version

Result of plugin-name --version (output e.g. about-me: v2023010603 by Linuxfabrik GmbH, Zurich/Switzerland)

mdicss commented 9 months ago

Hi Markus We use the compiled version for linux. I've just seen, that we actually have version v2023112901 but on some observed machines, we still have v2022071801. So I think, you already have updated the libssl in the new plugin release?

It looks like the same library version. I used the following command and the output is the same with both versions, also the filesize is the same.

$ strings libssl.so.10 | grep "1.0" OPENSSL_1.0.1 OPENSSL_1.0.1_EC OPENSSL_1.0.2 SSLv3 part of OpenSSL 1.0.2k-fips 26 Jan 2017 TLSv1 part of OpenSSL 1.0.2k-fips 26 Jan 2017 DTLSv1 part of OpenSSL 1.0.2k-fips 26 Jan 2017 OpenSSL 1.0.2k-fips 26 Jan 2017 libssl.so.1.0.2k.debug

markuslf commented 9 months ago

We'll have a look, thank you.

mdicss commented 6 months ago

Any news here?

markuslf commented 5 months ago

To ensure maximum compatibility between different Linux versions (keyword: glibc), as of today (2024-05-29) all plugins for the .zip/tar.gz file are compiled on CentOS 7. CentOS 7 currently ships with openssl 1.0.2k. For Debian and RHEL compatible operating systems, we provide .deb/.rpm packages on https://repo.linuxfabrik.ch/, which are all built on their respective platforms.

On 2024-06-30 CentOS 7 will reach its EOL. We still need to check which platform we want to compile our plugins on after that to get maximum compatibility for the resulting binaries.

So we will not fix this for now. However, the problem will be solved with a new release after 2024-06-30.