当前位置：首页 > news >正文

织梦网站后台教程微信朋友圈推广方案

news 2026/4/8 21:25:59

织梦网站后台教程,微信朋友圈推广方案,机房网络组建方案,湖北网站建设贴吧Rocky Linux 9系统 OpenSSH CVE-2024-6387 漏洞修复 1、漏洞修复2、修复思路3、修复方案3.1、方案一3.2、方案二 4、总结5、参考 1、漏洞修复 CVE-2024-6387#xff1a;regreSSHion#xff1a;OpenSSH 服务器中的远程代码执行#xff08;RCE#xff09;#xff0c;至少在… Rocky Linux 9系统 OpenSSH CVE-2024-6387 漏洞修复 1、漏洞修复2、修复思路3、修复方案3.1、方案一3.2、方案二 4、总结5、参考 1、漏洞修复 CVE-2024-6387regreSSHionOpenSSH 服务器中的远程代码执行RCE至少在基于 glibc 的 Linux 系统上可被利用。根据 oss-security - CVE-2024-6387: RCE in OpenSSH’s server, on glibc-based Linux systems 的发现并由 oss-security - Announce: OpenSSH 9.8 released 上游总结在 Portable OpenSSH 版本 8.5p1 至 9.7p1含中sshd(8) 存在一个严重漏洞可能允许以 root 权限执行任意代码。在 32 位的 Linux/glibc 系统上成功利用该漏洞已被证明且需要启用地址空间布局随机化ASLR。在实验室条件下攻击平均需要 6-8 小时的持续连接直到服务器达到最大连接数为止。目前尚未证明在 64 位系统上可以利用该漏洞但认为这可能是可行的。这些攻击很有可能会得到进一步改进。公开披露日期 2024年7月1日影响范围 Rocky Linux 9 **修复版本**8.7p1-38.el9_4.security.0.5 2024 年 7 月 1 日可用。不受影响 Rocky Linux 8 2、修复思路安装 8.7p1-38.el9_4.security.0.5 即可。 3、修复方案方案一采用在线方式修复方案二采用离线方式修复。根据自身的网络环境采用对应的方式进行修复 3.1、方案一 # 查看当前版本 [rootlocalhost ~]# rpm -qa | grep openssh openssh-8.7p1-38.el9.x86_64 openssh-clients-8.7p1-38.el9.x86_64 openssh-server-8.7p1-38.el9.x86_64# 安装更新源 [rootlocalhost ~]# dnf install -y rocky-release-security Last metadata expiration check: 1:16:01 ago on Wed 03 Jul 2024 09:08:38 AM CST. Dependencies resolved. Package Architecture Version Repository SizeInstalling:rocky-release-security noarch 9-4.el9 extras 9.5 kTransaction SummaryInstall 1 PackageTotal download size: 9.5 k Installed size: 3.2 k Downloading Packages: rocky-release-security-9-4.el9.noarch.rpm 38 kB/s | 9.5 kB 00:00 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 38 kB/s | 9.5 kB 00:00 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transactionPreparing : 1/1 Installing : rocky-release-security-9-4.el9.noarch 1/1 Running scriptlet: rocky-release-security-9-4.el9.noarch 1/1 Verifying : rocky-release-security-9-4.el9.noarch 1/1 Installed:rocky-release-security-9-4.el9.noarch Complete!# 禁用 SIG/Security security-common repo [rootlocalhost ~]# dnf config-manager --disable security-common# 升级 openssh [rootlocalhost ~]# dnf --enablereposecurity-common -y update openssh\* Rocky Linux 9 - SIG Security Common 35 kB/s | 117 kB 00:03 Last metadata expiration check: 0:00:01 ago on Wed 03 Jul 2024 10:25:04 AM CST. Dependencies resolved. Package Architecture Version Repository SizeUpgrading:openssh x86_64 8.7p1-38.el9_4.security.0.5 security-common 453 kopenssh-clients x86_64 8.7p1-38.el9_4.security.0.5 security-common 693 kopenssh-server x86_64 8.7p1-38.el9_4.security.0.5 security-common 435 kTransaction SummaryUpgrade 3 PackagesTotal download size: 1.5 M Downloading Packages: (1/3): openssh-server-8.7p1-38.el9_4.security.0.5.x86_64.rpm 122 kB/s | 435 kB 00:03 (2/3): openssh-8.7p1-38.el9_4.security.0.5.x86_64.rpm 125 kB/s | 453 kB 00:03 (3/3): openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64.rpm 171 kB/s | 693 kB 00:04 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 331 kB/s | 1.5 MB 00:04 Rocky Linux 9 - SIG Security Common 1.6 MB/s | 1.7 kB 00:00 Importing GPG key 0x0FE8D526:Userid : Rocky Linux 9 SIGs - Security relengrockylinux.orgFingerprint: 23DC 35EB E743 BAB0 CED2 1D20 8D79 B737 0FE8 D526From : /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-SIG-Security Key imported successfully Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transactionPreparing : 1/1 Running scriptlet: openssh-8.7p1-38.el9_4.security.0.5.x86_64 1/6 Upgrading : openssh-8.7p1-38.el9_4.security.0.5.x86_64 1/6 Running scriptlet: openssh-server-8.7p1-38.el9_4.security.0.5.x86_64 2/6 Upgrading : openssh-server-8.7p1-38.el9_4.security.0.5.x86_64 2/6 Running scriptlet: openssh-server-8.7p1-38.el9_4.security.0.5.x86_64 