
Manually fixing the OpenSSL OCSP vulnerability on Oneinstack

References:
http://security.360.cn/cve/CVE-2016-6304/CN.html
https://www.openssl.org/news/secadv/20160922.txt

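The OpenSSL version that "Oneinstack" and the "LNMP one-click package" currently ship by default is not the latest, so fixing this vulnerability requires recompiling.

On Oneinstack, do not check the version with openssl version; check it with nginx -V. nginx is compiled against its own OpenSSL source tree (the --with-openssl option below), so the system openssl command does not show the version nginx uses.

1. Check nginx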

nginx -V

This shows the nginx version and the OpenSSL version. While you are there, copy everything after configure arguments. Mine, for example, is:

--prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-ipv6 --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-openssl=../openssl-1.0.2h --with-pcre=../pcre-8.39 --with-pcre-jit --with-ld-opt=-ljemalloc

2. Download the source

cd ~/oneinstack/src

Download the matching nginx:

wget http://mirrors.linuxeye.com/oneinstack/src/nginx-1.10.1.tar.gz

Download the matching openssl:

wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz 

(All versions are listed at https://www.openssl.org/source/)

3. Extract:

tar xzvf openssl-1.0.2j.tar.gz
tar xzvf nginx-1.10.1.tar.gz

4. Build nginx:

cd nginx-1.10.1

# Build

./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-ipv6 --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-openssl=../openssl-1.0.2j --with-pcre=../pcre-8.39 --with-pcre-jit --with-ld-opt=-ljemalloc
(The main change is --with-openssl=../openssl-1.0.2j; everything else stays the same.)
make

mv /usr/local/nginx/sbin/nginx{,_`date +%m%d`} # back up the existing nginx

cp objs/nginx /usr/local/nginx/sbin/ # install the new nginx binary

service nginx restart # restart nginx
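
To confirm the rebuild took effect, the check below reads nginx -V output and compares the OpenSSL version nginx reports with the one just built. It is an added example, not part of the original post; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `nginx -V` output after the rebuild.
SAMPLE_NGINX_V='nginx version: nginx/1.10.1
built with OpenSSL 1.0.2j  26 Sep 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-openssl=../openssl-1.0.2j'

# Print the OpenSSL version found in `nginx -V` text read from stdin.
# When nginx is linked dynamically and the loaded library differs, it adds
# "(running with OpenSSL X)"; X is what is actually in use, so it wins.
nginx_openssl_version() {
    awk '
        /^built with OpenSSL/ {
            built = $4
            if (match($0, /running with OpenSSL [^ )]+/)) {
                # 21 = length of the prefix "running with OpenSSL "
                run = substr($0, RSTART + 21, RLENGTH - 21)
            }
        }
        END {
            if (run != "") print run
            else if (built != "") print built
            else exit 1
        }'
}

# Return 0 only if the version in the `nginx -V` text on stdin equals $1.
nginx_uses_openssl() {
    expected=$1
    actual=$(nginx_openssl_version) || {
        echo "no OpenSSL version found in nginx -V output" >&2
        return 2
    }
    if [ "$actual" = "$expected" ]; then
        echo "OK: nginx uses OpenSSL $actual"
    else
        echo "MISMATCH: nginx uses OpenSSL $actual, expected $expected" >&2
        return 1
    fi
}

# On the server (nginx writes -V output to stderr):
#   nginx -V 2>&1 | nginx_uses_openssl 1.0.2j
printf '%s\n' "$SAMPLE_NGINX_V" | nginx_uses_openssl 1.0.2j
```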
