Openssl vulnerability patch repair

Source: Internet
Author: User
Tags: install, openssl, openssl version, ssl certificate, cve

1. CVE-2014-0160 vulnerability background

On April 7, 2014, OpenSSL issued a security bulletin: OpenSSL 1.0.1 has a serious vulnerability (CVE-2014-0160). The bug is in OpenSSL's heartbeat (Heartbleed) code, in the heartbeat section of the ssl/d1_both.c file. When an attacker sends a specially constructed heartbeat packet whose payload is shorter than the length it claims, memcpy copies data straight out of the SSLv3 record memory into the reply, so the attacker can remotely read up to 64 KB of the OpenSSL server's memory. In the material published so far, peers at home and abroad have already called this a "broken heart", "destruction level" and "most serious this year" vulnerability. Because SSL is the mainstream security protocol for encrypted login authentication and online transactions, and OpenSSL is the mainstream SSL implementation, we recommend that network service providers, administrators and users follow the handling of this vulnerability closely, and we hope that most users will take the corresponding countermeasures.

2. Affected versions

Based on public information, the affected OpenSSL versions are distributed as follows:
1. OpenSSL 1.0.1f (affected)
2. OpenSSL 1.0.2-beta (affected)
3. OpenSSL 1.0.1g (not affected)
4. OpenSSL 1.0.0 branch (not affected)
5. OpenSSL 0.9.8 branch (not affected)

3. Disposal suggestions

3.1 For network administrators: given the severity of this vulnerability, once you have confirmed that it exists, suspending the service while it is fixed is a good response for a general network service provider. If the vulnerability exists and the service cannot be stopped, you can temporarily stop the https service and switch to http during the repair.
However, that exposes authentication information to plaintext transmission, so weigh the trade-off against your specific interests carefully. The specific repair method is as follows: upgrade OpenSSL to the latest version, 1.0.1g, then regenerate your private key and certificate request and replace the SSL certificate; the latest version is available from https://www.openssl.org/source (OpenSSL official). Alternatively, recompile the older OpenSSL with the -DOPENSSL_NO_HEARTBEATS option to disable the heartbeat module.

3.2 For ordinary network users: given the severity of this vulnerability, if you cannot determine whether a website or service has fixed it, not logging in for the next two to three days (that is, until April 9, 2014) is a good response strategy, especially for online shopping and online banking payments. If you must perform such operations, follow the announcements of these websites and services. Logins from some mobile clients are also just an SSL wrapper, so logging in from a mobile phone is not secure either. Other security vendors' teams will announce which websites still have the problem and which do not; please pay attention to them.

The following is the repair method for CentOS or Red Hat systems. In short, upgrade to the latest version from the official website: openssl-1.0.1g (released 2014.4.7).

First install the supporting package:
# yum install -y zlib

0. Check the OpenSSL version currently installed on the system:
# openssl version -a

1. Download the latest openssl source package:
# wget ftp://ftp.openssl.org/source/openssl-1.0.1g.tar.gz

2. Install openssl 1.0.1g:
1. tar xzvf openssl-1.0.1g.tar.gz
2. cd openssl-1.0.1g
3. ./config shared zlib
4. make
5. make install
6. mv /usr/bin/openssl /usr/bin/openssl.OFF
7. mv /usr/include/openssl /usr/include/openssl.OFF
8. ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
9. ln -s /usr/local/ssl/include/openssl /usr/include/openssl
Configure the library file search path (append with >>; a single > would overwrite /etc/ld.so.conf and discard the entries already in it):
10. echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
11. ldconfig -v
3. Check the openssl version to verify the installation:
# openssl version -a
OpenSSL 1.0.1g 7 Apr 2014
built on: Fri Apr 11 13:49:37 CST 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall ... -DSHA1_ASM ... -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM ...
OPENSSLDIR: "/usr/local/ssl"

Below is a small script I wrote myself:
# cat openssl-update.sh
#!/bin/sh
# run this from inside the extracted openssl-1.0.1g directory, since it calls ./config
set -e
yum install -y zlib
echo "****************************************************************************"
./config shared zlib
make
make install
mv /usr/bin/openssl /usr/bin/openssl.OFF
mv /usr/include/openssl /usr/include/openssl.OFF
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig -v
echo "****************************************************************************"
openssl version -a

# chmod +x openssl-update.sh
# ./openssl-update.sh > openssl-update.log
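The procedure above installs the new library under /usr/local/ssl/lib and relinks only the openssl binary and the headers. Anything dynamically linked against the distribution's own libssl keeps using that copy, and any process that was already running keeps the old code mapped until it is restarted, so "openssl version" alone does not prove a service is fixed. The following script is an added example (not part of the original post) that classifies an "openssl version" line against the affected-version table from section 2, generalised to the whole 1.0.1 line up to 1.0.1f, and lists which libssl object each running process has mapped. It assumes a Linux /proc layout; the maps lines used to exercise it are constructed sample data, and the function and option names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: version classification plus a
# per-process libssl inventory for the Heartbleed upgrade described above.
# Assumes a Linux /proc layout. Function names are this example's own.

# Prints "affected", "not-affected" or "unknown" for one "openssl version" line.
# 1.0.1 .. 1.0.1f and 1.0.2-beta are affected; 1.0.1g and later, the 1.0.0
# branch and the 0.9.8 branch are not (the older branches have no heartbeat code).
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-beta[0-9]*\)*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f])   echo affected ;;
        1.0.1[g-z]*)        echo not-affected ;;
        1.0.2-beta*)        echo affected ;;
        1.0.0*|0.9.8*)      echo not-affected ;;
        *)                  echo unknown ;;
    esac
}

# Prints the libssl shared objects mapped in one /proc/<pid>/maps file (or any
# file in that format), one per line, keeping the "(deleted)" suffix the kernel
# shows when the file behind a mapping has been replaced on disk.
mapped_libssl() {
    awk '$6 ~ /\/libssl\.so/ { $1=$2=$3=$4=$5=""; sub(/^ +/, ""); print }' "$1" | sort -u
}

# Walks every process and prints "<pid> <command> <libssl object>" for each
# libssl it has mapped. A service still on the distribution copy, or on a
# "(deleted)" copy, is not running the upgraded code until it is restarted
# (or rebuilt against /usr/local/ssl).
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')   # comm needs Linux 2.6.33+
        mapped_libssl "$maps" 2>/dev/null | while read -r lib; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

case "${1:-}" in
    --check-version)
        line=$(openssl version)
        printf '%s => %s\n' "$line" "$(heartbleed_status "$line")"
        # Distribution packages backport the fix without changing the version
        # string, so on RPM systems also look for the CVE id in the changelog.
        if command -v rpm >/dev/null 2>&1 && rpm -q --changelog openssl 2>/dev/null | grep -q CVE-2014-0160; then
            echo 'rpm changelog mentions CVE-2014-0160: the distribution package is patched'
        fi
        ;;
    --scan)
        scan_processes
        ;;
    *)
        echo "usage: $0 --check-version | --scan" >&2
        ;;
esac
```

Run it with --check-version after the upgrade to confirm the binary in PATH is 1.0.1g, then with --scan (as root, so every process's maps file is readable) and restart every service that still shows the old or deleted libssl; on Red Hat systems a vendor package that reports 1.0.1e but lists CVE-2014-0160 in its changelog is already patched, which is why the version string is treated as a hint rather than a verdict.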
This is just my own approach; if you have any questions, feel free to discuss them.
