openssl-1.0.1e-38.fc19 trouble

For anyone else who has been having heartburn over trying to get yum to update openssl on Fedora 19 the last two times those updates were critical, know that you’re not alone.

At least I’m with you.

First during the Heartbleed update (openssl-1.0.1e-37.fc19) and now with the latest to address another exploit, I had to manually install the package and its dependencies because yum reported a conflict.

Error: Package: 1:openssl-1.0.1e-37.fc19.1.i686 (installed)
           Requires: openssl-libs(x86-32) = 1:1.0.1e-37.fc19.1
           Removing: 1:openssl-libs-1.0.1e-37.fc19.1.i686 (installed)
               openssl-libs(x86-32) = 1:1.0.1e-37.fc19.1
           Updated By: 1:openssl-libs-1.0.1e-38.fc19.i686 (updates)
               openssl-libs(x86-32) = 1:1.0.1e-38.fc19
           Available: 1:openssl-libs-1.0.1e-4.fc19.i686 (fedora)
               openssl-libs(x86-32) = 1:1.0.1e-4.fc19
 You could try using --skip-broken to work around the problem

I did try a few time-worn techniques to right things before going the manual route (e.g. doing a “yum clean all”), to no avail.

Only by downloading the rpms from an up-to-date repo (found via mirrors.fedoraproject.org) and then invoking “rpm -Uvh” against them was I able to do the update.

In my case this involved grabbing four packages over HTTP:

openssl-1.0.1e-38.fc19.i686.rpm
openssl-1.0.1e-38.fc19.x86_64.rpm
openssl-libs-1.0.1e-38.fc19.i686.rpm
openssl-libs-1.0.1e-38.fc19.x86_64.rpm

My attempt to use yumdownloader to retrieve the packages failed as it was unable to find the .i686 version of openssl-1.0.1e-38 (which is probably why my yum update failed).
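A pre-flight check for the manual route described above, as an added example that is not part of the original post. Packages fetched over HTTP and installed with "rpm -Uvh" do not pass through yum's gpgcheck, so the script verifies signatures itself and also confirms that the i686 and x86_64 builds match before anything is installed. The function names are hypothetical, and the tokens matched in "rpm -K" output are an assumption about rpm's wording.

```sh
#!/bin/sh
# Added example, not from the original post: pre-flight checks before
# installing a hand-downloaded multilib RPM set with "rpm -Uvh".

# Print each package whose i686 and x86_64 builds are missing or differ in
# version-release. Arguments: RPM file names. No output means consistent.
multilib_mismatches() {
    for f in "$@"; do
        base=${f##*/}; base=${base%.rpm}
        nvr=${base%.*}                  # name-version-release
        name=${nvr%-*-*}                # strip -version-release
        printf '%s %s %s\n' "$name" "${base##*.}" "${nvr#"$name"-}"
    done | awk '
        { vr[$1, $2] = $3; names[$1] = 1 }
        END {
            for (n in names) {
                a = vr[n, "i686"]; b = vr[n, "x86_64"]
                if (a == "" || a != b)
                    printf "%s i686=%s x86_64=%s\n", n,
                        (a == "" ? "missing" : a), (b == "" ? "missing" : b)
            }
        }' | LC_ALL=C sort
}

# Succeed only if one line of "rpm -K" output reports a verified signature.
# An unsigned package also ends in "OK" (digests only), so a signature token
# is required too. The token list is an assumption about rpm's wording,
# which differs between rpm versions.
sig_line_ok() {
    case $1 in *"NOT OK"*) return 1 ;; esac
    printf '%s\n' "${1##*: }" | grep -Eqi '(pgp|gpg|signatures).* OK$'
}

# Run both checks, then install. Needs rpm, root, and the Fedora signing
# key already imported with "rpm --import".
checked_install() (
    bad=$(multilib_mismatches "$@")
    [ -z "$bad" ] || { echo "multilib mismatch: $bad" >&2; exit 1; }
    rpm -K "$@" 2>&1 | while IFS= read -r line; do
        sig_line_ok "$line" || { echo "not verified: $line" >&2; exit 1; }
    done || exit 1
    rpm -Uvh "$@"
)
```

Source the file and call checked_install with the four downloaded .rpm files as arguments; it stops before "rpm -Uvh" if either check fails.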

This isn’t a knock against yum, by the way. I use it all the time for package management. My opinion is that this is a problem either with the way openssl is being packaged or how it’s being provisioned (although openssl is the only package I’ve had this problem with).

I’m also not addressing the fact that updates for Fedora 19 were only available significantly after those for Fedora 20. My only comment there would be that if the Fedora Project wants to cease supporting Fedora 19 at the same level as they do Fedora 20 at this point, they’ve got every right to do so — but their users also deserve to know that is what is happening. Of course the Fedora Release Life Cycle is very specific about how long a release will be supported, and Fedora 19 fits well within the bounds set. If Project Management so desires they can change that policy any time they want, but again, they need to tell people they’ve done that.

As an aside, I noted several weeks ago that a security update to the gnutls package for Fedora 19 was also significantly delayed as compared to Fedora 20 (as well as Red Hat Enterprise 6 and CentOS 6).

Right now I’m holding off upgrading to Fedora 20 until CentOS 7 is released. As I’ve indicated on this blog recently, my current plan is to switch my home servers over to CentOS 7. Now that it’s clear Fedora 21 won’t be out until this October I’m weighing whether to upgrade my workstations to Fedora 20 or to move them to CentOS 7 as well.


About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).