四月
8
2014

修復CentOS 6.5 OpenSSL CVE-2014-0160資安漏洞的方法

根據 Heartbleed Bug 的揭露,OpenSSL發生了一個嚴重的資安問題。受到影響的Linux有下列幾項

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

阿維自己剛有幾台機器是使用CentOS 6.5架設的,這樣的資安問題當然要趕緊修復,以下就跟大家分享修復的方式

執行 yum update openssl
Installed Packages
Name : openssl
Arch : x86_64
Version : 1.0.1e
Release : 16.el6_5.4
Size : 4.0 M
Repo : installed
From repo : ami-updates
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
: between machines. OpenSSL includes a certificate management tool
: and shared libraries which provide various cryptographic
: algorithms and protocols.</code>

Available Packages
Name : openssl
Arch : i686
Version : 1.0.1e
Release : 16.el6_5.7
Size : 1.5 M
Repo : updates
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
: between machines. OpenSSL includes a certificate management tool
: and shared libraries which provide various cryptographic
: algorithms and protocols.

Name : openssl
Arch : x86_64
Version : 1.0.1e
Release : 16.el6_5.7
Size : 1.5 M
Repo : updates
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
: between machines. OpenSSL includes a certificate management tool
: and shared libraries which provide various cryptographic
: algorithms and protocols.
如果沒有更新檔案可以進行更新
可以到這裡下載SRPM,然後自己進行手動編譯更新 http://vault.centos.org/6.5/updates/Source/SPackages/openssl-1.0.1e-16.el6_5.4.0.1.centos.src.rpm
注意! 不是更新完就沒事了,記得要做下面的動作

lsof -n | grep ssl | grep DEL

執行這段指令之後,會列出需要重新啟動的服務,記得將列出的服務全部重新啟動一次。

重新啟動服務之後,再執行一次這段指令,確保所有需要重新啟動的服務都已經完成重新啟動。

1. 建議重新產生SSL Key,避免原本的Key已經外洩造成資安上的漏洞

2. 修復之後也可以到 http://filippo.io/Heartbleed/ 這個網站進行檢測

3. 建議繼續閱讀 修復CentOS 6.5 OpenSSL CVE-2014-0160資安漏洞後必做工作 來保障主機的安全

Loading Facebook Comments ...

2 Comments+ Add Comment