Building an openssl 3.0.3 RPM package on CentOS 6.5 and upgrading

OpenSSL command execution and denial-of-service vulnerabilities

Vulnerability details

1. CVE-2022-1292: OpenSSL command injection vulnerability (medium): Because the c_rehash script does not properly sanitize shell metacharacters, command injection is possible; an unauthenticated attacker can use this flaw to execute arbitrary commands with the privileges of the script.

2. CVE-2022-1343: OpenSSL incorrectly verifies response-signing certificates (medium): Because the OCSP_basic_verify function verifies certain signing certificates incorrectly, an unauthenticated attacker can use this flaw to carry out certificate spoofing, so that an illegitimate response-signing certificate passes verification.

3. CVE-2022-1434: OpenSSL cryptographic error (low): The OpenSSL 3.0 implementation of the RC4-MD5 cipher suite incorrectly uses the AAD data as the MAC key, which makes the MAC key predictable. An unauthenticated attacker can use this flaw to carry out a man-in-the-middle attack and modify communication data, but cannot decrypt the data.

4. CVE-2022-1473: OpenSSL denial-of-service vulnerability (low): The OPENSSL_LH_flush() function, used to empty a hash table, contains an error; when decoding certificates or keys, memory usage grows without bound and the process may be killed by the system, resulting in denial of service.

Severity

Medium

Vulnerability type: command execution and denial of service

Affected versions

Since the server I need to upgrade runs CentOS 6.5, the test environment was also CentOS 6.5 for verification.

Steps to build openssl

Step 1: Prepare the CentOS-Base and epel repositories

CentOS-Base.repo

[base]
name=CentOS-$releasever - Base
baseurl=http://mirrors.aliyun.com/centos-vault/6.10/os/$basearch/
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6

[updates]
name=CentOS-$releasever - Updates
baseurl=http://mirrors.aliyun.com/centos-vault/6.10/updates/$basearch/
gpgcheck=1
enabled=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6

epel.repo

[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 6 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch/debug
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 6 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/6/SRPMS
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1

epel-testing.repo

[epel-testing]
name=Extra Packages for Enterprise Linux 6 - Testing - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/testing/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=testing-epel6&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6

[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 6 - Testing - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/testing/6/$basearch/debug
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=testing-debug-epel6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1

[epel-testing-source]
name=Extra Packages for Enterprise Linux 6 - Testing - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/testing/6/SRPMS
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=testing-source-epel6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1

Step 2: Prepare the source package and upload it to the expected location

cd /root
wget https://www.openssl.org/source/openssl-3.0.3.tar.gz

Step 3: Prepare the script that builds the openssl 3.0.3 rpm package

The script is as follows:

#!/bin/bash
set -e
set -v

mkdir ~/openssl && cd ~/openssl

# Build dependencies
yum -y install \
  curl \
  which \
  make \
  gcc \
  perl \
  perl-WWW-Curl \
  rpm-build \
  perl-CPAN \
  perl-IPC-Cmd \
  perl-ExtUtils-CBuilder \
  perl-ExtUtils-MakeMaker

# Get openssl tarball
cp /root/openssl-3.0.3.tar.gz ./

# SPEC file
cat << 'EOF' > ~/openssl/openssl.spec
Summary: OpenSSL 3.0.3 for Centos
Name: openssl
Version: %{?version}%{!?version:3.0.3}
Release: 1%{?dist}
Obsoletes: %{name} <= %{version}
Provides: %{name} = %{version}
URL: https://www.openssl.org/
License: GPLv2+
Source: https://www.openssl.org/source/%{name}-%{version}.tar.gz
BuildRequires: make gcc perl perl-WWW-Curl
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root

%global openssldir /usr/openssl

%description
OpenSSL RPM for version 3.0.3 on Centos

%package devel
Summary: Development files for programs which will use the openssl library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}

%description devel
OpenSSL RPM for version 3.0.3 on Centos (development package)

%prep
%setup -q

%build
./config --prefix=%{openssldir} --openssldir=%{openssldir}
make

%install
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%make_install
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
# On x86_64, OpenSSL 3.0 installs its libraries under lib64, not lib, unless
# --libdir is given. Pointing the symlinks at lib would leave them dangling and
# the binary would fail with "error while loading shared libraries: libssl.so.3".
ln -sf %{openssldir}/lib64/libssl.so.3 %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib64/libcrypto.so.3 %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}

%clean
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}

%files
%{openssldir}
%defattr(-,root,root)
/usr/bin/openssl
/usr/lib64/libcrypto.so.3
/usr/lib64/libssl.so.3

%files devel
%{openssldir}/include/*
%defattr(-,root,root)

%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
EOF

mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
cp ~/openssl/openssl.spec /root/rpmbuild/SPECS/openssl.spec
mv openssl-3.0.3.tar.gz /root/rpmbuild/SOURCES

cd /root/rpmbuild/SPECS && \
rpmbuild \
  -D "version 3.0.3" \
  -ba openssl.spec

# Before Uninstall Openssl (check the status before installing): rpm -qa openssl
# Uninstall Current Openssl Version (remove the current openssl): rpm -e openssl-1.0.1e-57.el6.x86_64 --nodeps         # Note: personally I still recommend not removing it; removal may cause problems (to be confirmed)
# For install (install the new version and verify): rpm -ivh /root/rpmbuild/RPMS/x86_64/openssl-3.0.3-1.el6.x86_64.rpm --nodeps --force
# Verify install: rpm -qa openssl
# openssl version
# If you get the error: openssl: error while loading shared libraries: libssl.so.3
# Fix:
#ln -s /usr/openssl/lib64/libssl.so.3 /usr/lib64/libssl.so.3
#ln -s /usr/openssl/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3
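A post-upgrade check script, added here as an example and not part of the original post: it confirms that `openssl version` reports at least 3.0.3 and that the compatibility symlinks in /usr/lib64 actually resolve, since a lib vs lib64 mismatch in the spec yields dangling links and the loading error noted above. The symlink paths and the 3.0.3 threshold come from the spec; the helper names are my own.

```shell
#!/bin/sh
# Post-upgrade check for the OpenSSL 3.0.3 RPM built above.
# Added example, not from the original post. Assumes the spec's
# layout: prefix /usr/openssl, libraries in lib64, and the
# compatibility symlinks /usr/lib64/libssl.so.3 and libcrypto.so.3.

# Dotted version from an `openssl version` line,
# e.g. "OpenSSL 3.0.3 3 May 2022" -> "3.0.3"; empty if not OpenSSL.
openssl_version_of() {
  set -- $1   # intentional word splitting
  if [ "$1" = "OpenSSL" ]; then printf '%s\n' "$2"; fi
}

# version_ge A B: true when dotted version A >= B. Non-digit
# suffixes such as the "e" in 1.0.1e are dropped before comparing.
version_ge() {
  while [ -n "$1" ] || [ -n "$2" ]; do
    x=${1%%.*}; x=${x%%[!0-9]*}
    y=${2%%.*}; y=${y%%[!0-9]*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $1 in *.*) set -- "${1#*.}" "$2" ;; *) set -- "" "$2" ;; esac
    case $2 in *.*) set -- "$1" "${2#*.}" ;; *) set -- "$1" "" ;; esac
  done
  return 0
}

# True when $1 is a symlink whose target exists. A dangling link
# is what produces "error while loading shared libraries".
symlink_resolves() {
  if [ -L "$1" ] && [ -e "$1" ]; then return 0; fi
  return 1
}

# Run every check on the live system; non-zero if anything is off.
check_openssl_upgrade() {
  rc=0
  ver=$(openssl_version_of "$(openssl version 2>/dev/null)")
  if version_ge "${ver:-0}" 3.0.3; then echo "ok: openssl $ver"
  else echo "FAIL: openssl version '${ver:-unknown}' < 3.0.3"; rc=1; fi
  for lib in /usr/lib64/libssl.so.3 /usr/lib64/libcrypto.so.3; do
    if symlink_resolves "$lib"; then echo "ok: $lib -> $(readlink "$lib")"
    else echo "FAIL: $lib missing or dangling (lib vs lib64?)"; rc=1; fi
  done
  return $rc
}

# Only run the live checks when invoked as: sh check-openssl.sh --check
if [ "${1-}" = "--check" ]; then check_openssl_upgrade; fi
```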

After the build completes, three files are generated in total; fetch the packages you need.

Link: https://pan.baidu.com/s/1vS4b_7fX745qyY-_fHC_Pg

Extraction code: 18g2

openssl-3.0.3-1.el6.x86_64

openssl-debuginfo-3.0.3-1.el6.x86_64

openssl-devel-3.0.3-1.el6.x86_64

Note: after the update, verify that you can still log in to the server normally.

Posted 2022-05-19 15:25 by 岁月星空