Updating Ubuntu Precise 12.04 to Escape Heartbleed

The admin world is shaken and everyone has work landing on them, now that the hugely popular SSL library OpenSSL is the target of the Heartbleed attack, so we all have to update, especially on older machines. As for me, I have one machine running Ubuntu Precise 12.04, so I had to get my hands dirty.

It didn't take much. On checking, I found that USN-2165-1: OpenSSL vulnerabilities (http://www.ubuntu.com/usn/usn-2165-1/) already gives the fix:
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.12

Looking at it, that is a link to the source package.
Start by updating the package sources, making sure the precise-security/main repo is enabled.
Then install the packages needed for the build.

    root@campus:~# apt-get update
    root@campus:~# apt-get upgrade
    root@campus:~# apt-get install devscripts
    root@campus:~# apt-get build-dep openssl
    root@campus:~# apt-get source openssl
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    NOTICE: 'openssl' packaging is maintained in the 'Svn' version control system at:
    svn://svn.debian.org/pkg-openssl/openssl/
    Need to get 4592 kB of source archives.
    Get:1 http://mirror.kku.ac.th/ubuntu/ precise-security/main openssl 1.0.1-4ubuntu5.12 (dsc) [2365 B]
    Get:2 http://mirror.kku.ac.th/ubuntu/ precise-security/main openssl 1.0.1-4ubuntu5.12 (tar) [4454 kB]
    Get:3 http://mirror.kku.ac.th/ubuntu/ precise-security/main openssl 1.0.1-4ubuntu5.12 (diff) [136 kB]
    Fetched 4592 kB in 0s (27.9 MB/s)
    gpgv: Signature made Tue Apr  8 03:19:33 2014 ICT using RSA key ID A744BE93
    gpgv: Can't check signature: public key not found
    dpkg-source: warning: failed to verify signature on ./openssl_1.0.1-4ubuntu5.12.dsc
    dpkg-source: info: extracting openssl in openssl-1.0.1
    dpkg-source: info: unpacking openssl_1.0.1.orig.tar.gz
    dpkg-source: info: unpacking openssl_1.0.1-4ubuntu5.12.debian.tar.gz
    dpkg-source: info: applying ca.patch
    dpkg-source: info: applying config-hurd.patch
    dpkg-source: info: applying debian-targets.patch
    dpkg-source: info: applying engines-path.patch
    dpkg-source: info: applying make-targets.patch
    dpkg-source: info: applying man-dir.patch
    dpkg-source: info: applying man-section.patch
    dpkg-source: info: applying no-rpath.patch
    dpkg-source: info: applying no-symbolic.patch
    dpkg-source: info: applying pic.patch
    dpkg-source: info: applying valgrind.patch
    dpkg-source: info: applying rehash-crt.patch
    dpkg-source: info: applying rehash_pod.patch
    dpkg-source: info: applying shared-lib-ext.patch
    dpkg-source: info: applying stddef.patch
    dpkg-source: info: applying version-script.patch
    dpkg-source: info: applying gnu_source.patch
    dpkg-source: info: applying c_rehash-compat.patch
    dpkg-source: info: applying libdoc-manpgs-pod-spell.patch
    dpkg-source: info: applying libssl-misspell.patch
    dpkg-source: info: applying openssl-pod-misspell.patch
    dpkg-source: info: applying pod_req_misspell2.patch
    dpkg-source: info: applying pod_pksc12.misspell.patch
    dpkg-source: info: applying pod_s_server.misspell.patch
    dpkg-source: info: applying pod_x509setflags.misspell.patch
    dpkg-source: info: applying pod_ec.misspell.patch
    dpkg-source: info: applying pkcs12-doc.patch
    dpkg-source: info: applying dgst_hmac.patch
    dpkg-source: info: applying block_diginotar.patch
    dpkg-source: info: applying block_digicert_malaysia.patch
    dpkg-source: info: applying no_ssl2.patch
    dpkg-source: info: applying vpaes.patch
    dpkg-source: info: applying tls1.2_client_algorithms.patch
    dpkg-source: info: applying perlpath-quilt.patch
    dpkg-source: info: applying tls12_workarounds.patch
    dpkg-source: info: applying ubuntu_deb676533_arm_asm.patch
    dpkg-source: info: applying CVE-2012-2110.patch
    dpkg-source: info: applying CVE-2012-2110b.patch
    dpkg-source: info: applying CVE-2012-2333.patch
    dpkg-source: info: applying CVE-2012-0884-extra.patch
    dpkg-source: info: applying lp1018998.patch
    dpkg-source: info: applying lp1020621.patch
    dpkg-source: info: applying lp973741.patch
    dpkg-source: info: applying CVE-2013-0166.patch
    dpkg-source: info: applying CVE-2013-0169.patch
    dpkg-source: info: applying fix_key_decoding_deadlock.patch
    dpkg-source: info: applying openssl-1.0.1e-env-zlib.patch
    dpkg-source: info: applying CVE-2013-4353.patch
    dpkg-source: info: applying CVE-2013-6449.patch
    dpkg-source: info: applying CVE-2013-6450.patch
    dpkg-source: info: applying no_default_rdrand.patch
    dpkg-source: info: applying CVE-2014-0076.patch
    dpkg-source: info: applying CVE-2014-0160.patch
    openssl-1.0.1                            openssl_1.0.1.orig.tar.gz
    openssl_1.0.1-4ubuntu5.12.debian.tar.gz  openssl_1.0.1-4ubuntu5.12.dsc
    root@campus:~# cd openssl-1.0.1/
    root@campus:~/openssl-1.0.1# dpkg-buildpackage -us -uc -nc

The system will then start compiling all the deb packages defined in the spec file.
When it finishes, you get the .deb packages to install over the old ones.

    root@campus:~/openssl-1.0.1# cd ..
    libssl1.0.0-udeb_1.0.1-4ubuntu5.12_amd64.udeb
    libssl1.0.0_1.0.1-4ubuntu5.12_amd64.deb
    openssl-1.0.1
    openssl_1.0.1-4ubuntu5.12.debian.tar.gz
    openssl_1.0.1-4ubuntu5.12.dsc
    openssl_1.0.1-4ubuntu5.12_amd64.changes
    libcrypto1.0.0-udeb_1.0.1-4ubuntu5.12_amd64.udeb  openssl_1.0.1-4ubuntu5.12_amd64.deb
    libssl-dev_1.0.1-4ubuntu5.12_amd64.deb            openssl_1.0.1.orig.tar.gz
    libssl-doc_1.0.1-4ubuntu5.12_all.deb          libssl1.0.0-dbg_1.0.1-4ubuntu5.12_amd64.deb

    root@campus:~# dpkg -i *.deb
    (Reading database ... 248296 files and directories currently installed.)
    Preparing to replace libssl1.0.0 1.0.1-4ubuntu5.12 (using libssl1.0.0_1.0.1-4ubuntu5.12_amd64.deb) ...
    Unpacking replacement libssl1.0.0 ...
    Selecting previously unselected package libssl1.0.0-dbg.
    Unpacking libssl1.0.0-dbg (from libssl1.0.0-dbg_1.0.1-4ubuntu5.12_amd64.deb) ...
    Preparing to replace libssl-dev 1.0.1-4ubuntu5.12 (using libssl-dev_1.0.1-4ubuntu5.12_amd64.deb) ...
    Unpacking replacement libssl-dev ...
    Preparing to replace libssl-doc 1.0.1-4ubuntu5.12 (using libssl-doc_1.0.1-4ubuntu5.12_all.deb) ...
    Unpacking replacement libssl-doc ...
    Preparing to replace openssl 1.0.1-4ubuntu5.12 (using openssl_1.0.1-4ubuntu5.12_amd64.deb) ...
    Unpacking replacement openssl ...
    Setting up libssl1.0.0 (1.0.1-4ubuntu5.12) ...
    locale: Cannot set LC_CTYPE to default locale: No such file or directory
    locale: Cannot set LC_ALL to default locale: No such file or directory
    Setting up libssl1.0.0-dbg (1.0.1-4ubuntu5.12) ...
    Setting up libssl-dev (1.0.1-4ubuntu5.12) ...
    Setting up libssl-doc (1.0.1-4ubuntu5.12) ...
    Setting up openssl (1.0.1-4ubuntu5.12) ...
    Processing triggers for man-db ...
    locale: Cannot set LC_CTYPE to default locale: No such file or directory
    locale: Cannot set LC_ALL to default locale: No such file or directory
    Processing triggers for libc-bin ...
    ldconfig deferred processing now taking place
    root@campus:~# apt-get -f install
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

Check the OpenSSL version on the system

    root@campus:~# dpkg -l | grep openssl
    ii  openssl                                   1.0.1-4ubuntu5.12                 Secure Socket Layer (SSL) binary and related cryptographic tools
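
An added example (not from the original post) that goes one step past the version check above: it compares the installed libssl1.0.0 against the fixed version from USN-2165-1 using dpkg's own version ordering, then lists processes that still have the replaced library mapped and so keep running the old code until restarted. The function names and the sample /proc tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: two checks to run after the upgrade.
FIXED=1.0.1-4ubuntu5.12   # fixed libssl1.0.0 version, as quoted from USN-2165-1

# is_patched VERSION: true if VERSION >= FIXED under dpkg's version ordering.
is_patched() {
    dpkg --compare-versions "$1" ge "$FIXED"
}

# stale_ssl_pids [PROC_ROOT]: print PIDs whose maps still reference a deleted
# libssl/libcrypto 1.0.0, i.e. processes started before the library was replaced.
# PROC_ROOT defaults to /proc; the parameter allows a dry run on a sample tree.
stale_ssl_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/lib(ssl|crypto)\.so\.1\.0\.0 \(deleted\)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done | sort -n
}

# make_sample_proc DIR: constructed /proc-like tree (PIDs and addresses made up).
make_sample_proc() {
    lib=/lib/x86_64-linux-gnu
    mkdir -p "$1/101" "$1/202" "$1/303"
    echo "7f10a000-7f15f000 r-xp 00000000 08:01 131 $lib/libssl.so.1.0.0 (deleted)" > "$1/101/maps"
    echo "7f20a000-7f25f000 r-xp 00000000 08:01 977 $lib/libssl.so.1.0.0" > "$1/202/maps"
    echo "7f30a000-7f4af000 r-xp 00000000 08:01 132 $lib/libcrypto.so.1.0.0 (deleted)" > "$1/303/maps"
}

# report: check the installed package, then list processes needing a restart.
report() {
    installed=$(dpkg-query -W -f='${Version}' libssl1.0.0 2>/dev/null) || installed=
    if [ -z "$installed" ]; then
        echo "libssl1.0.0: not installed (or dpkg not available)"
    elif is_patched "$installed"; then
        echo "libssl1.0.0 $installed: at or above $FIXED"
    else
        echo "libssl1.0.0 $installed: OLDER than $FIXED"
    fi
    for pid in $(stale_ssl_pids); do
        echo "restart needed: pid $pid ($(tr '\000' ' ' 2>/dev/null < "/proc/$pid/cmdline"))"
    done
}

report
```

Run it as root so the maps of other users' processes are readable.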

Test with a tool

That should be about enough :P