CentOS 6 OpenSSL Padding Oracle 漏洞(CVE-2016-2107)

CentOS 6 OpenSSL Padding Oracle 漏洞(CVE-2016-2107)

由于 ,我在 ssllabs.com 上获得了非常差的总体评价OpenSSL Padding Oracle Vulnerability (CVE-2016-2107)

这是我目前正在使用的(生产环境):

  • Openssl 1.0.1e
  • CentOS 6.5
  • Apache 2.2.26(手动安装;即这里不使用 yum)

更多详情请点击这里:

yum info openssl

Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 57.el6
Size        : 4.1 M
Repo        : installed
From repo   : base
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

Available Packages
Name        : openssl
Arch        : i686
Version     : 1.0.1e
Release     : 57.el6
Size        : 1.5 M
Repo        : base
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

rpm -q --changelog "openssl" | head -n 7
* Tue Jan 31 2017 Tomáš Mráz <[email protected]> 1.0.1e-57
- fix CVE-2017-3731 - DoS via truncated packets with RC4-MD5 cipher

* Wed Nov 02 2016 Tomáš Mráz <[email protected]> 1.0.1e-55
- fix CVE-2016-8610 - DoS of single-threaded servers via excessive alerts

* Sat Oct 22 2016 Tomáš Mráz <[email protected]> 1.0.1e-54

ldd mod_ssl.so
ldd: ./mod_ssl.so: No such file or directory

tail -n 200 error_log | grep notice
[Tue Mar 20 14:38:24 2018] [notice] Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1h mod_perl/2.0.5 Perl/v5.10.1 configured -- resuming normal operations

rpm -qa |grep openssl
openssl-1.0.1e-57.el6.x86_64

我该如何解决这个问题?我现在无法升级我的 CentOS 6.5。而且,yum upgrade openssl什么也没有返回。

编辑:

/usr/local/apache2/bin/apachectl -M
Loaded Modules:
 core_module (static)
 authn_file_module (static)
 authn_default_module (static)
 authz_host_module (static)
 authz_groupfile_module (static)
 authz_user_module (static)
 authz_default_module (static)
 auth_basic_module (static)
 include_module (static)
 filter_module (static)
 deflate_module (static)
 log_config_module (static)
 env_module (static)
 expires_module (static)
 headers_module (static)
 setenvif_module (static)
 version_module (static)
 proxy_module (static)
 proxy_connect_module (static)
 proxy_ftp_module (static)
 proxy_ht

答案1

您可以尝试查看是否有人构建了可安装在您的系统上的 OpenSSL 和 Apache 的单独软件包。

然而,考虑到操作系统的年龄,您确实应该升级整个系统,因为该操作系统存在多个漏洞。

相关内容