Project motivation
The OpenSSL project no longer maintains the 1.0.2 series as open source; OpenSSL 1.0.2u is the last official open-source release of 1.0.2. Vulnerabilities have continued to be disclosed against 1.0.2u since then, and upstream publishes no further open-source fixes for the branch, so how are those vulnerabilities to be resolved?
1. Upgrade to a newer major series, 1.1.1 or 3.x.x.
2. Merge the vulnerability fixes into 1.0.2u and keep using 1.0.2u.
A major-version upgrade of OpenSSL has a large impact on a project: every existing module that depends on OpenSSL has to be modified and rebuilt. This article therefore focuses on the second option.
Summary of vulnerabilities affecting OpenSSL 1.0.2u
Data source: https://www.openssl.org/news/vulnerabilities.html Author's GitHub project: https://github.com/fdl66/openssl-1.0.2u-fix-cve
--------2022--------
CVE-2022-0778 (OpenSSL advisory) [High severity] 15 March 2022:
Fixed in OpenSSL 1.0.2zd (git commit) (Affected 1.0.2-1.0.2zc)
Fixed in this repository: https://github.com/fdl66/openssl-1.0.2u-fix-cve/pull/7
CVE-2021-4160 (OpenSSL advisory) [Moderate severity] 28 January 2022:
Fixed in OpenSSL 1.0.2zc-dev (git commit) (Affected 1.0.2-1.0.2zb)
Not yet fixed in this repository: the 1.0.2u code differs from the code the upstream fix targets, so the patch is skipped to avoid introducing unnecessary breakage (the vulnerability also only affects the MIPS platform; ordinary x86 builds are not affected).
--------2021--------
CVE-2021-3712 (OpenSSL advisory) [Moderate severity] 24 August 2021:
Fixed in OpenSSL 1.0.2za (git commit) (Affected 1.0.2-1.0.2y)
Fixed in this repository: https://github.com/fdl66/openssl-1.0.2u-fix-cve/pull/6
CVE-2021-23841 (OpenSSL advisory) [Moderate severity] 16 February 2021:
Fixed in OpenSSL 1.0.2y (git commit) (Affected 1.0.2-1.0.2x)
Fixed in this repository: https://github.com/fdl66/openssl-1.0.2u-fix-cve/pull/5
CVE-2021-23840 (OpenSSL advisory) [Low severity] 16 February 2021:
Fixed in OpenSSL 1.0.2y (git commit) (Affected 1.0.2-1.0.2x)
Fixed in this repository: https://github.com/fdl66/openssl-1.0.2u-fix-cve/pull/4
CVE-2021-23839 (OpenSSL advisory) [Low severity] 16 February 2021:
Fixed in OpenSSL 1.0.2y (git commit) (Affected 1.0.2s-1.0.2x)
Fixed in this repository: https://github.com/fdl66/openssl-1.0.2u-fix-cve/pull/3
--------2020--------
CVE-2020-1971 (OpenSSL advisory) [High severity] 08 December 2020:
Fixed in OpenSSL 1.0.2x (git commit) (Affected 1.0.2-1.0.2w)
Fixed in this repository: https://github.com/fdl66/openssl-1.0.2u-fix-cve/pull/2
CVE-2020-1968 (OpenSSL advisory) [Low severity] 09 September 2020:
Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v)
Not yet fixed in this repository: upstream published no fix code for this vulnerability, and it is low severity.
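The "fixed / not yet fixed" bookkeeping above is done by hand; when a tree is frozen at 1.0.2u it is easy to lose track of which advisories still apply. The following Python script is an added example, not code from the openssl-1.0.2u-fix-cve repository: it parses advisory lines in the format of the OpenSSL vulnerabilities page, orders 1.0.2-style versions correctly (the letter suffix counts a..z and then continues za, zb, ..., so 1.0.2z is older than 1.0.2za), and reports which CVEs still affect a given base version once the fixes already backported are subtracted. The advisory text embedded in it is a constructed sample made from the entries above, one per line; a "-dev" suffix on the fixing version is treated as that version.

```python
"""Work out which OpenSSL advisories still apply to a frozen 1.0.2 tree.

Added example, not code from the openssl-1.0.2u-fix-cve repository. The
advisory text is a constructed sample: the entries summarised on this page,
one per line, in the format of https://www.openssl.org/news/vulnerabilities.html
"""
import re
from dataclasses import dataclass

ADVISORIES = """\
CVE-2022-0778 (OpenSSL advisory) [High severity] 15 March 2022: Fixed in OpenSSL 1.0.2zd (git commit) (Affected 1.0.2-1.0.2zc)
CVE-2021-4160 (OpenSSL advisory) [Moderate severity] 28 January 2022: Fixed in OpenSSL 1.0.2zc-dev (git commit) (Affected 1.0.2-1.0.2zb)
CVE-2021-3712 (OpenSSL advisory) [Moderate severity] 24 August 2021: Fixed in OpenSSL 1.0.2za (git commit) (Affected 1.0.2-1.0.2y)
CVE-2021-23841 (OpenSSL advisory) [Moderate severity] 16 February 2021: Fixed in OpenSSL 1.0.2y (git commit) (Affected 1.0.2-1.0.2x)
CVE-2021-23840 (OpenSSL advisory) [Low severity] 16 February 2021: Fixed in OpenSSL 1.0.2y (git commit) (Affected 1.0.2-1.0.2x)
CVE-2021-23839 (OpenSSL advisory) [Low severity] 16 February 2021: Fixed in OpenSSL 1.0.2y (git commit) (Affected 1.0.2s-1.0.2x)
CVE-2020-1971 (OpenSSL advisory) [High severity] 08 December 2020: Fixed in OpenSSL 1.0.2x (git commit) (Affected 1.0.2-1.0.2w)
CVE-2020-1968 (OpenSSL advisory) [Low severity] 09 September 2020: Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v)
"""

# One advisory line: CVE id, severity, the version carrying the fix (an
# optional "-dev" marks a fix committed to the branch ahead of a release),
# and the inclusive range of affected versions.
ENTRY_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+) .*?\[(?P<sev>\w+) severity\].*?"
    r"Fixed in OpenSSL (?P<fixed>[\w.]+?)(?:-dev)?\s.*?"
    r"\(Affected (?P<lo>[\w.]+)-(?P<hi>[\w.]+)\)"
)

# 1.0.2 / 1.1.1 style version: three numbers plus an optional letter suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def version_key(version: str) -> tuple:
    """Sort key for 1.0.2-style versions: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letters = m.groups()
    # A longer letter run is always newer, so compare length before letters.
    return (int(major), int(minor), int(fix), len(letters), letters)


@dataclass(frozen=True)
class Advisory:
    cve: str
    severity: str
    fixed_in: str
    affected_from: str
    affected_to: str

    def affects(self, version: str) -> bool:
        key = version_key(version)
        return version_key(self.affected_from) <= key <= version_key(self.affected_to)


def parse_advisories(text: str) -> list:
    """Parse advisory lines; lines that do not match the format are skipped."""
    advisories = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            advisories.append(Advisory(m["cve"], m["sev"], m["fixed"], m["lo"], m["hi"]))
    return advisories


def outstanding(text: str, version: str, backported=()) -> list:
    """CVE ids that affect `version` and whose fix has not been backported yet."""
    done = set(backported)
    return [a.cve for a in parse_advisories(text)
            if a.affects(version) and a.cve not in done]


if __name__ == "__main__":
    # The six fixes this page lists as merged into the 1.0.2u tree.
    fixed_here = ["CVE-2022-0778", "CVE-2021-3712", "CVE-2021-23841",
                  "CVE-2021-23840", "CVE-2021-23839", "CVE-2020-1971"]
    for cve in outstanding(ADVISORIES, "1.0.2u", fixed_here):
        print("still open against 1.0.2u:", cve)
```

Run against the six merged fixes, the script leaves exactly CVE-2021-4160 and CVE-2020-1968 open, matching the notes above. Feeding it the real vulnerabilities page and the list of merged pull requests turns that manual audit into something that can run in CI whenever the page changes.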
Solution overview
https://github.com/fdl66/openssl-1.0.2u-fix-cve
- Merge the official OpenSSL fix code for each vulnerability into the 1.0.2u tree.
- Some vulnerabilities have no official fix for this version; for those, the 1.1.1 fix is used instead, since the affected code is identical in the two versions and the fix applies as-is.