RHEL & CentOS & OEL5 & 6.x high-risk vulnerability repair
This article only covers the findings of the aligreennet vulnerability scan. The high-risk vulnerabilities listed below were reported on RHEL, CentOS and OEL 5.x x64; the fixes are given here. A follow-up vulnerability scan confirmed that the vulnerabilities had been fixed.
High risk
OpenSSH 'schnorr.c' Remote Memory Corruption Vulnerability (CVE-2014-1692)
OpenSSH J-PAKE Authorization Vulnerability (CVE-2010-4478)
OpenSSH GSSAPI Remote Code Execution Vulnerability (CVE-2006-5051)
GNU Bash environment variable Remote Command Execution Vulnerability (CVE-2014-6271)
GNU Wget symbolic link Vulnerability (CVE-2014-4877)
Moderate
OpenSSH default server configuration Denial of Service Vulnerability (CVE-2010-5107)
OpenSSH glob Expression Denial of Service Vulnerability (CVE-2010-4755)
OpenSSH permission licensing and Access Control Vulnerability (CVE-2014-2532)
OpenSSH verify_host_key function SSHFP DNS RR Check Bypass Vulnerability (CVE-2014-2653)
OpenSSH S/Key Remote Information Leakage (CVE-2007-2243)
1. On RHEL/CentOS/OEL 5/6.x x64, upgrade openssh to 6.6p1 to eliminate the OpenSSH vulnerabilities listed above; the other high-risk findings can be ignored for this step (bash and wget are handled in sections 2 and 3).
There are two ways to upgrade:
(1) Build and install from the original source package.
(2) Upgrade with the rpm installation packages. The rpm packages are used here.
List the installed openssh packages:
# rpm -qa | grep openssh
Uninstall them one by one:
# rpm -e openssh --nodeps
# rpm -e openssh-server --nodeps
# rpm -e openssh-clients --nodeps
# rpm -e openssh-askpass
Or uninstall them all at once with a single command:
# rpm -e --nodeps `rpm -qa | grep openssh`
Copy the following installation packages to the host and install them:
# rpm -ivh openssh-6.6.1p1-2.gf.el5.x86_64.rpm openssh-askpass-6.6.1p1-2.gf.el5.x86_64.rpm openssh-clients-6.6.1p1-2.gf.el5.x86_64.rpm openssh-server-6.6.1p1-2.gf.el5.x86_64.rpm libedit-20090923-3.0_1.el5.rf.x86_64.rpm
Check the installed version:
# ssh -V
OpenSSH_6.6.1p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Restart the ssh service:
# service sshd restart
2. bash vulnerability detection
GNU Bash environment variable Remote Command Execution Vulnerability (CVE-2014-6271)
(1) bash vulnerability detection method and repair update package
Run the following test (it defines an environment variable whose value looks like a function definition; a vulnerable bash executes the trailing command while importing it):
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the following output is displayed, the patch must be installed immediately:
vulnerable
this is a test
If only the following output is displayed, the vulnerability has been repaired:
this is a test
(2) Download the rpm package. Note that the mirror URLs were valid at the time of writing; if a package cannot be downloaded, browse to its directory and pick the latest package with the same name.
CentOS 5
http://mirrors.pubyun.com/centos/5/updates/x86_64/RPMS/bash-3.2-33.el5_11.4.x86_64.rpm
CentOS 6
http://mirrors.pubyun.com/centos/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm
CentOS 7
http://mirrors.pubyun.com/centos/7.0.1406/updates/x86_64/Packages/bash-4.2.45-5.el7_0.4.x86_64.rpm
Install it with the upgrade option (-U) rather than a fresh install, for example on CentOS 5:
# rpm -Uvh bash-3.2-33.el5_11.4.x86_64.rpm
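The two manual checks above (reading the "ssh -V" version string in section 1 and running the environment-variable test in section 2) can be scripted for re-checking many hosts. This is an added example, not part of the original post; it assumes only POSIX sh, sed and a bash binary on the host.

```shell
#!/bin/sh
# Added example (not from the original post): post-upgrade checks for the two
# items this page verifies by hand, the "ssh -V" version string and the
# CVE-2014-6271 environment-variable test. Assumes POSIX sh, sed and bash.

# Extract "major.minor" from an "ssh -V" line such as
# "OpenSSH_6.6.1p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" (prints nothing
# if the line does not look like OpenSSH version output).
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\.[0-9]*\).*/\1/p'
}

# Succeeds when the major.minor version in $1 is at least the one in $2.
version_at_least() {
    h_major=${1%%.*}; h_minor=${1#*.}; h_minor=${h_minor%%.*}
    w_major=${2%%.*}; w_minor=${2#*.}; w_minor=${w_minor%%.*}
    [ "$h_major" -gt "$w_major" ] ||
        { [ "$h_major" -eq "$w_major" ] && [ "$h_minor" -ge "$w_minor" ]; }
}

# Run the page's Shellshock test against the bash binary in $1 (default: bash).
# Prints "vulnerable" if the command appended to the exported function
# definition ran, "patched" if only the harmless echo ran, and "unknown" if
# bash could not be executed. A version number alone is not enough here:
# vendor packages backport the fix without changing the upstream version,
# so the behavioural test is the authoritative check.
shellshock_status() {
    bash_bin="${1:-bash}"
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null) || out=""
    case "$out" in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo patched ;;
        *)                  echo unknown ;;
    esac
}

# Live report for the host this runs on; call it as "report".
report() {
    ver=$(openssh_version "$(ssh -V 2>&1)")
    if [ -n "$ver" ] && version_at_least "$ver" 6.6; then
        echo "openssh $ver: at or above 6.6, OK"
    else
        echo "openssh ${ver:-not found}: below 6.6, upgrade needed"
    fi
    echo "bash CVE-2014-6271: $(shellshock_status)"
}
```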
3. GNU Wget symbolic link vulnerability (CVE-2014-4877)
There are two methods: either uninstall wget and stop using it, or build and install it from source.
Uninstall it directly:
# rpm -e --nodeps wget
Or download the wget source package and build it:
# wget http://ftp.gnu.org/gnu/wget/wget-1.17.tar.gz
# tar zxvf wget-1.17.tar.gz
# ./configure
# make && make install