OpenSSL Security Vulnerability

[X-Hosted]

At the moment many webservers are in danger, a bug had been discovered in OpenSSL that makes it possible to exploit some certificate and login as root without a password !!

References:

http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-4339
http://www.openssl.org/news/secadv_20060905.txt

All versions before 0.9.7j en 0.9.8b are affected.

How to check version:
# openssl version

How to upate:
Any 1? Weal?

Thanks to 'Frans van Nispen', Original poster (in dutch) on webhostingtalk.nl (http://www.webhostingtalk.nl/directadmin/102938-groot-security-risico-openssl.html)

 

[IceHosting]

@x-hosted

http://www.directadmin.com/forum/showthread.php?s=&threadid=12099&highlight=update+exim

cd /usr/local/directadmin/customapache/update
nano update.script


Change:

OPENSSL=0.9.8b

To

OPENSSL=0.9.8c

Save & exit

Run the script again.

 

[MartijnHOS]

After you upgrade OpenSSL you have to update/rebuild apache.

how?

And what does de ./build update (customapache) do? Do i have to reinstall mod_security

kind regards

martijn

 

[@how@]

cd /usr/local/directadmin/customapache/update
./update.script
run update to update script the have fun


Wael

 

[MartijnHOS]

Hi Wael,

this is your code for updating openssl

doOPENSSL()
{
cd /usr/local/directadmin/customapache/update ;
rm -rf openssl-*.tar.gz ;
wget http://www.openssl.org/source/openssl-$OPENSSL.tar.gz ;
tar xvzf openssl-$OPENSSL.tar.gz ; cd openssl-OPENSSL/ ;
rm -rf /usr/lib/libssl.so.0 ; rm -rf /usr/lib/libssl.so ;
rm -rf /lib/libssl.so.2 ; rm -rf /usr/lib/libcrypto.so.0 ;
./config --prefix=/usr no-threads shared ; make ; make test ;
make install ; echo "/usr/local/ssl/lib" >>
/etc/ld.so.conf ; /sbin/ldconfig -v ; rm -f /lib/libssl.so.4 ;
rm -f /usr/lib/libcrypto.so.0 ; ln -s /usr/lib/libssl.so.0.9.8 /lib/libssl.so.4 ;
ln -s /usr/lib/libcrypto.so.0.9.8
/usr/lib/libcrypto.so.0 ; echo ; echo ;
cd /usr/local/directadmin/customapache/update ; echo "Openssl install/update done" ; exit

}

where is the update/rebuild apache code?

kind regards,

martijn

 

[@how@]

Hi Wael,

this is your code for updating openssl

doOPENSSL()
{
cd /usr/local/directadmin/customapache/update ;
rm -rf openssl-*.tar.gz ;
wget http://www.openssl.org/source/openssl-$OPENSSL.tar.gz ;
tar xvzf openssl-$OPENSSL.tar.gz ; cd openssl-OPENSSL/ ;
rm -rf /usr/lib/libssl.so.0 ; rm -rf /usr/lib/libssl.so ;
rm -rf /lib/libssl.so.2 ; rm -rf /usr/lib/libcrypto.so.0 ;
./config --prefix=/usr no-threads shared ; make ; make test ;
make install ; echo "/usr/local/ssl/lib" >>
/etc/ld.so.conf ; /sbin/ldconfig -v ; rm -f /lib/libssl.so.4 ;
rm -f /usr/lib/libcrypto.so.0 ; ln -s /usr/lib/libssl.so.0.9.8 /lib/libssl.so.4 ;
ln -s /usr/lib/libcrypto.so.0.9.8
/usr/lib/libcrypto.so.0 ; echo ; echo ;
cd /usr/local/directadmin/customapache/update ; echo "Openssl install/update done" ; exit

}

where is the update/rebuild apache code?

kind regards,

martijn

you need to read script post before you edit and reply ......
you update apache and php


Wael

 

[@how@]

After you upgrade OpenSSL you have to update/rebuild apache.

how?

And what does de ./build update (customapache) do? Do i have to reinstall mod_security

kind regards

martijn

rebuild apache and php N
no need to unstall mod_security ,,,,, etc again


Wael

 

[MartijnHOS]

do i have to rebould php?

kind regards

 

[@how@]

yesy you need to build php too
./build php n


Wael

 

[Mik3yZ]

what i did:

in the customapache/update folder:

./update.script UPDATEME
./update.script OPENSSL
cd ..
./build clean
./build all n

- Mike

PS. you need to have the all in one update script from wael for this

 

[jjma]

Would you not have to recompile openssh as well to use the new openssl.

Jon

 

[X-Hosted]

What for 64bit os'es? they cant user the openssl part off weals script

 

[bigboy]

update.script cannot support FreeBSD

 

[eymbo]

Would you not have to recompile openssh as well to use the new openssl.

Jon

Apparently you don't have to recompile openssh if updating openssl.

 

[Pascal]

Apparently you don't have to recompile openssh if updating openssl.

Apache, Curl and Exim too not, only PHP.

 

[MartijnHOS]

What i did was:

mkdir /usr/local/directadmin/customapache/update
cd /usr/local/directadmin/customapache/update
wget http://tools.web4host.net/update.script
chmod 755 update.script
./update.script OPENSSL
cd ..
./build all apache_mod_ssl
service httpd restart
./build php
service httpd restart

openssl version
OpenSSL 0.9.8c 05 Sep 2006

But in my phpinfo() i get:

openssl
OpenSSL support enabled
OpenSSL Version OpenSSL 0.9.7a Feb 19 2003

Why?

Kind regards

Martijn

 

[@how@]

What i did was:

mkdir /usr/local/directadmin/customapache/update
cd /usr/local/directadmin/customapache/update
wget http://tools.web4host.net/update.script
chmod 755 update.script
./update.script OPENSSL
cd ..
./build all apache_mod_ssl
service httpd restart
./build php
service httpd restart

openssl version
OpenSSL 0.9.8c 05 Sep 2006

But in my phpinfo() i get:

openssl
OpenSSL support enabled
OpenSSL Version OpenSSL 0.9.7a Feb 19 2003

Why?

Kind regards

Martijn

./build all y

 

[MartijnHOS]

Hi Wael,

That doesn't work. the problem is that i had 0.9.7a and upgraded to 0.9.8c One link isn't correct, this is in the /lib dir

-rwxr-xr-x 1 root root 211908 Sep 8 11:16 libssl.so.0.9.7a
lrwxrwxrwx 1 root root 24 Sep 9 10:46 libssl.so.4 -> /usr/lib/libssl.so.0.9.8

Do you know what to do?

Kind regards,

Martij

 

[@how@]

Hi Wael,

That doesn't work. the problem is that i had 0.9.7a and upgraded to 0.9.8c One link isn't correct, this is in the /lib dir

-rwxr-xr-x 1 root root 211908 Sep 8 11:16 libssl.so.0.9.7a
lrwxrwxrwx 1 root root 24 Sep 9 10:46 libssl.so.4 -> /usr/lib/libssl.so.0.9.8

Do you know what to do?

Kind regards,

Martij

try

rm -f /lib/libssl.so.4
rm -f /usr/lib/libcrypto.so.0
ln -s /usr/lib/libssl.so.0.9.8 /lib/libssl.so.4
ln -s /usr/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so.0
openssl version

Wael

 

[fwpeter]

Is it safe to update this when I'm using a SSH connection during the update?

Can't take a risk, box is too far away