el7升级openssh和openssl修复漏洞

1、openssh和openssl安全漏洞

 OpenSSH 命令注入漏洞(CVE-2020-15778)
 OpenSSH 用户枚举漏洞(CVE-2018-15919)
 OpenSSH 安全漏洞(CVE-2017-15906)
  OpenSSL 安全漏洞(CVE-2018-0732)
 OpenSSL 安全漏洞(CVE-2017-3735)
 OpenSSL 信息泄露漏洞（CVE-2017-3736）
 OpenSSL 安全限制绕过漏洞（CVE-2017-3737）
 OpenSSL 旁道攻击信息泄露漏洞（CVE-2018-0734）
 OpenSSL 安全漏洞(CVE-2019-1547)
 OpenSSL 缓冲区错误漏洞(CVE-2019-1551)
 OpenSSL rsaz_1024_mul_avx2溢出信息泄露漏洞(CVE-2017-3738)
 OpenSSL旁道攻击信息泄露漏洞（CVE-2018-0737）
 OpenSSL 信息泄露漏洞(CVE-2018-5407)

2、openssl

2.1、下载

下载网址如下

https://openssl-library.org/source/old/index.html

下载1.1.1w的版本

wget https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_1w/openssl-1.1.1w.tar.gz

2.2、编译 openssl rpm包

2.2.1 安装rpmbuild等依赖包

yum install autoconf doxygen libtool libuuid-devel openldap-devel lua-devel libxml2-devel expat-devel db4-devel postgresql-devel sqlite-devel unixODBC-devel nss-devel apr-util-devel gcc make rpm-build perl-ExtUtils-CBuilder perl-ExtUtils-MakeMaker perl-WWW-Curl libXt-devel imake gtk2-devel krb5-devel pam-devel

2.2.2 准备rpmbuild构建目录

mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}

BUILD: 用于存放编译过程中生成的文件
BUILDROOT：用于存放编译后的根文件系统
RPMS：用于存放编译后的 RPM 包
SOURCES：用于存放源代码包
SPECS：用于存放 RPM 规范文件
SRPMS：用于存放源 RPM 包

2.2.4 编译openssl rpm包

cp openssl-1.1.1w.tar.gz  ~/rpmbuild/SOURCES

openssl的spec文件需要自己写，默认不带

cd  ~/rpmbuild/SPECS/

vim openssl.spec

%define version 1.1.1w
%define release 17
%define sover 1.1

Summary: OpenSSL 1.1.1w for CentOS
Name: openssl
Version: %{?version}%{!?version:1.1.1w}
Release: %{release}%{?dist}
Obsoletes: %{name} <= %{version}
Provides: %{name} = %{version}
URL: https://www.openssl.org/
License: GPLv2+

Source: https://www.openssl.org/source/%{name}-%{version}.tar.gz

BuildRequires: make gcc perl perl-ExtUtils-CBuilder perl-ExtUtils-MakeMaker perl-WWW-Curl
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%global openssldir /usr/local/openssl

%description
https://github.com/philyuchkoff/openssl-RPM-Builder
OpenSSL RPM for version 1.1.1w on CentOS

%package devel
Summary: Development files for programs which will use the openssl library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}

%description devel
OpenSSL RPM for version 1.1.1w on CentOS (development package)

%package        libs
Summary:        OpenSSL shared libraries
License:        OpenSSL
Group:          System Environment/Libraries
Obsoletes:      openssl-libs < %{version}-%{release}
Provides:       openssl-libs = %{version}-%{release}

%description libs
This package contains the shared libraries that are used by applications
linked against OpenSSL.

%prep
%setup -q

%build
./config --prefix=%{openssldir} --openssldir=%{openssldir}

make -j$(nproc)

%install
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%make_install

mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libssl.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libcrypto.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}

%clean
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}

%files
%{openssldir}
%defattr(-,root,root)
/usr/bin/openssl
%{_libdir}/libcrypto.so.%{sover}*
%{_libdir}/libssl.so.%{sover}*

%files devel
%{openssldir}/include/*
%defattr(-,root,root)

%files libs
%defattr(-,root,root,-)
%{_libdir}/libcrypto.so.%{sover}*
%{_libdir}/libssl.so.%{sover}*

%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig

执行编译

rpmbuild -D "version 1.1.1w" -ba openssl.spec

参数解释:

ba 构建源代码rpm包和二进制rpm包
bb 只构建二进制rpm包
bs 只构建源代码rpm包
bp 执行至％prep阶段（解压源并应用补丁）
bc 执行至％build阶段（％prep，然后编译）
bi 执行至％install阶段（％prep，％build，然后安装）
bl 验证％files部分，查看文件是否存在

编译完成后查看rpm包：

ls -hl ../RPMS/aarch64/openssl-*
-rw-r--r-- 1 root root 6.1M Aug  7 11:10 ../RPMS/aarch64/openssl-1.1.1w-17.el7.aarch64.rpm
-rw-r--r-- 1 root root 118K Aug  7 11:10 ../RPMS/aarch64/openssl-debuginfo-1.1.1w-17.el7.aarch64.rpm
-rw-r--r-- 1 root root 230K Aug  7 11:10 ../RPMS/aarch64/openssl-devel-1.1.1w-17.el7.aarch64.rpm
-rw-r--r-- 1 root root 2.4K Aug  7 11:10 ../RPMS/aarch64/openssl-libs-1.1.1w-17.el7.aarch64.rpm

