Because the Ubuntu 10.04 base of SafeSync for Enterprise (SSFE) 2.1 has reached its end-of-life, OpenSSL-related Debian packages are no longer officially maintained. To get the OpenSSL vulnerability fixes included in the latest version, you need to repack the packages manually.
To repack the OpenSSL Debian package for Ubuntu 10.04:
- Install SafeSync for Enterprise 2.1 Service Pack 1 (Build 2.1.0.1496).
- Download the following OpenSSL source packages:
- Find the configuration option for ./configure while building OpenSSL manually.
- Run the following command:
tar zxvf openssl-1.0.1u.tar.gz
tar zxvf openssl_1.0.1-4ubuntu5.38.debian.tar.gz -C openssl-1.0.1u
cd openssl-1.0.1u
- Find the option at line 38 in debian/rules:
vim debian/rules
CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 zlib enable-tlsext no-ssl2 $(ARCH_CONFARGS)
- Retrieve the option value after changing the variable.
CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib no-idea no-mdc2 no-rc5 zlib enable-tlsext no-ssl2 enable-ec_nistp_64_gcc_128
- Refer to the ./INSTALL file and add the "shared" option, which creates shared libraries on platforms that support them.
CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib no-idea no-mdc2 no-rc5 zlib enable-tlsext no-ssl2 enable-ec_nistp_64_gcc_128 shared
- Build OpenSSL using the commands below:
./config --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib no-idea no-mdc2 no-rc5 zlib enable-tlsext no-ssl2 enable-ec_nistp_64_gcc_128 shared
make depend
make
make install
- Verify the new settings.
- Check the version using the command "openssl version". The expected result should be:
OpenSSL 1.0.1u 22 Sep 2016
- Check the shared libraries using the command "ldd /usr/bin/openssl". The expected result should be:
linux-vdso.so.1 => (0x00007fff289f9000)
libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f7264c61000)
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f7264885000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f7264677000)
libz.so.1 => /lib/libz.so.1 (0x00007f7264460000)
libc.so.6 => /lib/libc.so.6 (0x00007f72640dd000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7264ec8000)
- Install the dpkg-repack package.
cd /home/safesync
wget http://mirrors.kernel.org/ubuntu/pool/main/d/dpkg-repack/dpkg-repack_1.37_all.deb
dpkg -i dpkg-repack_1.37_all.deb
- Repack the OpenSSL Debian package.
- Update the version of OpenSSL:
sed -i 's/Version: 1.0.1h-1/Version: 1.0.1u/' /var/lib/dpkg/status
- Modify the file list by appending "/usr/lib/ssl" and "/usr/lib/ssl/openssl.cnf".
sed -i '/\/usr\/lib\/libcrypto.so/a \/usr\/lib\/ssl\n\/usr\/lib\/ssl\/openssl.cnf' /var/lib/dpkg/info/openssl.list
The result should be similar to the following:
/usr/lib/libcrypto.so
/usr/lib/ssl
/usr/lib/ssl/openssl.cnf
/etc/ssl/openssl.cnf
- Run dpkg-repack using the command "dpkg-repack openssl". The expected result should be:
dpkg-repack: Skipping obsolete conffile /etc/ssl/openssl.cnf
dpkg-deb: building package `openssl' in `./openssl_1.0.1u_amd64.deb'
- Verify the repacked Debian package.
- Install the repacked Debian package on a newly installed SSFE 2.1 SP1.
dpkg -i openssl_1.0.1u_amd64.deb
(Reading database ... 86633 files and directories currently installed.)
Preparing to replace openssl 1.0.1h-1 (using openssl_1.0.1u_amd64.deb) ...
Unpacking replacement openssl ...
Setting up openssl (1.0.1u) ...
- Check the version of the OpenSSL Debian package.
dpkg -l | grep openssl
It should show "ii openssl 1.0.1u Package created with checkinstall 1.6.1."
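The sed command in the "Update the version of OpenSSL" step rewrites every stanza in /var/lib/dpkg/status that carries the line "Version: 1.0.1h-1", not only the openssl one. The following added example (not part of the original procedure) limits the change to the openssl stanza with awk; the function names are hypothetical, and the sample status file, including its libssl1.0.0 entry with the same version string, is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Print STATUS_FILE with "Version: OLD" changed to "Version: NEW" only inside
# the stanza whose "Package:" field equals PACKAGE.
set_pkg_version() {  # usage: set_pkg_version STATUS_FILE PACKAGE OLD NEW
    awk -v pkg="$2" -v old="$3" -v new="$4" '
        /^Package: / { in_pkg = ($2 == pkg) }  # a new stanza begins
        /^$/         { in_pkg = 0 }            # a blank line ends the stanza
        in_pkg && $0 == ("Version: " old) { print "Version: " new; next }
        { print }
    ' "$1"
}

# Constructed sample of a dpkg status file: two packages that share the same
# version string (an assumption made for this demonstration).
write_sample_status() {  # usage: write_sample_status FILE
    cat > "$1" <<'EOF'
Package: libssl1.0.0
Status: install ok installed
Version: 1.0.1h-1

Package: openssl
Status: install ok installed
Version: 1.0.1h-1
EOF
}

# Number of Version lines rewritten by the article's unscoped sed expression.
count_unscoped() {  # usage: count_unscoped FILE
    sed 's/Version: 1.0.1h-1/Version: 1.0.1u/' "$1" | grep -c '^Version: 1.0.1u$'
}

# Number of Version lines rewritten by the scoped awk filter.
count_scoped() {  # usage: count_scoped FILE
    set_pkg_version "$1" openssl 1.0.1h-1 1.0.1u | grep -c '^Version: 1.0.1u$'
}

# Name of the package whose Version line the scoped filter changed.
changed_package() {  # usage: changed_package FILE
    set_pkg_version "$1" openssl 1.0.1h-1 1.0.1u |
        awk '/^Package: /{p=$2} /^Version: 1.0.1u$/{print p}'
}

sample=$(mktemp)
write_sample_status "$sample"
echo "unscoped sed rewrote $(count_unscoped "$sample") stanza(s)"
echo "scoped awk rewrote $(count_scoped "$sample") stanza(s): $(changed_package "$sample")"
rm -f "$sample"
```

On a real system, back up /var/lib/dpkg/status first and write the filtered output to a temporary file before replacing the original.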