升级OpenSSL 修复Heartbleed安全bug(CVE-2014-0160)

CVE site: http://cve.mitre.org/

CVE detail: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

CVE detail: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

More: http://heartbleed.com/

～

问题描述：OpenSSL处理TLS和DTLS心跳扩展包时有信息泄漏缺陷。TLS或DTLS客户端或服务器，可以通过发送特殊制造的TLS或DTLS心跳包，来透视连接的客户端或服务器限制访问的可能包含敏感信息的内存。

～

Bug引入：http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4817504

Bug修复：http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902

～

解决方法：升级 openssl，使用 Heartbleed 探测工具【1】【2】重新扫描系统，确保安全。

～

• Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1084875
• Red Hat solution: https://access.redhat.com/site/solutions/781793
• Red Hat CVE database: https://access.redhat.com/security/cve/CVE-2014-0160

• RHEL7 beta: openssl-1.0.1e-16.el6_5.7
• RHEL6: openssl-1.0.1e-34.el7
• Fedora: openssl-1.0.1e-37.fc20.1.x86_64

【1】https://access.redhat.com/site/labsinfo/heartbleed
【2】https://github.com/gavin-romig-koch/heartbleed

From: http://www.openssl.org/news/secadv_20140407.txt
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

# rpm -qi openssl --changelog
....
* Mon Apr 07 2014 Dennis Gilmore <dennis@ausil.us> - 1.0.1e-37.1
- pull in upstream patch for CVE-2014-0160
- removed CHANGES file portion from patch for expediency

[amos@amosk tmp]$ python heartbleed-poc.py amosk.info
Scanning amosk.info on port 443
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
Message Type is 0x02
 ... received message: type = 22, ver = 0302, length = 2555
Message Type is 0x0B
 ... received message: type = 22, ver = 0302, length = 331
Message Type is 0x0C
 ... received message: type = 22, ver = 0302, length = 4
Message Type is 0x0E
Server sent server hello done
Server TLS version was 1.2

Sending heartbeat request...
No heartbeat response received from amosk.info, server likely not vulnerable