Friday, February 13, 2009

Patching an OpenBSD 4.4

While going through the OpenBSD Journal, two recent vulnerabilities came up, one against OpenSSL and one against BIND.

Below we show how to patch our OpenBSD.

Requirements:

Have the sources for our OS; if we don't have them, we download them.
We change to the /usr/src directory and download these two files.

# wget ftp://ftp.openbsd.org/pub/OpenBSD/4.4/src.tar.gz
# wget ftp://ftp.openbsd.org/pub/OpenBSD/4.4/sys.tar.gz

We unpack them with tar zxvf src.tar.gz and tar zxvf sys.tar.gz;
this creates files in /usr/src and /usr/src/sys.
Then we download the patches, starting with the one for OpenSSL.

# wget ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/007_openssl.patch

We cat 007_openssl.patch, and its header tells us how to apply it.

# cat 007_openssl.patch
Apply by doing:
cd /usr/src
patch -p0 < 007_openssl.patch

And then rebuild and install the library:
cd lib/libssl
make
make install

We proceed to apply it:

patch -p0 < 007_openssl.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Apply by doing:
| cd /usr/src
| patch -p0 < 007_openssl.patch
|
|And then rebuild and install the library:
| cd lib/libssl
| make
| make install
|
|Index: lib/libssl/src/apps/speed.c
|===================================================================
|RCS file: /cvs/src/lib/libssl/src/apps/speed.c,v
|retrieving revision 1.15
|diff -u -p -r1.15 speed.c
|--- lib/libssl/src/apps/speed.c 27 Jun 2006 05:06:54 -0000 1.15
|+++ lib/libssl/src/apps/speed.c 9 Jan 2009 06:58:51 -0000
--------------------------
Patching file lib/libssl/src/apps/speed.c using Plan A...
Hunk #1 succeeded at 1486.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libssl/src/apps/spkac.c
|===================================================================
|RCS file: /cvs/src/lib/libssl/src/apps/spkac.c,v
|retrieving revision 1.6
|diff -u -p -r1.6 spkac.c
|--- lib/libssl/src/apps/spkac.c 12 May 2003 02:18:35 -0000 1.6
|+++ lib/libssl/src/apps/spkac.c 9 Jan 2009 06:58:51 -0000
--------------------------
Patching file lib/libssl/src/apps/spkac.c using Plan A...
Hunk #1 succeeded at 284.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libssl/src/apps/verify.c
|===================================================================
|RCS file: /cvs/src/lib/libssl/src/apps/verify.c,v
|retrieving revision 1.7
|diff -u -p -r1.7 verify.c
|--- lib/libssl/src/apps/verify.c 29 Apr 2005 05:39:16 -0000 1.7
|+++ lib/libssl/src/apps/verify.c 9 Jan 2009 06:58:51 -0000
--------------------------
Patching file lib/libssl/src/apps/verify.c using Plan A...
Hunk #1 succeeded at 275.
Hunk #2 succeeded at 366.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libssl/src/apps/x509.c
|===================================================================
|RCS file: /cvs/src/lib/libssl/src/apps/x509.c,v
|retrieving revision 1.17
|diff -u -p -r1.17 x509.c
|--- lib/libssl/src/apps/x509.c 29 Apr 2005 05:39:16 -0000 1.17
|+++ lib/libssl/src/apps/x509.c 9 Jan 2009 06:58:51 -0000
--------------------------
Patching file lib/libssl/src/apps/x509.c using Plan A...
Hunk #1 succeeded at 1123.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libssl/src/ssl/s2_clnt.c
|===================================================================
|RCS file: /cvs/src/lib/libssl/src/ssl/s2_clnt.c,v
|retrieving revision 1.13
|diff -u -p -r1.13 s2_clnt.c
|--- lib/libssl/src/ssl/s2_clnt.c 4 Oct 2006 07:10:32 -0000 1.13
|+++ lib/libssl/src/ssl/s2_clnt.c 9 Jan 2009 06:58:51 -0000
--------------------------
Patching file lib/libssl/src/ssl/s2_clnt.c using Plan A...
Hunk #1 succeeded at 1062.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libssl/src/ssl/s2_srvr.c
|===================================================================
|RCS file: /cvs/src/lib/libssl/src/ssl/s2_srvr.c,v
|retrieving revision 1.11
|diff -u -p -r1.11 s2_srvr.c
|--- lib/libssl/src/ssl/s2_srvr.c 27 Jun 2006 05:07:03 -0000 1.11
|+++ lib/libssl/src/ssl/s2_srvr.c 9 Jan 2009 06:58:52 -0000
--------------------------
Patching file lib/libssl/src/ssl/s2_srvr.c using Plan A...
Hunk #1 succeeded at 1070.
Hunk #2 succeeded at 1099.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libssl/src/ssl/s3_clnt.c
|===================================================================
|RCS file: /cvs/src/lib/libssl/src/ssl/s3_clnt.c,v
|retrieving revision 1.18
|diff -u -p -r1.18 s3_clnt.c
|--- lib/libssl/src/ssl/s3_clnt.c 27 Jun 2006 05:07:03 -0000 1.18
|+++ lib/libssl/src/ssl/s3_clnt.c 9 Jan 2009 06:58:52 -0000
--------------------------
Patching file lib/libssl/src/ssl/s3_clnt.c using Plan A...
Hunk #1 succeeded at 833.
Hunk #2 succeeded at 1200.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libssl/src/ssl/s3_srvr.c
|===================================================================
|RCS file: /cvs/src/lib/libssl/src/ssl/s3_srvr.c,v
|retrieving revision 1.20
|diff -u -p -r1.20 s3_srvr.c
|--- lib/libssl/src/ssl/s3_srvr.c 27 Jun 2006 05:07:03 -0000 1.20
|+++ lib/libssl/src/ssl/s3_srvr.c 9 Jan 2009 06:58:52 -0000
--------------------------
Patching file lib/libssl/src/ssl/s3_srvr.c using Plan A...
Hunk #1 succeeded at 2009.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libssl/src/ssl/ssltest.c
|===================================================================
|RCS file: /cvs/src/lib/libssl/src/ssl/ssltest.c,v
|retrieving revision 1.13
|diff -u -p -r1.13 ssltest.c
|--- lib/libssl/src/ssl/ssltest.c 27 Jun 2006 05:07:03 -0000 1.13
|+++ lib/libssl/src/ssl/ssltest.c 9 Jan 2009 06:58:52 -0000
--------------------------
Patching file lib/libssl/src/ssl/ssltest.c using Plan A...
Hunk #1 succeeded at 1984.
done

Likewise for the patch against BIND.

We cat the patch:

# cat 008_bind.patch
Apply by doing:
cd /usr/src
patch -p0 < 008_bind.patch

And then rebuild and install bind:
cd usr.sbin/bind
make -f Makefile.bsd-wrapper
make -f Makefile.bsd-wrapper install

And we apply it:

patch -p0 < 008_bind.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Apply by doing:
| cd /usr/src
| patch -p0 < 008_bind.patch
|
|And then rebuild and install bind:
| cd usr.sbin/bind
| make -f Makefile.bsd-wrapper
| make -f Makefile.bsd-wrapper install
|
|Index: usr.sbin/bind/lib/dns/openssldsa_link.c
|===================================================================
|RCS file: /cvs/src/usr.sbin/bind/lib/dns/openssldsa_link.c,v
|retrieving revision 1.1.1.3
|diff -u -r1.1.1.3 openssldsa_link.c
|--- usr.sbin/bind/lib/dns/openssldsa_link.c 9 Dec 2007 12:34:20 -0000 1.1.1.3
|+++ usr.sbin/bind/lib/dns/openssldsa_link.c 11 Jan 2009 02:22:57 -0000
--------------------------
Patching file usr.sbin/bind/lib/dns/openssldsa_link.c using Plan A...
Hunk #1 succeeded at 133.
done
#
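
Added example, not part of the original post: two shell functions, errata_steps and check_patch_log (hypothetical names), that print the instruction header of an errata patch and check saved patch output for failed hunks before running the rebuild and install steps that header asks for. The sample inputs are constructed from the lines shown above, and the wording of the "failed" line is an assumption that mirrors the "succeeded" lines.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample inputs are constructed
# from the session above. The "failed" wording is assumed to mirror "succeeded".

# Print the instruction header of an errata patch: every line before the
# first "Index:" line, i.e. the apply, rebuild and install commands.
errata_steps() {
    awk '/^Index: / { exit } { print }'
}

# Read saved patch(1) output on stdin, print "files=N ok=N failed=N", and
# return 0 only if a file was patched, no hunk failed, and the run hit "done".
check_patch_log() {
    awk '
        /^Patching file /                  { files++ }
        /^Hunk #[0-9]+ succeeded/          { ok++ }
        /^Hunk #[0-9]+ (failed|FAILED)/    { failed++ }
        /^done$/                           { finished = 1 }
        END {
            printf "files=%d ok=%d failed=%d\n", files, ok, failed
            exit !(files > 0 && failed == 0 && finished)
        }'
}

SAMPLE_PATCH='Apply by doing:
    cd /usr/src
    patch -p0 < 007_openssl.patch

And then rebuild and install the library:
    cd lib/libssl
    make
    make install

Index: lib/libssl/src/apps/speed.c'

SAMPLE_OK='Patching file lib/libssl/src/apps/verify.c using Plan A...
Hunk #1 succeeded at 275.
Hunk #2 succeeded at 366.
Patching file lib/libssl/src/apps/x509.c using Plan A...
Hunk #1 succeeded at 1123.
done'

SAMPLE_BAD='Patching file lib/libssl/src/apps/speed.c using Plan A...
Hunk #1 failed at 1486.'

printf '%s\n' "$SAMPLE_PATCH" | errata_steps
printf '%s\n' "$SAMPLE_OK" | check_patch_log && echo "clean: rebuild and install"
printf '%s\n' "$SAMPLE_BAD" | check_patch_log || echo "not clean: do not rebuild"
```

On the real system the log would be the saved output of the patch -p0 run, and the commands printed by errata_steps (cd lib/libssl, make, make install for 007_openssl.patch) are run only after check_patch_log returns 0.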

Source:

Thanks to Fernando Quintero (a.k.a. nonroot), who wrote a guide on how to patch an OpenBSD.
