How to fix the Padding Oracle (CVE-2016-2107) on Ubuntu/Apache/PHP


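I am trying to fix CVE-2016-2107.

I consulted several websites, but they don't seem to provide a clear answer for all cases:

I am using Apache2 2.4.12 and PHP 5.5.26.

I ran:

apt-get install openssl libssl-dev
sudo apt-get install libssl1.0.0

It installed the new OpenSSL, but Apache/PHP is still using the old installation; phpinfo() shows: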

openssl
OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1f 6 Jan 2014
OpenSSL Header Version  OpenSSL 1.0.1f 6 Jan 2014

Proof that the new OpenSSL is installed:

ubuntu@ip-xxxxx:/usr/bin$ openssl version
OpenSSL 1.0.2h  3 May 2016
dpkg -l | grep ssl
ii  libflac8:amd64                           1.3.0-2ubuntu0.14.04.1               amd64        Free Lossless Audio Codec - runtime C library
ii  libgnutls-openssl27:amd64                2.12.23-12ubuntu2.2                  amd64        GNU TLS library - OpenSSL wrapper
ii  libio-socket-ssl-perl                    1.965-1ubuntu1                       all          Perl module implementing object oriented interface to SSL sockets
ii  libnet-smtp-ssl-perl                     1.01-3                               all          Perl module providing SSL support to Net::SMTP
ii  libnet-ssleay-perl                       1.58-1                               amd64        Perl module for Secure Sockets Layer (SSL)
ii  libssl-dev:amd64                         1.0.2h-1+deb.sury.org~trusty+1       amd64        Secure Sockets Layer toolkit - development files
ii  libssl-doc                               1.0.1f-1ubuntu2.15                   all          Secure Sockets Layer toolkit - development documentation
ii  libssl1.0.0:amd64                        1.0.1f-1ubuntu2.19                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl1.0.2:amd64                        1.0.2h-1+deb.sury.org~trusty+1       amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl                                  1.0.2h-1+deb.sury.org~trusty+1       amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  python-openssl                           0.13-2ubuntu6                        amd64        Python 2 wrapper around the OpenSSL library
ii  ssl-cert                                 1.0.33                               all          simple debconf wrapper for OpenSSL
apt-cache policy libssl1.0.2.
libssl1.0.2-dbg:
  Installed: (none)
  Candidate: 1.0.2h-1+deb.sury.org~trusty+1
  Version table:
     1.0.2h-1+deb.sury.org~trusty+1 0
        500 http://ppa.launchpad.net/ondrej/php5/ubuntu/ trusty/main amd64 Packages
ubuntu@ip-xxxxx:/usr/bin$ apt-cache policy libssl-dev
libssl-dev:
  Installed: 1.0.2h-1+deb.sury.org~trusty+1
  Candidate: 1.0.2h-1+deb.sury.org~trusty+1
  Version table:
 *** 1.0.2h-1+deb.sury.org~trusty+1 0
        500 http://ppa.launchpad.net/ondrej/php5/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1f-1ubuntu2.19 0
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     1.0.1f-1ubuntu2 0
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Can someone help me tell Apache/PHP about the new OpenSSL installation? Thanks!

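Answer 1

I think you are using an old PHP 5.5 that is linked against the old SSL library, so the current SSL library is not being used. You could also try upgrading the PHP package.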
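One way to check the linkage the answer describes, as an added example that is not part of the original question or answer: a binary linked against `libssl.so.1.0.0` keeps loading that file even when the `libssl1.0.2` package is installed beside it, and a running process keeps the copy it mapped at start until it is restarted. The function names and the sample `maps` lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list the libssl/libcrypto files a binary or process uses.

# Read `ldd` output or /proc/<pid>/maps text on stdin and print each unique
# libssl/libcrypto path once. In maps, a trailing "(deleted)" means the file
# was replaced on disk after the process started, so it is marked STALE.
ssl_libs() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\/.*\/lib(ssl|crypto)\.so[^ ]*$/) {
                mark = ($(i + 1) == "(deleted)") ? " STALE" : ""
                entry = $i mark
                if (!(entry in seen)) { seen[entry] = 1; print entry }
            }
        }
    }'
}

# Static check: which libssl a binary or module file is linked against.
ssl_libs_of_file() { ldd "$1" | ssl_libs; }

# Live check: which libssl a running process has mapped (needs read access
# to /proc/<pid>/maps, normally root for Apache workers).
ssl_libs_of_pid() { ssl_libs < "/proc/$1/maps"; }

# Constructed sample of /proc/<pid>/maps lines, used to show the output.
sample_maps() {
    cat <<'EOF'
7f3a1c000000-7f3a1c05e000 r-xp 00000000 ca:01 396100 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c25e000-7f3a1c262000 rw-p 0005e000 ca:01 396100 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1b800000-7f3a1b9b3000 r-xp 00000000 ca:01 396101 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF
}

# Usage: pass PIDs as arguments, for example those printed by `pgrep apache2`.
for pid in "$@"; do
    echo "== PID $pid"
    ssl_libs_of_pid "$pid"
done
```

A STALE entry means the package was upgraded but the service was not restarted; a path ending in `.so.1.0.0` means the fix has to arrive through the `libssl1.0.0` package, or the binary has to be rebuilt against the newer library.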
