1、OpenSSH and OpenSSL security vulnerabilities
- OpenSSH command injection vulnerability (CVE-2020-15778)
- OpenSSH user enumeration vulnerability (CVE-2018-15919)
- OpenSSH security vulnerability (CVE-2017-15906)
- OpenSSL security vulnerability (CVE-2018-0732)
- OpenSSL security vulnerability (CVE-2017-3735)
- OpenSSL information disclosure vulnerability (CVE-2017-3736)
- OpenSSL security restriction bypass vulnerability (CVE-2017-3737)
- OpenSSL side-channel information disclosure vulnerability (CVE-2018-0734)
- OpenSSL security vulnerability (CVE-2019-1547)
- OpenSSL buffer error vulnerability (CVE-2019-1551)
- OpenSSL rsaz_1024_mul_avx2 overflow information disclosure vulnerability (CVE-2017-3738)
- OpenSSL side-channel information disclosure vulnerability (CVE-2018-0737)
- OpenSSL information disclosure vulnerability (CVE-2018-5407)
2、openssl
2.1、Download
The download page is:
https://openssl-library.org/source/old/index.html
Download version 1.1.1w:
wget https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_1w/openssl-1.1.1w.tar.gz
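Before handing the tarball to rpmbuild, check it against the SHA-256 digest upstream publishes beside it. This is an added example, not code from the original post; it assumes the digest file is the bare-hex openssl-1.1.1w.tar.gz.sha256 that OpenSSL publishes next to the tarball (the .asc signature checked with gpg is the stronger test), and the file it hashes in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded source
# tarball against the SHA-256 digest published beside it before rpmbuild
# ever unpacks it. Assumes the digest file is OpenSSL's bare-hex
# openssl-1.1.1w.tar.gz.sha256; the sample file below is constructed.

# Print the SHA-256 of file $1 with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Succeed only when file $1 hashes to $2; $2 may be a bare hex digest or a
# "<hex>  <name>" line as sha256sum prints. Rejects malformed digests so a
# truncated or empty sidecar file never "verifies".
verify_sha256() {
    expected=$(printf '%s' "$2" | awk '{print tolower($1)}')
    case "$expected" in
        *[!0-9a-f]*|'') echo "malformed digest: $2" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest is not 256 bits" >&2; return 2; }
    [ "$(sha256_of "$1")" = "$expected" ]
}

# Constructed sample: "abc" has a well-known SHA-256.
ABC_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SAMPLE=$(mktemp)
printf 'abc' > "$SAMPLE"
if verify_sha256 "$SAMPLE" "$ABC_SHA256"; then echo "sample digest ok"; fi
rm -f "$SAMPLE"

# Real use after the wget in 2.1, with the sidecar fetched from the same
# release page; a gpg --verify of the .asc against the OpenSSL release key
# additionally proves who published the digest:
#   verify_sha256 openssl-1.1.1w.tar.gz "$(cat openssl-1.1.1w.tar.gz.sha256)" \
#       || { echo "refusing to build from an unverified tarball" >&2; exit 1; }
```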
2.2、Build the openssl RPM package
2.2.1 Install rpmbuild and the other build dependencies
yum install autoconf doxygen libtool libuuid-devel openldap-devel lua-devel libxml2-devel expat-devel db4-devel postgresql-devel sqlite-devel unixODBC-devel nss-devel apr-util-devel gcc make rpm-build perl-ExtUtils-CBuilder perl-ExtUtils-MakeMaker perl-WWW-Curl libXt-devel imake gtk2-devel krb5-devel pam-devel
2.2.2 Prepare the rpmbuild directory tree
mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
- BUILD: files generated during the build
- BUILDROOT: the staged root file system after the build
- RPMS: the binary RPM packages produced by the build
- SOURCES: source tarballs
- SPECS: RPM spec files
- SRPMS: source RPM packages
2.2.4 Build the openssl RPM package
cp openssl-1.1.1w.tar.gz ~/rpmbuild/SOURCES
The openssl tarball does not ship a spec file, so write one yourself:
cd ~/rpmbuild/SPECS/
vim openssl.spec
%define version 1.1.1w
%define release 17
%define sover 1.1
Summary: OpenSSL 1.1.1w for CentOS
Name: openssl
Version: %{?version}%{!?version:1.1.1w}
Release: %{release}%{?dist}
Obsoletes: %{name} <= %{version}
Provides: %{name} = %{version}
URL: https://www.openssl.org/
License: OpenSSL
Source: https://www.openssl.org/source/%{name}-%{version}.tar.gz
BuildRequires: make gcc perl perl-ExtUtils-CBuilder perl-ExtUtils-MakeMaker perl-WWW-Curl
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%global openssldir /usr/local/openssl
%description
https://github.com/philyuchkoff/openssl-RPM-Builder
OpenSSL RPM for version 1.1.1w on CentOS
%package devel
Summary: Development files for programs which will use the openssl library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
OpenSSL RPM for version 1.1.1w on CentOS (development package)
%package libs
Summary: OpenSSL shared libraries
License: OpenSSL
Group: System Environment/Libraries
Obsoletes: openssl-libs < %{version}-%{release}
Provides: openssl-libs = %{version}-%{release}
%description libs
This package contains the shared libraries that are used by applications
linked against OpenSSL.
%prep
%setup -q
%build
./config --prefix=%{openssldir} --openssldir=%{openssldir}
make -j$(nproc)
%install
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%make_install
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libssl.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libcrypto.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}
%clean
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%files
%{openssldir}
%defattr(-,root,root)
/usr/bin/openssl
%{_libdir}/libcrypto.so.%{sover}*
%{_libdir}/libssl.so.%{sover}*
%files devel
%{openssldir}/include/*
%defattr(-,root,root)
%files libs
%defattr(-,root,root,-)
%{_libdir}/libcrypto.so.%{sover}*
%{_libdir}/libssl.so.%{sover}*
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
Run the build:
rpmbuild -D "version 1.1.1w" -ba openssl.spec
Option explanation:
- ba: build both the source RPM and the binary RPM
- bb: build only the binary RPM
- bs: build only the source RPM
- bp: run through the %prep stage (unpack the source and apply patches)
- bc: run through the %build stage (%prep, then compile)
- bi: run through the %install stage (%prep, %build, then install)
- bl: check the %files section, verifying that the listed files exist
After the build finishes, list the RPM packages:
ls -hl ../RPMS/aarch64/openssl-*
-rw-r--r-- 1 root root 6.1M Aug 7 11:10 ../RPMS/aarch64/openssl-1.1.1w-17.el7.aarch64.rpm
-rw-r--r-- 1 root root 118K Aug 7 11:10 ../RPMS/aarch64/openssl-debuginfo-1.1.1w-17.el7.aarch64.rpm
-rw-r--r-- 1 root root 230K Aug 7 11:10 ../RPMS/aarch64/openssl-devel-1.1.1w-17.el7.aarch64.rpm
-rw-r--r-- 1 root root 2.4K Aug 7 11:10 ../RPMS/aarch64/openssl-libs-1.1.1w-17.el7.aarch64.rpm
2.2.5 Install the openssl RPMs
Remove the old package, then install the new ones:
cd ../RPMS/aarch64
rpm -e openssl-1.0.2k --nodeps
rpm -ivh openssl-1.1.1w-17.el7.aarch64.rpm --nodeps --force
rpm -ivh openssl-devel-1.1.1w-17.el7.aarch64.rpm
3.3、openssh
3.3.1 Download
The download page is:
https://src.fedoraproject.org/repo/pkgs/openssh/
Download the current latest version:
wget https://src.fedoraproject.org/repo/pkgs/openssh/openssh-9.8p1.tar.gz
Building openssh also needs x11-ssh-askpass; download it from:
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz
3.3.2 Build the openssh RPM packages
cp openssh-9.8p1.tar.gz x11-ssh-askpass-1.2.4.1.tar.gz ~/rpmbuild/SOURCES
tar -xvf openssh-9.8p1.tar.gz
cp openssh-9.8p1/contrib/redhat/openssh.spec ~/rpmbuild/SPECS/
cd ~/rpmbuild/SPECS/
Edit openssh.spec to add OpenSSL support (the --with-ssl-dir line points at the openssl built above):
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/openssh \
--datadir=%{_datadir}/openssh \
--with-default-path=/usr/local/bin:/bin:/usr/bin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/sshd \
--mandir=%{_mandir} \
--with-mantype=man \
--disable-strip \
--with-ssl-dir=/usr/local/openssl \
%if %{scard}
--with-smartcard \
%endif
%if %{rescue}
--without-pam \
%else
--with-pam \
%endif
%if %{kerberos5}
--with-kerberos5=$K5DIR \
%endif
Build:
rpmbuild -ba openssh.spec
After the build finishes, list the RPM packages:
ls -hl ../RPMS/aarch64/openssh*
-rw-r--r-- 1 root root 566K Aug 8 10:53 ../RPMS/aarch64/openssh-9.8p1-1.el7.aarch64.rpm
-rw-r--r-- 1 root root 44K Aug 8 10:53 ../RPMS/aarch64/openssh-askpass-9.8p1-1.el7.aarch64.rpm
-rw-r--r-- 1 root root 26K Aug 8 10:53 ../RPMS/aarch64/openssh-askpass-gnome-9.8p1-1.el7.aarch64.rpm
-rw-r--r-- 1 root root 590K Aug 8 10:53 ../RPMS/aarch64/openssh-clients-9.8p1-1.el7.aarch64.rpm
-rw-r--r-- 1 root root 3.4M Aug 8 10:53 ../RPMS/aarch64/openssh-debuginfo-9.8p1-1.el7.aarch64.rpm
-rw-r--r-- 1 root root 493K Aug 8 10:53 ../RPMS/aarch64/openssh-server-9.8p1-1.el7.aarch64.rpm
3.3.3 Install the ssh RPMs
Install:
cd ../RPMS/aarch64
rpm -Uvh openssh-*.rpm
3.3.4、Start the service
systemctl start sshd
4. Problem log
4.1 Can't locate IPC/Cmd.pm
The following error appeared while building openssl 3.3.1:
./config --prefix=/usr/local/openssl-3.3.1 --openssldir=/usr/lo
Can't locate IPC/Cmd.pm in @INC (@INC contains: /tmp/openssl-3.3.1/util/perl /usr/local/lib64/perl5 /usr/lo/perl/Text-Template-1.56/lib) at /tmp/openssl-3.3.1/util/perl/OpenSSL/config.pm line 19.
BEGIN failed--compilation aborted at /tmp/openssl-3.3.1/util/perl/OpenSSL/config.pm line 19.
Compilation failed in require at /tmp/openssl-3.3.1/Configure line 23.
BEGIN failed--compilation aborted at /tmp/openssl-3.3.1/Configure line 23.
Dependency packages are missing; install them:
yum install perl-ExtUtils-CBuilder perl-ExtUtils-MakeMaker perl-WWW-Curl
4.2 /lib64/libssl.so.10: version 'libssl.so.10' not found and /lib64/libcrypto.so.10: version 'libcrypto.so.10' not found
After installing the openssl-libs-1.1.1w-17.el7.aarch64.rpm upgrade package, running yum fails with the following problem:
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:
/lib64/libcrypto.so.10: version `libcrypto.so.10' not found (required by /usr/lib64/python2.7/lib-dynload/_hashlib.so)
Please install a package which provides this module, or
verify that the module is installed correctly.
It's possible that the above module doesn't match the
current version of Python, which is:
2.7.5 (default, Aug 7 2019, 00:57:09)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
If you cannot solve this problem yourself, please go to
the yum faq at:
http://yum.baseurl.org/wiki/Faq
Linking the new libraries under the old names does not fix this, because yum and other tools depend on the old libssl and libcrypto; copying the old libraries back in and re-creating the links resolves it:
ln -sf libssl.so.1.0.2k libssl.so.10
ln -sf libcrypto.so.1.0.2k libcrypto.so.10
Alternatively, do not install openssl-libs-1.1.1w-17.el7.aarch64.rpm and keep the original libraries.
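Two checks a practitioner wants around the `rpm -e ... --nodeps` step in 2.2.5 and the libcrypto.so.10 failure in 4.2: which installed packages still need the old CentOS 7 sonames, and whether a given binary links the new 1.1.1 libraries or the old ones. This is an added example, not the post's own code; the ldd listings and version strings it tests are constructed, and only the guarded block at the end queries the live host.

```shell
#!/bin/sh
# Added example (not from the original post): checks around the
# `rpm -e openssl-1.0.2k --nodeps` step in 2.2.5 and the libcrypto.so.10
# failure in 4.2. The ldd listings below are constructed; only the final
# guarded block queries the live host.

# Succeed when OpenSSL version $1 is at least $2 (e.g. 1.1.1w): numeric
# fields first, then the 1.1.1-series letter suffix (k sorts before w).
ssl_version_at_least() {
    for i in 1 2 3; do
        h=$(printf '%s' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        w=$(printf '%s' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        [ "${h:-0}" -gt "${w:-0}" ] && return 0
        [ "${h:-0}" -lt "${w:-0}" ] && return 1
    done
    hs=$(printf '%s' "$1" | cut -d. -f3 | sed 's/^[0-9]*//')
    ws=$(printf '%s' "$2" | cut -d. -f3 | sed 's/^[0-9]*//')
    # Numbers equal: $1 passes only if its suffix sorts last (or is equal).
    [ "$(printf '%s\n%s\n' "$ws" "$hs" | sort | tail -n 1)" = "$hs" ]
}

# Read ldd(1) output on stdin; succeed when the binary still needs the
# CentOS 7 sonames that the rebuilt openssl-libs package does not provide.
links_old_openssl() {
    grep -Eq 'lib(ssl|crypto)\.so\.10([^0-9.]|$)'
}

# Installed packages that still require the old sonames; these break after
# a --nodeps removal (yum's python2 _hashlib.so in 4.2 is the usual one).
old_soname_dependents() {
    rpm -q --whatrequires 'libssl.so.10()(64bit)' 'libcrypto.so.10()(64bit)' 2>/dev/null || true
}

# Constructed samples: the python _hashlib.so from 4.2, and an sshd built
# with --with-ssl-dir=/usr/local/openssl as in 3.3.2.
LDD_HASHLIB='libcrypto.so.10 => /lib64/libcrypto.so.10 (0x0000ffff99e60000)
    libc.so.6 => /lib64/libc.so.6 (0x0000ffff99cd0000)'
LDD_SSHD='libssl.so.1.1 => /usr/local/openssl/lib/libssl.so.1.1 (0x0000ffff9a200000)
    libcrypto.so.1.1 => /usr/local/openssl/lib/libcrypto.so.1.1 (0x0000ffff99f00000)'

if printf '%s\n' "$LDD_HASHLIB" | links_old_openssl; then
    echo "sample _hashlib.so still needs libcrypto.so.10: keep the 1.0.2k links"
fi
if command -v openssl >/dev/null 2>&1 && command -v rpm >/dev/null 2>&1; then
    live=$(openssl version | awk '{print $2}')
    ssl_version_at_least "$live" 1.1.1w && echo "openssl $live is at or above 1.1.1w"
    echo "packages still needing libssl.so.10 / libcrypto.so.10:"; old_soname_dependents
fi
```

On the real host, feed `ldd /usr/sbin/sshd` and `ldd /usr/lib64/python2.7/lib-dynload/_hashlib.so` into links_old_openssl to see which side of the upgrade each binary is on before removing anything.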