OpenSSL安全公告
OpenSSL发布了安全公告,发现1.0.1、1.0.2beta(包括1.0.1f和1.0.2beta1)版本存在【CVE-2014-0160】的高危漏洞,被SSL/TLS加密传输的信息可以被窃龋可行的方法就是尽快完成自查并升级到1.0.1g版本,避免因漏洞被黑客攻击而造成损失。下面是官方给的消息:OpenSSL Security Advisory [07 Apr 2014]
========================================
TLS heartbeat read overrun (CVE-2014-0160)
==========================================
A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2.
修复方案:
第一步: Debian/Ubuntu:
# apt-get update!
# apt-get install openssl libssl1.0.0
CentOS:
# yum update openssl
第二步: 修复完毕后,请重启WEB服务,Apache/Nginx/Httpd的重启⽅方式分别如下:
# /etc/init.d/apache2 restart
# /etc/init.d/ngnix restart
# /etc/init.d/httpd restart
此外还需要重启其他与OpenSSL相关的服务。(可通过 lsof | grep libssl | awk '{print $1}'| sort | uniq 查看与OpenSSL库相关的服务)。
分享到: