Another Wave of Vulnerabilities: OpenSSL Strikes

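Just last night I struggled to get HTTPS deployed on survey.dreamprc.com using StartSSL (click here if you don't believe me),

and then this morning I woke up to all sorts of reports along the lines of "the security of the Internet has been overturned", and so...

Time to patch!

Given the scope of this vulnerability, OpenSSL should be able to release an update quickly. A little after 8 a.m. (I noticed rather late...),

I went to the OpenSSL website (it was a bit slow to load, probably because everyone had come to take a look) and the advisory was already up: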

OpenSSL Security Advisory [07 Apr 2014]
==========================================
TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <[email protected]> and Bodo Moeller <[email protected]> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Well, since the 1.0.1g update was already out by then, I simply ran

wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz

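then, in the directory where the file was downloaded,

tar zxf openssl-1.0.1g.tar.gz && cd openssl-1.0.1g/

Start configuring; of course, you can also just run apt-get update; apt-get upgrade.

./config
make -j5 # 5 parallel jobs for 4 threads, to speed up compilation

Before long, the new OpenSSL with the vulnerability fixed is ready to go~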
