Bump to 0.9.8za (CVE-2014-0224 and friends)

[todb-r7]

Some of Meterpreter's build scripts dynamically pull in OpenSSL from the canonical remote site, https://openssl.org. Some do not (notably, Windows).

This ensures that we pull in 0.9.8za, which is patched against the various OpenSSL vulns described at

https://www.openssl.org/news/secadv_20140605.txt

The SHA1sum should be:

adca1eb1a103a5536b24e1ed7e45051e2939731 openssl-0.9.8za.tar.gz

The MD5sum should be:

2f989915f8fea49aa1bc37aa58500cce openssl-0.9.8za.tar.gz

Verification

• See the various automated builds pass

Binary Verification

Once you have some binaries in hand, you should verify:

• Check the results to see that no vulnerable versions of 0.9.8 are compiled or linked. This would include anything below 0.9.8za
• Validated continued working functionality of Meterpreter over SSL-encrypted channels.
• TODO: Test patch effectiveness with an appropriate Metasploit module that exercises the vulnerability (when available)

Landing

When this is landed, the gem should be updated at rapid7/meterpreter_bins. Another PR will be opened for that.

Redmine issue 8808 is tracking this, as well. See: https://dev.metasploit.com/redmine/issues/8808

Since we do not currently use the Meterpreter gem (coming soon though!), the generated binaries need to be copied over to the rapid7/metasploit-framework repo. Another PR will be opened there once binaries are generated for Posix and Windows.

[todb-r7]

Note that I haven't built this yet, I put in the PR to kick off the automated build. Please do not trust this yet.

[metasploit-public-bot]

Test PASSED.
Refer to this link for build results: https://ci.metasploit.com/job/GPR-MeterpreterWin/108/

[todb-r7]

Reinstalling a build environment so I can compile these:

└── lib
    ├── bsd
    ├── linux
    └── win
        ├── libeay32.lib
        ├── ssleay32.lib
        └── x64
            ├── build.txt
            ├── libeay32.lib
            └── ssleay32.lib

It's taking a little more time than I was expecting.

Protip: don't store your build environment VM on an external drive that's not okay with file sizes > 4 gigs. You will no longer be able to snapshot/restore. :/

[metasploit-public-bot]

Test PASSED.
Refer to this link for build results: https://ci.metasploit.com/job/GPR-MeterpreterWin/109/

[todb-r7]

Added a Redmine bug for this.

https://dev.metasploit.com/redmine/issues/8808

When landing this PR, please reference this bug with SeeRM #8808 or FixRM #8808

[todb-r7]

Added a Landing section for this PR's description.

[metasploit-public-bot]

Test PASSED.
Refer to this link for build results: https://ci.metasploit.com/job/GPR-MeterpreterWin/110/

[jlee-r7]

Why does this include OpenSSL headers? Shouldn't those be in the downloaded package?

[todb-r7]

The Posix build downloads them, but the Windows build does not.

[todb-r7]

I've kicked off an internal build to pick up the binaries for testing.

[OJ]

For what it's worth, I've given this a spin and it's fine for me too (sorry for the delay).