2.2.5 安装openssl rpm

卸载后再安装

cd ../RPMS/aarch64
rpm -e openssl-1.0.2k --nodeps

rpm -ivh openssl-1.1.1w-17.el7.aarch64.rpm --nodeps --force
rpm -ivh openssl-devel-1.1.1w-17.el7.aarch64.rpm

3.3、openssh

3.3.1 下载

下载网址如下

https://src.fedoraproject.org/repo/pkgs/openssh/

下载目前的最新版

wget https://src.fedoraproject.org/repo/pkgs/openssh/openssh-9.8p1.tar.gz

openssh编译的时候需要用到x11-ssh-askpass，下载链接如下

wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz

3.3.2 编译openssh rpm包

cp openssh-9.8p1.tar.gz x11-ssh-askpass-1.2.4.1.tar.gz  ~/rpmbuild/SOURCES
tar -xvf openssh-9.8p1.tar.gz
cp openssh-9.8p1/contrib/redhat/openssh.spec ~/rpmbuild/SPECS/
cd ~/rpmbuild/SPECS/

修改openssh.spec，添加openssl支持

%configure \
        --sysconfdir=%{_sysconfdir}/ssh \
        --libexecdir=%{_libexecdir}/openssh \
        --datadir=%{_datadir}/openssh \
        --with-default-path=/usr/local/bin:/bin:/usr/bin \
        --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
        --with-privsep-path=%{_var}/empty/sshd \
        --mandir=%{_mandir} \
        --with-mantype=man \
        --disable-strip \
        --with-ssl-dir=/usr/local/openssl \
%if %{scard}
        --with-smartcard \
%endif
%if %{rescue}
        --without-pam \
%else
        --with-pam \
%endif
%if %{kerberos5}
         --with-kerberos5=$K5DIR \
%endif

编译

rpmbuild -ba openssh.spec

编译完成后查看rpm包：

ls -hl ../RPMS/aarch64/openssh*
-rw-r--r-- 1 root root 566K Aug  8 10:53 ../RPMS/aarch64/openssh-9.8p1-1.el7.aarch64.rpm
-rw-r--r-- 1 root root  44K Aug  8 10:53 ../RPMS/aarch64/openssh-askpass-9.8p1-1.el7.aarch64.rpm
-rw-r--r-- 1 root root  26K Aug  8 10:53 ../RPMS/aarch64/openssh-askpass-gnome-9.8p1-1.el7.aarch64.rpm
-rw-r--r-- 1 root root 590K Aug  8 10:53 ../RPMS/aarch64/openssh-clients-9.8p1-1.el7.aarch64.rpm
-rw-r--r-- 1 root root 3.4M Aug  8 10:53 ../RPMS/aarch64/openssh-debuginfo-9.8p1-1.el7.aarch64.rpm
-rw-r--r-- 1 root root 493K Aug  8 10:53 ../RPMS/aarch64/openssh-server-9.8p1-1.el7.aarch64.rpm
(nova-ssh)[root@controller1 SPECS]#

3.3.3 安装ssh rpm

安装

cd ../RPMS/aarch64
rpm -Uvh openssh-*.rpm

3.3.4、启动服务

systemctl start sshd

4.问题记录

4.1 Can't locate IPC/Cmd.pm

在编译openssl 3.3.1的时候出现如下错误：

 ./config --prefix=/usr/local/openssl-3.3.1 --openssldir=/usr/lo
Can't locate IPC/Cmd.pm in @INC (@INC contains: /tmp/openssl-3.3.1/util/perl /usr/local/lib64/perl5 /usr/lo/perl/Text-Template-1.56/lib) at /tmp/openssl-3.3.1/util/perl/OpenSSL/config.pm line 19.
BEGIN failed--compilation aborted at /tmp/openssl-3.3.1/util/perl/OpenSSL/config.pm line 19.
Compilation failed in require at /tmp/openssl-3.3.1/Configure line 23.
BEGIN failed--compilation aborted at /tmp/openssl-3.3.1/Configure line 23.

缺少依赖包

yum install perl-ExtUtils-CBuilder perl-ExtUtils-MakeMaker perl-WWW-Curl

4.2 /lib64/libssl.so.10: version 'libssl.so.10' not found and /lib64/libcrypto.so.10: version 'libcrypto.so.10' not found

安装openssl-libs-1.1.1w-17.el7.aarch64.rpm升级包后，执行yum命令出现如下问题

There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

   /lib64/libcrypto.so.10: version `libcrypto.so.10' not found (required by /usr/lib64/python2.7/lib-dynload/_hashlib.so)

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.7.5 (default, Aug  7 2019, 00:57:09)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

If you cannot solve this problem yourself, please go to
the yum faq at:
  http://yum.baseurl.org/wiki/Faq

通过建立新库的链接无法解决，原因是yum等依赖旧的的libssl和libcrypto库，拷贝旧库进去，重新链接下解决问题如下：

ln -sf libssl.so.1.0.2k libssl.so.10
ln -sf libcrypto.so.1.0.2k libcrypto.so.10

或者不安装openssl-libs-1.1.1w-17.el7.aarch64.rpm，保留原来的库