Hmm! This was a hot topic a little while ago... a customer happened to ask me about it, so I put together some quick notes... From now on I can just Ctrl+A/C/V and hand it to the customer as the report! xDDDDD
Heartbleed - OpenSSL CVE-2014-0160
Affected OpenSSL versions and OS versions
OpenSSL 1.0.1 through 1.0.1f are vulnerable
OpenSSL 1.0.1g (latest) has fixed the vulnerability
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 0.9.8 / 1.0.0 branch is NOT vulnerable
Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:
Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)
Operating system distribution with versions that are not vulnerable:
Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
SUSE Linux Enterprise Server
FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD 10.0p1 - OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC)
FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
# wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
# tar -zxf openssl-1.0.1g.tar.gz
# cd openssl-1.0.1g
# ./config
# make
# make install
Check the version at this point; it should basically not have switched over yet! xD
# mv /usr/bin/openssl /usr/bin/openssl.bak
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
# openssl version
Updating with yum still only gets you to 1.0.1e, so the system has to be updated manually using the method shown in the figure above.
# rpm -Uvh openssl-1.0.1g-1.el6.x86_64.rpm openssl-devel-1.0.1g-1.el6.x86_64.rpm openssl-libs-1.0.1g-1.el6.x86_64.rpm openssl-static-1.0.1g-1.el6.x86_64.rpm --force --nodeps
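As an added example (not part of the original post), here is a small POSIX shell script that classifies an `openssl version` string against the affected range listed above, and that lists which libssl file each running process actually has mapped, because swapping the /usr/bin/openssl binary alone leaves already-running services linked against the old library. The function names heartbleed_status, mapped_libssl and rpm_changelog_mentions_fix are my own, the script assumes a Linux host with /proc, and the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post.
# Classifies an "openssl version" line against the Heartbleed (CVE-2014-0160)
# affected range, 1.0.1 through 1.0.1f, and audits which libssl running
# processes have mapped. Function names are hypothetical.

# Print "vulnerable", "fixed", "not-affected" or "unknown" for a version line.
# Constructed sample input: "OpenSSL 1.0.1e-fips 11 Feb 2013"
heartbleed_status() {
    # Second whitespace-separated field is the version, e.g. 1.0.1e-fips
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    # Drop build suffixes such as -fips so only "1.0.1e" remains
    base=${ver%%-*}
    case "$base" in
        1.0.1|1.0.1[a-f])  echo vulnerable ;;     # 1.0.1 .. 1.0.1f
        1.0.1[g-z]*)       echo fixed ;;          # 1.0.1g and later 1.0.1 releases
        0.9.8*|1.0.0*)     echo not-affected ;;   # these branches have no TLS heartbeat code
        *)                 echo unknown ;;        # anything else is out of scope here
    esac
}

# On RPM systems a distribution backport can keep the upstream version string
# (e.g. 1.0.1e) while carrying the fix, so also look for the CVE in the
# package changelog. Returns 0 if found, 1 if not, 2 if rpm is unavailable.
rpm_changelog_mentions_fix() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2014-0160'
}

# List "<pid><TAB><libssl path>" for every process that has libssl mapped.
# A process still mapping the old library after the upgrade needs a restart.
# Reads /proc, so it is Linux-only and shows more when run as root.
mapped_libssl() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        lib=$(grep -o '/[^ ]*libssl\.so[^ ]*' "$maps" 2>/dev/null | sort -u)
        [ -n "$lib" ] && printf '%s\t%s\n' "$pid" "$lib"
    done
    return 0
}

# Stand-alone use: classify this host's openssl binary, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    line=$(openssl version)
    echo "$line => $(heartbleed_status "$line")"
fi
```

Run the script as-is to classify the local binary, then call mapped_libssl (as root, for full coverage) after the package or library upgrade: any pid still showing the pre-upgrade libssl path is a service that has not picked up the fixed library and must be restarted. On CentOS, rpm_changelog_mentions_fix is the check that tells a patched 1.0.1e backport apart from an unpatched one, which `openssl version` alone cannot.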
openssl 1.0.1e "Heartbleed" CentOS 6.5 vulnerability status
There are also related testing tools available online!
Finally, some related articles for reference:
Missing library files after force-upgrading openssl from a version below 1.0.1e
OpenSSL "heartbleed" security vulnerability / Upgrading OpenSSL to version 1.0.1g
OpenSSL 1.0.1g for CentOS