OpenSSL update

Dealing with the OpenSSL CCS Injection vulnerability (CVE-2014-0224).

According to https://rhn.redhat.com/errata/RHSA-2014-0625.html it is fixed in 1.0.1e-16.el6_5.14.

Check what is currently installed.
[shell]
[astel@sakura ~]$ sudo yum list installed | grep openssl
openssl.x86_64 1.0.0-27.el6_4.2 @updates
openssl098e.x86_64 0.9.8e-17.el6.centos.2

[astel@sakura ~]$ yum info openssl
Loaded plugins: aliases, changelog, downloadonly, fastestmirror,
              : kabi, presto, security, tmprepo, verify, versionlock
Loading support for CentOS kernel ABI
Determining fastest mirrors
epel/metalink | 4.5 kB 00:00
 * base: www.ftp.ne.jp
 * epel: ftp.jaist.ac.jp
 * extras: www.ftp.ne.jp
 * updates: www.ftp.ne.jp
base | 3.7 kB 00:00
epel | 4.4 kB 00:00
epel/primary_db | 6.2 MB 00:00
extras | 3.4 kB 00:00
nginx | 2.9 kB 00:00
Trying other mirror.
treasuredata 28/28
typesafe | 1.9 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 3.2 MB 00:00
zabbix | 951 B 00:00
zabbix 65/65
zabbix-non-supported | 951 B 00:00
zabbix-non-supported/primary | 3.8 kB 00:00
zabbix-non-supported 15/15
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.0
Release     : 27.el6_4.2
Size        : 3.6 M
Repo        : installed
From repo   : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.

Available Packages
Name        : openssl
Arch        : i686
Version     : 1.0.1e
Release     : 16.el6_5.14
Size        : 1.5 M
Repo        : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.

Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 16.el6_5.14
Size        : 1.5 M
Repo        : updates
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
            : between machines. OpenSSL includes a certificate management tool
            : and shared libraries which provide various cryptographic
            : algorithms and protocols.
[/shell]

Looking at the output, it says
[shell]
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.0
Release     : 27.el6_4.2
[/shell]
so the installed version is presumably 1.0.0-27.el6_4.2 (?). This gets updated to 1.0.1e-16.el6_5.14.

Run the update.
[shell]
[astel@sakura ~]$ sudo yum update openssl
[sudo] password for fractale:
Loaded plugins: aliases, changelog, downloadonly, fastestmirror,
              : kabi, presto, security, tmprepo, verify, versionlock
Loading support for CentOS kernel ABI
Determining fastest mirrors
epel/metalink | 4.5 kB 00:00
 * base: www.ftp.ne.jp
 * epel: ftp.jaist.ac.jp
 * extras: www.ftp.ne.jp
 * updates: www.ftp.ne.jp
base | 3.7 kB 00:00
epel | 4.4 kB 00:00
epel/primary_db | 6.2 MB 00:00
extras | 3.4 kB 00:00
nginx | 2.9 kB 00:00
Trying other mirror.
typesafe | 1.9 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 3.2 MB 00:00
zabbix | 951 B 00:00
zabbix-non-supported | 951 B 00:00
zabbix-non-supported/primary | 3.8 kB 00:00
zabbix-non-supported 15/15
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.0-27.el6_4.2 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.14 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

 Package     Arch       Version               Repository    Size

Updating:
 openssl     x86_64     1.0.1e-16.el6_5.14    updates       1.5 M

Transaction Summary

Upgrade       1 Package(s)

Total download size: 1.5 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
updates/prestodelta | 324 kB 00:00
Processing delta metadata
Download delta size: 976 k
openssl-1.0.0-27.el6_4.2_1.0.1e-16.el6_5.14.x86_64.drpm | 976 kB 00:00
Finishing rebuild of rpms, from deltarpms
<delta rebuild> | 1.5 MB 00:02
Presto reduced the update size by 37% (from 1.5 M to 976 k).
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : openssl-1.0.1e-16.el6_5.14.x86_64   1/2
  Cleanup    : openssl-1.0.0-27.el6_4.2.x86_64     2/2
  Verifying  : openssl-1.0.1e-16.el6_5.14.x86_64   1/2
  Verifying  : openssl-1.0.0-27.el6_4.2.x86_64     2/2

Updated:
  openssl.x86_64 0:1.0.1e-16.el6_5.14

Complete!
[/shell]

Check which processes are still using the old openssl (they keep the now-deleted library mapped in memory).
[shell]
[astel@sakura ~]$ sudo find /proc -maxdepth 2 -name maps -exec grep -HE '/libssl.so.* (deleted)' {} \;
/proc/3445/maps:7f29d8faf000-7f29d9004000 r-xp 00000000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3445/maps:7f29d9004000-7f29d9204000 ---p 00055000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3445/maps:7f29d9204000-7f29d9207000 r--p 00055000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3445/maps:7f29d9207000-7f29d920c000 rw-p 00058000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3456/maps:7fb7d4dfb000-7fb7d4e50000 r-xp 00000000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3456/maps:7fb7d4e50000-7fb7d5050000 ---p 00055000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3456/maps:7fb7d5050000-7fb7d5053000 r--p 00055000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3456/maps:7fb7d5053000-7fb7d5058000 rw-p 00058000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3914/maps:36dd200000-36dd255000 r-xp 00000000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3914/maps:36dd255000-36dd455000 ---p 00055000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3914/maps:36dd455000-36dd458000 r--p 00055000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3914/maps:36dd458000-36dd45d000 rw-p 00058000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/4553/maps:3e6a400000-3e6a455000 r-xp 00000000 08:03 14424691 /usr/lib64/libssl.so.1.0.0 (deleted)
/proc/4553/maps:3e6a455000-3e6a655000 ---p 00055000 08:03 14424691 /usr/lib64/libssl.so.1.0.0 (deleted)
/proc/4553/maps:3e6a655000-3e6a658000 r--p 00055000 08:03 14424691 /usr/lib64/libssl.so.1.0.0 (deleted)
/proc/4553/maps:3e6a658000-3e6a65d000 rw-p 00058000 08:03 14424691 /usr/lib64/libssl.so.1.0.0 (deleted)
[/shell]
Note: quite a lot of them showed up.

Look up the process name for each pid.
[shell]
[astel@sakura ~]$ sudo ls -l /proc/4553/exe
lrwxrwxrwx 1 nginx nginx 0 6月 20 11:15 2014 /proc/4553/exe -> /usr/sbin/nginx
[astel@sakura ~]$ sudo ls -l /proc/6326/exe
lrwxrwxrwx 1 root root 0 6月 20 11:15 2014 /proc/6326/exe -> /usr/sbin/zabbix_agentd (deleted)
[astel@sakura ~]$ sudo ls -l /proc/8349/exe
lrwxrwxrwx 1 root root 0 6月 20 11:15 2014 /proc/8349/exe -> /usr/libexec/postfix/pickup
[/shell]

Processes that use openssl have to be restarted to pick up the new library, so restart them.
[shell]
[astel@sakura ~]$ sudo service nginx restart
[astel@sakura ~]$ sudo service zabbix-agent restart
[astel@sakura ~]$ sudo /etc/init.d/postfix restart
[/shell]
If something like mysql is installed, it may need a restart as well. (If you can't tell and it's an environment where a reboot is acceptable, a reboot might be fine too (?).) Run
[shell]
[astel@sakura ~]$ sudo find /proc -maxdepth 2 -name maps -exec grep -HE '/libssl.so.* (deleted)' {} \;
[/shell]
again; if it prints nothing, I think you're fine.
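As an added example (not from the original post), the same check as a small shell helper that goes a bit beyond the one-liner above: it scans for any process still mapping a deleted libssl or libcrypto (the openssl package ships both libraries), collapses the per-segment lines into unique PIDs, and resolves each PID to its executable via /proc/<pid>/exe. The function names and the embedded sample grep output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. Finds processes that still
# map a deleted libssl/libcrypto after the package update so they can be
# restarted. Function names are assumptions made for this example.

# Constructed sample of `grep -H` output in the same shape as the real scan
# (two PIDs, several mapping segments each); used for offline testing only.
SAMPLE_MAPS='/proc/3445/maps:7f29d8faf000-7f29d9004000 r-xp 00000000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3445/maps:7f29d9004000-7f29d9204000 ---p 00055000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/4553/maps:3e6a400000-3e6a455000 r-xp 00000000 08:03 14424691 /usr/lib64/libssl.so.1.0.0 (deleted)
/proc/4553/maps:3e6a658000-3e6a65d000 rw-p 00058000 08:03 14424691 /usr/lib64/libcrypto.so.1.0.0 (deleted)'

# stdin: lines of the form /proc/<pid>/maps:<mapping>; stdout: unique PIDs,
# one per line, numerically sorted. Lines without that prefix are ignored.
stale_pids() {
  sed -n 's#^/proc/\([0-9][0-9]*\)/maps:.*#\1#p' | sort -un
}

# Live scan of /proc. Matches both libssl and libcrypto and escapes the
# parentheses so "(deleted)" is matched literally, not as an ERE group.
scan_live() {
  find /proc -maxdepth 2 -name maps \
    -exec grep -HE '/lib(ssl|crypto)\.so[^ ]* \(deleted\)' {} \; 2>/dev/null |
    stale_pids
}

# Resolve a PID to its executable path; "unknown" if the process is gone or
# /proc/<pid>/exe is not readable (run as root to see other users' daemons).
pid_exe() {
  readlink "/proc/$1/exe" 2>/dev/null || echo unknown
}

# Print "<pid><tab><exe>" for every process that needs a restart. Returns 1
# if any were found, so the function doubles as a post-update check.
report() {
  found=0
  for pid in $(scan_live); do
    found=1
    printf '%s\t%s\n' "$pid" "$(pid_exe "$pid")"
  done
  return $found
}
```

Source the file and run `report` as root after the update; an empty result (exit status 0) means no process still has the old library mapped.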

[shell]
[astel@sakura ~]$ sudo yum list installed | grep openssl
openssl.x86_64 1.0.1e-16.el6_5.14
[/shell]