Updating Apache for the Apache vulnerability (CVE-2011-3192)


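To deal with the much-talked-about Apache Killer, I tried updating Apache.

I was going to update the Clara Online server, but before that I updated the Tsukaeru Net (使えるねっと) server first as an experiment. This is how it went.

Clara Online had published an update procedure, so I decided to follow it.

Reference: http://support.clara.jp/news/110901_apache_update.htm

First, yum is not installed on the Tsukaeru Net server, so I installed that first.
It's quite a hassle.

Check the CentOS version.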


[root@macplan ~]# cat /etc/redhat-release
CentOS release 5 (Final)

It was 5.0... lol

[root@macplan ~]# /etc/rc.d/init.d/httpd configtest
Syntax OK
Checked httpd.conf for errors. No problems.
[root@macplan ~]# cp -a /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.backup_apache
[root@macplan ~]# cp -a /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.backup_apache
Backed up the conf files.

Just in case, check once more whether yum is there.


[root@macplan ~]# yum --version
-bash: yum: command not found

Still not there... lol

So, install yum. Look for the rpm and... wget.


[root@macplan ~]# wget http://ftp-srv2.kddilabs.jp/Linux/packages/CentOS/5/os/i386/CentOS/yum-3.2.22-33.el5.centos.noarch.rpm
--22:37:32-- http://ftp-srv2.kddilabs.jp/Linux/packages/CentOS/5/os/i386/CentOS/yum-3.2.22-33.el5.centos.noarch.rpm
Resolving ftp-srv2.kddilabs.jp... 202.255.47.226
Connecting to ftp-srv2.kddilabs.jp|202.255.47.226|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1030519 (1006K) [application/octet-stream]
Saving to: `yum-3.2.22-33.el5.centos.noarch.rpm'

100%[=================================================>] 1,030,519 --.-K/s in 0.1s

22:37:32 (8.23 MB/s) - `yum-3.2.22-33.el5.centos.noarch.rpm' saved [1030519/1030519]


When I tried to install it right away...


[root@macplan ~]# rpm -ivh yum-3.2.22-33.el5.centos.noarch.rpm
warning: yum-3.2.22-33.el5.centos.noarch.rpm: Header V3 DSA signature: NOKEY, key ID e8562897
error: Failed dependencies:
python-elementtree is needed by yum-3.2.22-33.el5.centos.noarch
python-iniparse is needed by yum-3.2.22-33.el5.centos.noarch
python-sqlite is needed by yum-3.2.22-33.el5.centos.noarch
urlgrabber >= 3.1.0 is needed by yum-3.2.22-33.el5.centos.noarch
yum-fastestmirror is needed by yum-3.2.22-33.el5.centos.noarch
yum-metadata-parser >= 1.1.0 is needed by yum-3.2.22-33.el5.centos.noarch

It complains that all sorts of things are missing!

I quickly downloaded these:
python-elementtree-1.2.6-5.i386.rpm
python-iniparse-0.2.3-4.el5.noarch.rpm
python-sqlite-1.1.7-1.2.1.i386.rpm
python-urlgrabber-3.1.0-6.el5.noarch.rpm
yum-fastestmirror-1.1.16-14.el5.centos.1.noarch.rpm
yum-metadata-parser-1.1.2-3.el5.centos.i386.rpm
Along the way, I was told that python-urlgrabber also needs
m2crypto-0.16-6.el5.8.i386.rpm
so I downloaded that too.

Then I installed the collected RPMs with -ivh.

And then, when I tried to check the yum version...


[root@macplan ~]# yum --version
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

/usr/lib/python2.4/site-packages/cElementTree.so: wrong ELF class: ELFCLASS32

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.4.3 (#1, Mar 14 2007, 19:01:42)
[GCC 4.1.1 20070105 (Red Hat 4.1.1-52)]

If you cannot solve this problem yourself, please go to
the yum faq at:
http://wiki.linux.duke.edu/YumFaq

Huh~~~?

"/usr/lib/python2.4/site-packages/cElementTree.so: wrong ELF class: ELFCLASS32"

I googled it and... oops, I had installed i386 RPMs on a 64-bit server... (sweat)

I uninstalled the wrong ones with rpm -e, and once again,

[root@macplan ~]# wget http://ftp-srv2.kddilabs.jp/Linux/packages/CentOS/5/os/x86_64/CentOS/python-elementtree-1.2.6-5.x86_64.rpm (rest omitted)

And then, rpm -ivh them all together.

[root@macplan ~]# rpm -ivh python-elementtree-1.2.6-5.x86_64.rpm python-iniparse-0.2.3-4.el5.noarch.rpm m2crypto-0.16-6.el5.8.x86_64.rpm python-sqlite-1.1.7-1.2.1.x86_64.rpm python-urlgrabber-3.1.0-6.el5.noarch.rpm yum-3.2.22-33.el5.centos.noarch.rpm yum-fastestmirror-1.1.16-14.el5.centos.1.noarch.rpm yum-metadata-parser-1.1.2-3.el5.centos.x86_64.rpm
warning: python-elementtree-1.2.6-5.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID e8562897
Preparing... ########################################### [100%]
1:yum-metadata-parser ########################################### [ 13%]
2:python-sqlite ########################################### [ 25%]
3:m2crypto ########################################### [ 38%]
4:python-elementtree ########################################### [ 50%]
5:python-urlgrabber ########################################### [ 63%]
6:python-iniparse ########################################### [ 75%]
7:yum-fastestmirror ########################################### [ 88%]
8:yum ########################################### [100%]

Check the version.


[root@macplan ~]# yum --version
3.2.22
Installed: rpm-4.4.2-47.el5.x86_64 at 2008-02-21 07:21
Built : [] at 2007-11-11 01:03
Committed: Panu Matilainen at 2007-08-24 22:00

Installed: yum-3.2.22-33.el5.centos.noarch at 2011-09-06 14:17
Built : [] at 2011-01-31 23:12
Committed: Karanbir Singh at 2011-01-31 22:00

Installed: yum-metadata-parser-1.1.2-3.el5.centos.x86_64 at 2011-09-06 14:17
Built : [] at 2009-08-27 16:19
Committed: James Antill at 2009-04-06 22:00

At last, the yum install is complete (sweat)
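A pre-install check for the i386-on-x86_64 mistake described above, as an added example that is not part of the original post: it reads the architecture field from each RPM file name and lists the files that do not match the host. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# rpm_arch FILE_OR_URL
# Print the architecture field of an RPM file name
# (name-version-release.ARCH.rpm).
rpm_arch() {
    base=${1##*/}          # drop directory or URL path
    base=${base%.rpm}      # drop the extension
    printf '%s\n' "${base##*.}"
}

# arch_ok HOST_ARCH PKG_ARCH
# Succeed when the package is noarch or built for the host's native arch.
arch_ok() {
    case "$1:$2" in
        *:noarch)      return 0 ;;
        i?86:i[3-6]86) return 0 ;;   # any 32-bit x86 build on a 32-bit host
    esac
    [ "$1" = "$2" ]
}

# mismatched_rpms HOST_ARCH FILE...
# Print one line per file whose architecture is not native to the host.
# i386 packages can be legitimate on x86_64 (the yum output in the post
# pulls httpd-devel.i386), so treat the list as items to review. A compiled
# Python module such as cElementTree.so must match the interpreter.
mismatched_rpms() {
    host=$1
    shift
    for f in "$@"; do
        a=$(rpm_arch "$f")
        arch_ok "$host" "$a" || printf '%s (%s, host is %s)\n' "$f" "$a" "$host"
    done
}

# Typical use before "rpm -ivh *.rpm":
#   mismatched_rpms "$(uname -m)" *.rpm
```

The NOKEY warnings in the sessions above mean rpm could not verify the package signatures; importing the CentOS 5 signing key with `rpm --import` and running `rpm -K` on each downloaded file before installing closes that gap.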

Now, on to the Apache update...

[root@macplan ~]# yum update httpd
Loaded plugins: fastestmirror
Determining fastest mirrors
* addons: www.ftp.ne.jp
* base: www.ftp.ne.jp
* extras: www.ftp.ne.jp
* updates: www.ftp.ne.jp
addons | 951 B 00:00
addons/primary | 204 B 00:00
base | 2.1 kB 00:00
base/primary_db | 2.2 MB 00:00
extras | 2.1 kB 00:00
extras/primary_db | 260 kB 00:00
updates | 1.9 kB 00:00
updates/primary_db | 725 kB 00:00
Setting up Update Process
Resolving Dependencies
--> Running transaction check
--> Processing Dependency: httpd = 2.2.3-11.el5_1.centos.3 for package: mod_ssl
--> Processing Dependency: httpd = 2.2.3-11.el5_1.centos.3 for package: httpd-devel
--> Processing Dependency: httpd = 2.2.3-11.el5_1.centos.3 for package: httpd-devel
---> Package httpd.x86_64 0:2.2.3-45.el5.centos.1 set to be updated
--> Running transaction check
---> Package httpd-devel.i386 0:2.2.3-45.el5.centos.1 set to be updated
---> Package httpd-devel.x86_64 0:2.2.3-45.el5.centos.1 set to be updated
---> Package mod_ssl.x86_64 1:2.2.3-45.el5.centos.1 set to be updated
--> Processing Dependency: openssl >= 0.9.8e-12.el5_4.4 for package: mod_ssl
--> Running transaction check
--> Processing Dependency: openssl = 0.9.8b-8.3.el5_0.2 for package: openssl-devel
--> Processing Dependency: openssl = 0.9.8b-8.3.el5_0.2 for package: openssl-devel
--> Processing Dependency: openssl = 0.9.8b-8.3.el5_0.2 for package: openssl-perl
---> Package openssl.i686 0:0.9.8e-12.el5_5.7 set to be updated
---> Package openssl.x86_64 0:0.9.8e-12.el5_5.7 set to be updated
--> Running transaction check
---> Package openssl-devel.i386 0:0.9.8e-12.el5_5.7 set to be updated
---> Package openssl-devel.x86_64 0:0.9.8e-12.el5_5.7 set to be updated
---> Package openssl-perl.x86_64 0:0.9.8e-12.el5_5.7 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================
Package Arch Version Repository Size
==========================================================================================
Updating:
httpd x86_64 2.2.3-45.el5.centos.1 updates 1.2 M
Updating for dependencies:
httpd-devel i386 2.2.3-45.el5.centos.1 updates 149 k
httpd-devel x86_64 2.2.3-45.el5.centos.1 updates 149 k
mod_ssl x86_64 1:2.2.3-45.el5.centos.1 updates 93 k
openssl i686 0.9.8e-12.el5_5.7 base 1.4 M
openssl x86_64 0.9.8e-12.el5_5.7 base 1.4 M
openssl-devel i386 0.9.8e-12.el5_5.7 base 1.9 M
openssl-devel x86_64 0.9.8e-12.el5_5.7 base 1.9 M
openssl-perl x86_64 0.9.8e-12.el5_5.7 base 35 k

Transaction Summary
==========================================================================================
Install 0 Package(s)
Upgrade 9 Package(s)

Total download size: 8.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/9): openssl-perl-0.9.8e-12.el5_5.7.x86_64.rpm | 35 kB 00:00
(2/9): mod_ssl-2.2.3-45.el5.centos.1.x86_64.rpm | 93 kB 00:00
(3/9): httpd-devel-2.2.3-45.el5.centos.1.x86_64.rpm | 149 kB 00:00
(4/9): httpd-devel-2.2.3-45.el5.centos.1.i386.rpm | 149 kB 00:00
(5/9): httpd-2.2.3-45.el5.centos.1.x86_64.rpm | 1.2 MB 00:00
(6/9): openssl-0.9.8e-12.el5_5.7.i686.rpm | 1.4 MB 00:00
(7/9): openssl-0.9.8e-12.el5_5.7.x86_64.rpm | 1.4 MB 00:00
(8/9): openssl-devel-0.9.8e-12.el5_5.7.x86_64.rpm | 1.9 MB 00:00
(9/9): openssl-devel-0.9.8e-12.el5_5.7.i386.rpm | 1.9 MB 00:00
------------------------------------------------------------------------------------------
Total 4.8 MB/s | 8.2 MB 00:01
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID e8562897
updates/gpgkey | 1.5 kB 00:00
Importing GPG key 0xE8562897 "CentOS-5 Key (CentOS 5 Official Signing Key) " from http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : openssl 1/18
Updating : httpd 2/18
Updating : openssl 3/18
warning: /etc/pki/tls/certs/ca-bundle.crt created as /etc/pki/tls/certs/ca-bundle.crt.rpmnew
warning: /etc/pki/tls/openssl.cnf created as /etc/pki/tls/openssl.cnf.rpmnew
Updating : mod_ssl 4/18
Updating : openssl-devel 5/18
Updating : openssl-perl 6/18
Updating : httpd-devel 7/18
Updating : httpd-devel 8/18
Updating : openssl-devel 9/18
Cleanup : mod_ssl 10/18
Cleanup : openssl-devel 11/18
Cleanup : openssl-devel 12/18
Cleanup : openssl-perl 13/18
Cleanup : httpd-devel 14/18
Cleanup : httpd-devel 15/18
Cleanup : httpd 16/18
Cleanup : openssl 17/18
Cleanup : openssl 18/18

Updated:
httpd.x86_64 0:2.2.3-45.el5.centos.1

Dependency Updated:
httpd-devel.i386 0:2.2.3-45.el5.centos.1 httpd-devel.x86_64 0:2.2.3-45.el5.centos.1
mod_ssl.x86_64 1:2.2.3-45.el5.centos.1 openssl.i686 0:0.9.8e-12.el5_5.7
openssl.x86_64 0:0.9.8e-12.el5_5.7 openssl-devel.i386 0:0.9.8e-12.el5_5.7
openssl-devel.x86_64 0:0.9.8e-12.el5_5.7 openssl-perl.x86_64 0:0.9.8e-12.el5_5.7

Complete!


Right, done!

Now, check the result of the update...


[root@macplan ~]# rpm -qi httpd
Name : httpd Relocations: (not relocatable)
Version : 2.2.3 Vendor: CentOS
Release : 45.el5.centos.1 Build Date: Wed May 4 19:54:52 2011
Install Date: Tue Sep 6 23:28:18 2011 Build Host: builder10.centos.org
Group : System Environment/Daemons Source RPM: httpd-2.2.3-45.el5.centos.1.src.rpm
Size : 3461512 License: Apache Software License
Signature : DSA/SHA1, Wed May 4 21:31:28 2011, Key ID a8a447dce8562897
URL : http://httpd.apache.org/
Summary : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.

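According to Clara Online's explanation, it is OK if the package is httpd-2.2.3-53.el5.centos or later, but... huh?
It is only at
"45.el5.centos.1"
...???

After puzzling over it and looking into all sorts of things,
I ended up at this blog post:
"About the Apache Killer-patched httpd for CentOS."

Apparently this applies only to the CentOS 5 series. As mentioned above, this is a 64-bit server, so it seems I have to add a repository as follows. Nervously... click.

[root@macplan ~]# rpm -ivh http://mirror.centos.org/centos/5.6/cr/x86_64/RPMS/centos-release-cr-5-6.el5.centos.1.x86_64.rpm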
Retrieving http://mirror.centos.org/centos/5.6/cr/x86_64/RPMS/centos-release-cr-5-6.el5.centos.1.x86_64.rpm
Preparing... ########################################### [100%]
1:centos-release-cr ########################################### [100%]

It seems to have worked.

Now, the Apache update...


[root@macplan ~]# yum update httpd
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* addons: www.ftp.ne.jp
* base: www.ftp.ne.jp
* extras: www.ftp.ne.jp
* updates: www.ftp.ne.jp
addons | 951 B 00:00
base | 2.1 kB 00:00
cr | 1.9 kB 00:00
cr/primary_db | 411 kB 00:01
extras | 2.1 kB 00:00
updates | 1.9 kB 00:00
Setting up Update Process
Resolving Dependencies
--> Running transaction check
--> Processing Dependency: httpd = 2.2.3-45.el5.centos.1 for package: httpd-devel
--> Processing Dependency: httpd = 2.2.3-45.el5.centos.1 for package: mod_ssl
--> Processing Dependency: httpd = 2.2.3-45.el5.centos.1 for package: httpd-devel
---> Package httpd.x86_64 0:2.2.3-53.el5.centos.1 set to be updated
--> Running transaction check
---> Package httpd-devel.i386 0:2.2.3-53.el5.centos.1 set to be updated
---> Package httpd-devel.x86_64 0:2.2.3-53.el5.centos.1 set to be updated
---> Package mod_ssl.x86_64 1:2.2.3-53.el5.centos.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================================================================
Package Arch Version Repository Size
==================================================================================================================
Updating:
httpd x86_64 2.2.3-53.el5.centos.1 cr 1.2 M
Updating for dependencies:
httpd-devel i386 2.2.3-53.el5.centos.1 cr 151 k
httpd-devel x86_64 2.2.3-53.el5.centos.1 cr 151 k
mod_ssl x86_64 1:2.2.3-53.el5.centos.1 cr 94 k

Transaction Summary
==================================================================================================================
Install 0 Package(s)
Upgrade 4 Package(s)

Total download size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): mod_ssl-2.2.3-53.el5.centos.1.x86_64.rpm | 94 kB 00:00
(2/4): httpd-devel-2.2.3-53.el5.centos.1.x86_64.rpm | 151 kB 00:00
(3/4): httpd-devel-2.2.3-53.el5.centos.1.i386.rpm | 151 kB 00:00
(4/4): httpd-2.2.3-53.el5.centos.1.x86_64.rpm | 1.2 MB 00:02
------------------------------------------------------------------------------------------------------------------
Total 243 kB/s | 1.6 MB 00:06
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : httpd 1/8
Updating : httpd-devel 2/8
Updating : httpd-devel 3/8
Updating : mod_ssl 4/8
Cleanup : httpd-devel 5/8
Cleanup : httpd-devel 6/8
Cleanup : httpd 7/8
Cleanup : mod_ssl 8/8

Updated:
httpd.x86_64 0:2.2.3-53.el5.centos.1

Dependency Updated:
httpd-devel.i386 0:2.2.3-53.el5.centos.1 httpd-devel.x86_64 0:2.2.3-53.el5.centos.1
mod_ssl.x86_64 1:2.2.3-53.el5.centos.1

Complete!
[root@macplan ~]# rpm -qi httpd
Name : httpd Relocations: (not relocatable)
Version : 2.2.3 Vendor: CentOS
Release : 53.el5.centos.1 Build Date: Thu Sep 1 09:23:54 2011
Install Date: Wed Sep 7 01:14:58 2011 Build Host: builder10.centos.org
Group : System Environment/Daemons Source RPM: httpd-2.2.3-53.el5.centos.1.src.rpm
Size : 3488232 License: Apache Software License
Signature : DSA/SHA1, Thu Sep 1 19:46:21 2011, Key ID a8a447dce8562897
URL : http://httpd.apache.org/
Summary : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.

It worked! I also confirmed that Plesk correctly recognizes this version.

...Phew, that was exhausting...
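The release comparison done by eye with `rpm -qi httpd` above, as an added example that is not part of the original post: it classifies a version-release string against the "httpd-2.2.3-53.el5.centos or later" threshold quoted from Clara Online's notice. The function names are hypothetical, and the threshold only applies to the CentOS 5 package line.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Threshold as quoted in the post: httpd-2.2.3-53.el5.centos or later is OK.
FIXED_VERSION=2.2.3
FIXED_RELEASE=53

# httpd_fix_status VERSION-RELEASE
# Prints "fixed", "unfixed", or "unknown" (not a CentOS 5 2.2.3 package,
# so the threshold from the post says nothing about it).
httpd_fix_status() {
    ver=${1%%-*}                 # e.g. "2.2.3"
    rel=${1#*-}                  # e.g. "45.el5.centos.1"
    case "$rel" in
        *.el5*) ;;               # only the CentOS 5 line is covered
        *) echo unknown; return ;;
    esac
    [ "$ver" = "$FIXED_VERSION" ] || { echo unknown; return; }
    num=${rel%%.*}               # leading release number, e.g. "45"
    case "$num" in
        ''|*[!0-9]*) echo unknown; return ;;
    esac
    if [ "$num" -ge "$FIXED_RELEASE" ]; then
        echo fixed
    else
        echo unfixed
    fi
}

# check_installed_httpd
# Classify every installed httpd package (rpm prints one line per arch).
check_installed_httpd() {
    rpm -q --qf '%{VERSION}-%{RELEASE} %{ARCH}\n' httpd |
    while read -r vr arch; do
        printf 'httpd.%s %s %s\n' "$arch" "$vr" "$(httpd_fix_status "$vr")"
    done
}

# Typical use after "yum update httpd":
#   check_installed_httpd
```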