2/6 Upgrading : openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64 3/6 Running scriptlet: openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64 3/6 Running scriptlet: openssh-clients-8.7p1-38.el9.x86_64 4/6 Cleanup : openssh-clients-8.7p1-38.el9.x86_64 4/6 Running scriptlet: openssh-server-8.7p1-38.el9.x86_64 5/6 Cleanup : openssh-server-8.7p1-38.el9.x86_64 5/6 Running scriptlet: openssh-server-8.7p1-38.el9.x86_64 5/6 Cleanup : openssh-8.7p1-38.el9.x86_64 6/6 Running scriptlet: openssh-8.7p1-38.el9.x86_64 6/6 Verifying : openssh-server-8.7p1-38.el9_4.security.0.5.x86_64 1/6 Verifying : openssh-server-8.7p1-38.el9.x86_64 2/6 Verifying : openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64 3/6 Verifying : openssh-clients-8.7p1-38.el9.x86_64 4/6 Verifying : openssh-8.7p1-38.el9_4.security.0.5.x86_64 5/6 Verifying : openssh-8.7p1-38.el9.x86_64 6/6 Upgraded:openssh-8.7p1-38.el9_4.security.0.5.x86_64 openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64 openssh-server-8.7p1-38.el9_4.security.0.5.x86_64 Complete!# 确保 openssh-8.7p1-38.el9_4.security.0.5 已安装 [rootlocalhost ~]# rpm -q openssh openssh-8.7p1-38.el9_4.security.0.5.x86_64[rootlocalhost ~]# rpm -qa | grep openssh openssh-8.7p1-38.el9_4.security.0.5.x86_64 openssh-server-8.7p1-38.el9_4.security.0.5.x86_64 openssh-clients-8.7p1-38.el9_4.security.0.5.x86_64# 因为安装过程中会自动重启 sshd 服务所以安装完后无需再手动重启服务 [rootlocalhost ~]# systemctl status sshd ● sshd.service - OpenSSH server daemonLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)Active: active (running) since Wed 2024-07-03 10:18:42 CST; 34s ago # 重启时间Docs: man:sshd(8)man:sshd_config(5)Main PID: 64456 (sshd)Tasks: 1 (limit: 48933)Memory: 1.1MCPU: 14msCGroup: /system.slice/sshd.service└─64456 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startupsJul 03 10:18:42 localhost systemd[1]: Starting OpenSSH server daemon... Jul 03 10:18:42 localhost sshd[64456]: Server listening on 0.0.0.0 port 22. Jul 03 10:18:42 localhost systemd[1]: Started OpenSSH server daemon.3.2、方案二下载需要升级的安装包编制安装脚本。 #!/bin/bash set -e echo -e 温馨提醒 echo -e 1.本次安装升级OpenSSh9.8将同时升级OpenSSL版本至3.2.0务必确保应用及产品兼容性。 echo -e 2.建议提供其他能够链接至服务器的工具如Telnet防止升级失败导致服务器无法登录。 echo -e 3.默认配置文件为/etc/ssh/sshd_config若为自定义路径请修改脚本中SSH_CONFIG路径 echo -e function OpenSSH_update() {yum localinstall -y openssh-*#cp -a /etc/ssh/ssh_host_* /tmp#rm -rf /etc/ssh/ssh_host_*#默认配置文件SSH_CONFIG/etc/ssh/sshd_configCOUNTERS0while [ ! -f ${SSH_CONFIG} ] [ ${COUNTERS} -lt 3 ]; doecho -e 默认配置文件${SSH_CONFIG}不存在请确认sshd_config配置文件位置。read -p 请输入sshd_config文件路径(例/etc/ssh/sshd_config) : SSH_CONFIGCOUNTERS$((COUNTERS1))doneif [ ${COUNTERS} -eq 3 ]; thenecho 已经达到最大重试次数升级脚本自动退出请确认配置文件路径后在次运行脚本。exit 1fiecho -e 默认配置文件为${SSH_CONFIG}#备份配置文件到/tmpcp -a ${SSH_CONFIG} /tmp#表示指定将接受用于基于主机的身份验证的密钥类型。if ! grep -q ^PubkeyAcceptedAlgorithms ${SSH_CONFIG}; thensed -i $a\PubkeyAcceptedAlgorithms ssh-rsa ${SSH_CONFIG}fi# 表示指定公钥认证允许的密钥类型。if ! grep -q ^PubkeyAcceptedKeyTypes ${SSH_CONFIG}; thensed -i $a\PubkeyAcceptedKeyTypes ssh-rsa ${SSH_CONFIG}fi# 表示指定服务器提供的主机密钥算法。if ! grep -q ^HostKeyAlgorithms ${SSH_CONFIG}; thensed -i $a\HostKeyAlgorithms ssh-rsa ${SSH_CONFIG}fi#PubkeyAcceptedKeyTypes ssh-rsa #HostKeyAlgorithms ssh-rsaecho -e 重启sshd服务......systemctl restart sshdif [ -n $(systemctl status sshd | grep active (running)) ]; then echo OpenSSH 升级成功exit 0else echo 重启sshd服务异常请手动检查错误信息systemctl status sshd -lexit 1fi}function main() {while truedoread -p 请确认是否继续升级操作(Y/N) yncase ${yn} in[Yy] ) echo 开始升级......; OpenSSH_update;;[Nn] ) echo 退出; exit 0; break;; * ) echo 请输入Yy/Nn;;esacdone }main 将安装包和脚本上传至服务器运行脚本。 4、总结互联网接入环境中推荐方案一离线情况下使用方案二操作。 5、参考 Rocky Linux 9 RedHat 系 OpenSSH CVE-2024-6387 漏洞快速修复

查看全文

http://www.w-s-a.com/news/303718/