linux下源码编译制作openssh-9.8p1-rpm包，以修复CVE-2024-6387漏洞_openssh 9.8 rpm

漏洞详情见上图和相关连接 https://nvd.nist.gov/vuln/detail/CVE-2024-6387

本文在CentOS（x86） 和 麒麟sp3（arm）系统上均验证成功

准备工作

下载源码包和依赖，相关连接如下
openssh-9.8p1.tar.gz
x11-ssh-askpass-1.2.4.1.tar.gz

一、安装所需依赖包

#配置RPM构建环境
yum install rpmdevtools    
1
2

二、RPM制作

rpmdev-setuptree   
tar -xzvf  openssh-9.8p1.tar.gz
cp openssh-9.8p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cp openssh-9.8p1.tar.gz /root/rpmbuild/SOURCES/
cp x11-ssh-askpass-1.2.4.1.tar.gz /root/rpmbuild/SOURCES/

[root@localhost ~]# tree rpmbuild/
rpmbuild/
├── BUILD
├── RPMS
├── SOURCES
│   ├── openssh-9.8p1.tar.gz
│   └── x11-ssh-askpass-1.2.4.1.tar.gz
├── SPECS
│   └── openssh.spec
└── SRPMS

# 编译并生成rpm
cd ~/rpmbuild/SPECS
rpmbuild -ba openssh.spec

# 编译完成后的rpm包生成在rpmbuild/RPMS目录中
[root@localhost rpmbuild]# ls RPMS/x86_64/
openssh-9.8p1-1.el7.x86_64.rpm
openssh-askpass-9.8p1-1.el7.x86_64.rpm
openssh-askpass-gnome-9.8p1-1.el7.x86_64.rpm
openssh-clients-9.8p1-1.el7.x86_64.rpm
openssh-debuginfo-9.8p1-1.el7.x86_64.rpm
openssh-server-9.8p1-1.el7.x86_64.rpm


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

三、备份ssh配置

mkdir -p /backup/ssh_backup/pam.d
cp /etc/pam.d/sshd /backup/ssh_backup/pam.d/
cp -r /etc/ssh /backup/ssh_backup/
1
2
3

四、安装openssh，注意离线安装可能缺少依赖，需要手动解决

#在线环境
yum localinstall open*.rpm

#离线环境
rpm -ivh --force --nodeps open*.rpm
1
2
3
4
5

报错1 /usr/include/X11/Shell.h:51:26: 致命错误：X11/SM/SMlib.h：没有那个文件或目录

# 缺少依赖，去yum地址找包或者yum install 解决
yum install libSM-devel
1
2

报错2 /usr/include/X11/Shell.h:51:26: 致命错误：X11/ICE/ICElib.h：没有那个文件或目录

# 缺少依赖，去yum地址找包或者yum install 解决
yum install libICE-devel
1
2

五、还原配置文件

cp /backup/ssh_backup/pam.d/sshd /etc/pam.d/
chmod 400 /etc/ssh/ssh_host_*

1
2
3

六、查看升级状态

ssh -V
OpenSSH_9.8p1, without OpenSSL
1
2