Created
October 18, 2016 15:34
How to fix CVE-2016-2107 on an Nginx server running CentOS 7
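#!/bin/bash
# Build OpenSSL 1.1.0b from source on CentOS 7 and make it the `openssl`
# command on PATH. Must run as root (installs packages, writes /usr/bin).
#
# NOTE(review): this replaces the openssl *command-line tool* only. Nginx
# uses the libssl/libcrypto shared libraries it was linked against, and a
# source build that installs under /usr/local does not change which ones it
# loads, so the restart at the end only helps if nginx itself was (re)built
# against the new libraries. The supported route for CVE-2016-2107 on
# CentOS 7 is the vendor-patched package (`yum update openssl`), which will
# also restore the RPM-owned /usr/bin/openssl replaced below.
#
# Optional env:
#   OPENSSL_SHA256 - expected SHA-256 of the tarball, taken from a source you
#                    trust. Without it the script falls back to the .sha256
#                    sidecar published next to the tarball, which only detects
#                    a corrupted or mismatched download, not a compromised
#                    origin.
set -euo pipefail

readonly openssl_ver=1.1.0b
readonly tarball="openssl-${openssl_ver}.tar.gz"
readonly src_url="https://www.openssl.org/source/${tarball}"
readonly src_root=/usr/local/src
# Default ./config installs the binary under /usr/local/bin; /usr/local/ssl
# (OPENSSLDIR) holds config and certs, so the original's
# /usr/local/ssl/bin/openssl link pointed at a path that does not exist.
readonly new_openssl=/usr/local/bin/openssl
readonly backup_dir=/root

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "run as root"

# You need this for your OpenSSL tests to pass later
yum install -y perl-core

# Grab the source for OpenSSL 1.1, which has the patch for CVE-2016-2107
cd "$src_root" || die "cannot cd to $src_root"
wget -O "$tarball" -- "$src_url"

# Verify the download before unpacking or building it.
if [[ -n "${OPENSSL_SHA256:-}" ]]; then
  expected=$OPENSSL_SHA256
else
  wget -O "${tarball}.sha256" -- "${src_url}.sha256"
  expected=$(awk '{print $1; exit}' "${tarball}.sha256")
fi
actual=$(sha256sum -- "$tarball" | awk '{print $1}')
[[ -n "$expected" && "$actual" == "$expected" ]] \
  || die "SHA-256 mismatch for $tarball: got $actual, expected $expected"

tar -zxf "$tarball"
cd "openssl-${openssl_ver}"

# Configure for your system and build
./config
make

# Run the tests to make sure there aren't any show-stoppers;
# under set -e a failing test aborts before anything is installed.
make test
make install

# Override the system's `openssl` command. The RPM-owned binary is kept in
# $backup_dir so it can be put back; skipped on re-runs when it is already
# a symlink.
[[ -x "$new_openssl" ]] || die "expected $new_openssl after make install"
if [[ -e /usr/bin/openssl && ! -L /usr/bin/openssl ]]; then
  mv -- /usr/bin/openssl "$backup_dir/"
fi
ln -sfn -- "$new_openssl" /usr/bin/openssl
# On CentOS 7 /bin is a symlink to /usr/bin, so this re-creates the same
# link; on a split layout it replaces the separate /bin copy as the
# original did.
ln -sfn -- "$new_openssl" /bin/openssl

# Restart Nginx so that it's aware of the changes (a reload is NOT enough!)
systemctl restart nginx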
For those who manually build Nginx against a specific version of OpenSSL, this may help:
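#!/bin/bash
# Build OpenSSL 1.1.0b, then build nginx 1.13.1 (with the rtmp module)
# against that OpenSSL source. Run as root: the original mixed bare and
# `sudo` commands, and everything here writes to /usr/local, /root or
# /usr/lib.
#
# NOTE(review): `--with-openssl=<dir>` makes nginx compile and link its own
# copy of OpenSSL from that directory, so the system `openssl` replacement
# in the first half is not what fixes nginx - the nginx build is. The first
# half is kept because the original included it.
#
# Optional env (SHA-256 hex digests from a source you trust):
#   OPENSSL_SHA256, NGINX_SHA256 - when set, the download is checked against
#   them; when unset the tarball is used unverified, as in the original.
set -euo pipefail

# The original also fetched openssl-1.1.0f but configured nginx against
# 1.1.0b; only the version actually used is fetched here.
readonly openssl_ver=${OPENSSL_VER:-1.1.0b}
readonly openssl_tar="openssl-${openssl_ver}.tar.gz"
readonly openssl_url="https://www.openssl.org/source/${openssl_tar}"
readonly nginx_ver=1.13.1
readonly nginx_tar="nginx-${nginx_ver}.tar.gz"
readonly nginx_url="http://nginx.org/download/${nginx_tar}"
readonly zlib_ver=1.2.11
readonly build_dir=/root/build

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Download a file and optionally verify its SHA-256.
# Arguments: $1 - URL, $2 - output path, $3 - expected hex digest ("" = skip)
# Returns:   0 on success; exits via die on a digest mismatch
#######################################
fetch() {
  local url=$1 out=$2 expected=${3:-}
  local actual
  wget -O "$out" -- "$url"
  if [[ -z "$expected" ]]; then
    printf 'warning: %s not verified (no digest given)\n' "$out" >&2
    return 0
  fi
  actual=$(sha256sum -- "$out" | awk '{print $1}')
  [[ "$actual" == "$expected" ]] \
    || die "SHA-256 mismatch for $out: got $actual, expected $expected"
}

[[ $EUID -eq 0 ]] || die "run as root"

# Build tools first: the original ran `git clone` before installing git.
# perl-core is needed for OpenSSL's `make test`.
yum install -y git gcc make pcre-devel openssl-devel perl-core

# openSSL
cd /usr/local/src
fetch "$openssl_url" "$openssl_tar" "${OPENSSL_SHA256:-}"
tar -zxf "$openssl_tar"
cd "openssl-${openssl_ver}"
# Configure for your system and build
./config
make
# Run the tests to make sure there aren't any show-stoppers
make test
make install
# Replace the system openssl command (kept from the original; the RPM copy
# is backed up to /root, and `yum update openssl` would restore it).
# Default ./config installs the binary in /usr/local/bin; /usr/local/ssl
# holds config and certs, not the binary.
if [[ -e /usr/bin/openssl && ! -L /usr/bin/openssl ]]; then
  mv -- /usr/bin/openssl /root/
fi
ln -sfn -- /usr/local/bin/openssl /usr/bin/openssl
ln -sfn -- /usr/local/bin/openssl /bin/openssl

# nginx, built against its own copy of the OpenSSL source
mkdir -p -- "$build_dir"
cd "$build_dir"
fetch "$nginx_url" "$nginx_tar" "${NGINX_SHA256:-}"
tar xzf "$nginx_tar"
cd "nginx-${nginx_ver}"
# https rather than git://: the git protocol has no transport authentication.
[[ -d nginx-rtmp-module ]] || git clone https://github.com/arut/nginx-rtmp-module.git
# Reuse the tarball already downloaded (and, if a digest was given, verified)
# above instead of fetching it a second time.
cp -- "/usr/local/src/${openssl_tar}" .
tar -zxf "$openssl_tar"
# The original pointed --with-zlib at ./zlib-1.2.11 without ever fetching it,
# so configure failed. Get the zlib source tarball from zlib.net and unpack
# it in this directory before running this script.
[[ -d "zlib-${zlib_ver}" ]] || die "zlib-${zlib_ver} source not found in $PWD"

# NOTE(review): nginx's configure appears to keep only the *last*
# --with-openssl-opt value (confirm in auto/options for your version), so
# the original's four separate flags applied only no-ssl3; one quoted value
# passes all of them. The duplicated --with-http_realip_module and
# --with-http_stub_status_module flags were dropped. --sbin-path normally
# names the binary file rather than a directory - confirm the trailing
# slash is intended.
./configure \
  --prefix=/usr/local/nginx \
  --sbin-path=/usr/local/nginx/ \
  --modules-path=/usr/lib/nginx/modules \
  --conf-path=/usr/local/nginx/conf/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/run/nginx.pid \
  --lock-path=/var/lock/nginx.lock \
  --http-client-body-temp-path=/var/lib/nginx/body \
  --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
  --http-proxy-temp-path=/var/lib/nginx/proxy \
  --http-scgi-temp-path=/var/lib/nginx/scgi \
  --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
  --with-openssl="./openssl-${openssl_ver}" \
  --with-openssl-opt="enable-ec_nistp_64_gcc_128 no-nextprotoneg no-weak-ssl-ciphers no-ssl3" \
  --with-pcre-jit \
  --with-zlib="./zlib-${zlib_ver}" \
  --with-compat \
  --with-file-aio \
  --with-threads \
  --with-http_addition_module \
  --with-http_auth_request_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_mp4_module \
  --with-http_random_index_module \
  --with-http_realip_module \
  --with-http_slice_module \
  --with-http_ssl_module \
  --with-http_sub_module \
  --with-http_stub_status_module \
  --with-http_v2_module \
  --with-http_secure_link_module \
  --with-mail \
  --with-mail_ssl_module \
  --with-stream \
  --with-stream_realip_module \
  --with-stream_ssl_module \
  --with-stream_ssl_preread_module \
  --add-module=./nginx-rtmp-module
make
make install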