Dealing with the OpenSSL CCS Injection vulnerability (CVE-2014-0224).
According to https://rhn.redhat.com/errata/RHSA-2014-0625.html the fix is in 1.0.1e-16.el6_5.14.
First, check what is currently installed.
[shell]
[astel@sakura ~]$ sudo yum list installed | grep openssl
openssl.x86_64 1.0.0-27.el6_4.2 @updates
openssl098e.x86_64 0.9.8e-17.el6.centos.2
[astel@sakura ~]$ yum info openssl
Loaded plugins: aliases, changelog, downloadonly, fastestmirror,
: kabi, presto, security, tmprepo, verify, versionlock
Loading support for CentOS kernel ABI
Determining fastest mirrors
epel/metalink | 4.5 kB 00:00
* base: www.ftp.ne.jp
* epel: ftp.jaist.ac.jp
* extras: www.ftp.ne.jp
* updates: www.ftp.ne.jp
base | 3.7 kB 00:00
epel | 4.4 kB 00:00
epel/primary_db | 6.2 MB 00:00
extras | 3.4 kB 00:00
nginx | 2.9 kB 00:00
Trying other mirror.
treasuredata 28/28
typesafe | 1.9 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 3.2 MB 00:00
zabbix | 951 B 00:00
zabbix 65/65
zabbix-non-supported | 951 B 00:00
zabbix-non-supported/primary | 3.8 kB 00:00
zabbix-non-supported 15/15
Installed Packages
Name : openssl
Arch : x86_64
Version : 1.0.0
Release : 27.el6_4.2
Size : 3.6 M
Repo : installed
From repo : updates
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
: between machines. OpenSSL includes a certificate management tool
: and shared libraries which provide various cryptographic
: algorithms and protocols.
Available Packages
Name : openssl
Arch : i686
Version : 1.0.1e
Release : 16.el6_5.14
Size : 1.5 M
Repo : updates
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
: between machines. OpenSSL includes a certificate management tool
: and shared libraries which provide various cryptographic
: algorithms and protocols.

Name : openssl
Arch : x86_64
Version : 1.0.1e
Release : 16.el6_5.14
Size : 1.5 M
Repo : updates
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
: between machines. OpenSSL includes a certificate management tool
: and shared libraries which provide various cryptographic
: algorithms and protocols.
[/shell]
Looking at the output, [shell] Installed Packages Name : openssl Arch : x86_64 Version : 1.0.0 Release : 27.el6_4.2 [/shell] so the installed version is 1.0.0-27.el6_4.2, which is vulnerable. This will be updated to 1.0.1e-16.el6_5.14. Note that on RHEL/CentOS the release tag is what matters: Red Hat backports security fixes without bumping the upstream version string, so a package that reports 1.0.1e can be patched or unpatched depending on the release. Also note that openssl098e (0.9.8e-17.el6.centos.2 above) is a separate compatibility package with its own erratum; the one linked above covers only openssl, so anything linked against openssl098e has to be checked separately.
Run the update.
[shell]
[astel@sakura ~]$ sudo yum update openssl
[sudo] password for fractale:
Loaded plugins: aliases, changelog, downloadonly, fastestmirror,
: kabi, presto, security, tmprepo, verify, versionlock
Loading support for CentOS kernel ABI
Determining fastest mirrors
epel/metalink | 4.5 kB 00:00
* base: www.ftp.ne.jp
* epel: ftp.jaist.ac.jp
* extras: www.ftp.ne.jp
* updates: www.ftp.ne.jp
base | 3.7 kB 00:00
epel | 4.4 kB 00:00
epel/primary_db | 6.2 MB 00:00
extras | 3.4 kB 00:00
nginx | 2.9 kB 00:00
Trying other mirror.
typesafe | 1.9 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 3.2 MB 00:00
zabbix | 951 B 00:00
zabbix-non-supported | 951 B 00:00
zabbix-non-supported/primary | 3.8 kB 00:00
zabbix-non-supported 15/15
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.0-27.el6_4.2 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.14 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
Package Arch Version Repository Size
Updating: openssl x86_64 1.0.1e-16.el6_5.14 updates 1.5 M
Transaction Summary
Upgrade 1 Package(s)
Total download size: 1.5 M
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
updates/prestodelta | 324 kB 00:00
Processing delta metadata
Download delta size: 976 k
openssl-1.0.0-27.el6_4.2_1.0.1e-16.el6_5.14.x86_64.drpm | 976 kB 00:00
Finishing rebuild of rpms, from deltarpms
<delta rebuild> | 1.5 MB 00:02
Presto reduced the update size by 37% (from 1.5 M to 976 k).
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : openssl-1.0.1e-16.el6_5.14.x86_64 1/2
Cleanup : openssl-1.0.0-27.el6_4.2.x86_64 2/2
Verifying : openssl-1.0.1e-16.el6_5.14.x86_64 1/2
Verifying : openssl-1.0.0-27.el6_4.2.x86_64 2/2
Updated: openssl.x86_64 0:1.0.1e-16.el6_5.14
Complete! [/shell]
Check which processes are still using the old openssl. A process that loaded the library before the update keeps the replaced file mapped, and /proc/PID/maps marks that mapping as (deleted).
[shell]
[astel@sakura ~]$ sudo find /proc -maxdepth 2 -name maps -exec grep -HE '/libssl.so.* (deleted)' {} \;
/proc/3445/maps:7f29d8faf000-7f29d9004000 r-xp 00000000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3445/maps:7f29d9004000-7f29d9204000 ---p 00055000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3445/maps:7f29d9204000-7f29d9207000 r--p 00055000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3445/maps:7f29d9207000-7f29d920c000 rw-p 00058000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3456/maps:7fb7d4dfb000-7fb7d4e50000 r-xp 00000000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3456/maps:7fb7d4e50000-7fb7d5050000 ---p 00055000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3456/maps:7fb7d5050000-7fb7d5053000 r--p 00055000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3456/maps:7fb7d5053000-7fb7d5058000 rw-p 00058000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3914/maps:36dd200000-36dd255000 r-xp 00000000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3914/maps:36dd255000-36dd455000 ---p 00055000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3914/maps:36dd455000-36dd458000 r--p 00055000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3914/maps:36dd458000-36dd45d000 rw-p 00058000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/4553/maps:3e6a400000-3e6a455000 r-xp 00000000 08:03 14424691 /usr/lib64/libssl.so.1.0.0 (deleted)
/proc/4553/maps:3e6a455000-3e6a655000 ---p 00055000 08:03 14424691 /usr/lib64/libssl.so.1.0.0 (deleted)
/proc/4553/maps:3e6a655000-3e6a658000 r--p 00055000 08:03 14424691 /usr/lib64/libssl.so.1.0.0 (deleted)
/proc/4553/maps:3e6a658000-3e6a65d000 rw-p 00058000 08:03 14424691 /usr/lib64/libssl.so.1.0.0 (deleted)
[/shell]
(A lot of them came out.)
Look up the process name from the pid.
[shell]
[astel@sakura ~]$ sudo ls -l /proc/4553/exe
lrwxrwxrwx 1 nginx nginx 0 6月 20 11:15 2014 /proc/4553/exe -> /usr/sbin/nginx
[astel@sakura ~]$ sudo ls -l /proc/6326/exe
lrwxrwxrwx 1 root root 0 6月 20 11:15 2014 /proc/6326/exe -> /usr/sbin/zabbix_agentd (deleted)
[astel@sakura ~]$ sudo ls -l /proc/8349/exe
lrwxrwxrwx 1 root root 0 6月 20 11:15 2014 /proc/8349/exe -> /usr/libexec/postfix/pickup
[/shell]
Processes that use openssl have to be restarted, so restart them.
[shell]
[astel@sakura ~]$ sudo service nginx restart
[astel@sakura ~]$ sudo service zabbix-agent restart
[astel@sakura ~]$ sudo /etc/init.d/postfix restart
[/shell]
If mysql or the like is installed, it may need a restart too. (If you can't tell, and the environment is one where rebooting is acceptable, a reboot may be the simpler option (?)
Then run
[shell]
[astel@sakura ~]$ sudo find /proc -maxdepth 2 -name maps -exec grep -HE '/libssl.so.* (deleted)' {} \;
[/shell]
again; if nothing comes out, it should be fine.
Finally, confirm the installed version.
[shell]
[astel@sakura ~]$ sudo yum list installed | grep openssl
openssl.x86_64 1.0.1e-16.el6_5.14
[/shell]
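The scan and pid-lookup steps above can be done in one pass. The script below is an added example written for this page, not code from the original post. It reads /proc/PID/maps the same way the find/grep command above does, but it also matches libcrypto.so (the original grep only looks for libssl.so, and a process can load libcrypto without libssl), and it prints each affected PID together with its /proc/PID/exe target so the restart list comes out directly. It also adds an RPM changelog check, since Red Hat backports fixes and the upstream version string alone does not show whether CVE-2014-0224 is fixed. The function names, the constructed sample maps lines (shortened from the output above, with made-up PIDs 4600, 5000 and 5001 added for the edge cases) and the pkg_fixes_cve helper are all this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): find processes that still map a
# libssl/libcrypto that was replaced on disk, and map each PID to its binary.
# Function names and the sample data below are this example's own.

# Print the distinct PIDs whose maps lines, in "grep -H" form
# ("/proc/PID/maps:<mapping>"), reference a deleted libssl or libcrypto.
# Mappings of the current library (no "(deleted)") and deleted libraries
# other than OpenSSL's are ignored.
deleted_ssl_pids() {
    grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' \
    | sed -n 's|^/proc/\([0-9][0-9]*\)/maps:.*|\1|p' \
    | sort -un
}

# Scan the live system (run as root to read other users' maps).
# Same idea as the find/grep command in the post, extended to libcrypto.
scan_live() {
    grep -sHE 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' /proc/[0-9]*/maps \
    | deleted_ssl_pids
}

# For each PID print "pid<TAB>exe"; "?" when the process is gone or unreadable.
report_pids() {
    for pid in "$@"; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe='?'
        printf '%s\t%s\n' "$pid" "$exe"
    done
}

# Red Hat backports fixes, so "1.0.1e" alone does not say whether the CVE is
# fixed; the RPM changelog does. Returns 0 if the installed package's
# changelog mentions the CVE. Only meaningful on the RHEL/CentOS host itself.
#   pkg_fixes_cve openssl CVE-2014-0224
pkg_fixes_cve() {
    rpm -q --changelog "$1" 2>/dev/null | grep -q "$2"
}

# Constructed sample: lines shortened from the post's output, plus made-up
# PIDs 4600 (libcrypto only), 5000 (current library, not deleted) and
# 5001 (a deleted library that is not OpenSSL).
SAMPLE='/proc/3445/maps:7f29d8faf000-7f29d9004000 r-xp 00000000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/3445/maps:7f29d9207000-7f29d920c000 rw-p 00058000 08:03 14424510 /usr/lib64/libssl.so.1.0.0.#prelink#.opWbuw (deleted)
/proc/4553/maps:3e6a400000-3e6a455000 r-xp 00000000 08:03 14424691 /usr/lib64/libssl.so.1.0.0 (deleted)
/proc/4600/maps:7f1000000000-7f10001a0000 r-xp 00000000 08:03 14424690 /usr/lib64/libcrypto.so.1.0.0 (deleted)
/proc/5000/maps:7f2000000000-7f2000055000 r-xp 00000000 08:03 14424700 /usr/lib64/libssl.so.1.0.0
/proc/5001/maps:7f3000000000-7f3000020000 r-xp 00000000 08:03 14424800 /lib64/libz.so.1 (deleted)'

# Demo on the constructed sample: prints 3445, 4553 and 4600, one per line.
printf '%s\n' "$SAMPLE" | deleted_ssl_pids

# On the real host, as root:
#   report_pids $(scan_live)
# then restart whatever it lists; an empty list means nothing still has the
# old library loaded.
```

The (deleted) marker is the only reliable signal here: `yum` reports the new package as installed as soon as the transaction finishes, but every already-running process keeps executing the old code until it is restarted, which is why the post re-runs the scan after the restarts.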