该文主要针对CVE-2020-1971
漏洞,提供的Openssl升级方案。且提供排查服务使用openssl方法。
openssl 1.0.2 用户
Openssl官方提示:OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
,也就是说,1.0.2不维护了,不对公众提供支持了。这个时候,我们怎么修复CVE-2020-1971呢?
support is available for premium support customers:
https://www.openssl.org/support/contracts.html
1、官网下载对外发行的1.0.2u版本
wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz
2、解压缩
tar -zvxf openssl-1.0.2u.tar.gz
3、下载并替换 crypto/x509v3/v3_genn.c
文件
wget https://purpleroc-blog-8gymra6s96518e6a-1253382304.tcloudbaseapp.com/v3_genn.c -O openssl-1.0.2u/crypto/x509v3/v3_genn.c
或自行修改,文件改动如下:
diff crypto/x509v3/v3_genn.c crypto/x509v3/v3_genn.c_bak110,140d109< static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b)< {
< int res;<< if (a == NULL || b == NULL) {
< /*< * Shouldn't be possible in a valid GENERAL_NAME, but we handle it