CVE-2014-0160 OpenSSL Heartbleed
A bug in OpenSSL has been discovered and is causing a lot of noise now.
http://heartbleed.com/
http://techcrunch.com/2014/04/07/massiv ... -internet/
http://www.openssl.org/news/secadv_20140407.txt
As for the contents, "main memory is released".
I consider that this has a great effect on Puppy using Frugal.
By its structure, Frugal saves files in main memory.
In other words, this problem might let the contents of those files be released to the outside.
It is necessary to package the latest version of OpenSSL.
Last edited by balloon on Thu 10 Apr 2014, 13:28, edited 4 times in total.
BALLOON a.k.a. Fu-sen. from Japan | ふうせん Fu-sen. (old: 2 8 6)
Details: CVE-2014-0160 OpenSSL Heartbleed
Target OpenSSL versions are 1.0.1 - 1.0.1f. Versions before 1.0.0 are not applicable.
Target Puppy version (latest only):
- Precise 5.7.1 (OpenSSL 1.0.1)
- Slacko 5.7 (OpenSSL 1.0.1f)
(The .pet package which I showed here was updated.
Please be careful about these later sentences)
Last edited by balloon on Thu 10 Apr 2014, 01:54, edited 1 time in total.
BALLOON a.k.a. Fu-sen. from Japan | ふうせん Fu-sen. (old: 2 8 6)
In Slacko 5.7
The "Updates Manager" will have the openSSL 1.0.1g files for download and install.
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected
YaPI(any iso installer)
About the .pet package shown here:
A problem may occur in applications that handle SSL, depending on where the library is placed.
Please be particularly careful about the behaviour of devx-related applications.
If you discover a problem, please report it here.
There is no plan to update the package at the time of posting this.
BALLOON a.k.a. Fu-sen. from Japan | ふうせん Fu-sen. (old: 2 8 6)
I compiled on my own openssl-1.0.1g in precise 5.7.1 with:
Code: Select all
./config --prefix=/usr -DOPENSSL_NO_HEARTBEATS
make
new2dir make install
I have noticed an odd behaviour. The command "new2dir make install" not only makes the split packages (main, DEV, DOC) but installs the new openssl-1.0.1g without showing in PPM. Without installing the newly compiled package the output of "openssl version" gives the updated one after the compilation.
watchdog wrote:
> Code: Select all
> ./config --prefix=/usr -DOPENSSL_NO_HEARTBEATS
> make
> new2dir make install
Why? That's where the bug was and what is now fixed. You could have done that with the buggy source and the bug would be gone.
watchdog wrote:
> I have noticed an odd behaviour. The command "new2dir make install" not only makes the split packages (main, DEV, DOC) but installs the new openssl-1.0.1g without showing in PPM. Without installing the newly compiled package the output of "openssl version" gives the updated one after the compilation.
That's how new2dir works. It's a wrapper for make install using installwatch. That's how Barry designed it. If you don't want to install use make DESTDIR=/some/path install.
bigpup wrote:
> The "Updates Manager" will have the openSSL 1.0.1g files for download and install.
True. However you may get a "failed" message. This is because the mirrors haven't caught up yet. This will be resolved in the next 24hrs I expect, however, since the heartbleed bug is mostly server side it may take longer. Anyone notice a large slow down in traffic speeds? I will add more mirrors at some point to default slacko for more choice. I added aarnet to my install and it worked fine as the mirror has caught up.
Puppy Linux Blog - contact me for access
01micko wrote:
> watchdog wrote:
> > Code: Select all
> > ./config --prefix=/usr -DOPENSSL_NO_HEARTBEATS
> > make
> > new2dir make install
> Why? That's where the bug was and what is now fixed. You could have done that with the buggy source and the bug would be gone.
Sorry. I have misunderstood the OpenSSL security advisory:
http://www.openssl.org/news/secadv_20140407.txt
01micko wrote:
> watchdog wrote:
> > I have noticed an odd behaviour. The command "new2dir make install" not only makes the split packages (main, DEV, DOC) but installs the new openssl-1.0.1g without showing in PPM. Without installing the newly compiled package the output of "openssl version" gives the updated one after the compilation.
> That's how new2dir works. It's a wrapper for make install using installwatch. That's how Barry designed it. If you don't want to install use make DESTDIR=/some/path install.
Thanks for the explanation. I have learned something new to me.
watchdog wrote:
> Sorry. I have misunderstood the OpenSSL security advisory:
> http://www.openssl.org/news/secadv_20140407.txt
No need for apologies. Glad you learned something. I didn't mean to come across harsh.. it's what happens when you bang your head on a thousand word essay.
Puppy Linux Blog - contact me for access
In the case of Precise, there is the option of installing the Ubuntu .deb package.
However, when I tried installing the .deb package, Puppy was not able to get the latest OpenSSL.
In Ubuntu, this fix is provided as a patch.
This is why I had to make a .pet package.
BALLOON a.k.a. Fu-sen. from Japan | ふうせん Fu-sen. (old: 2 8 6)
01micko wrote:
> it's what happens when you bang your head on a thousand word essay.
Because they are too few or too many?...
== Here is how to solve your Linux problems fast (http://www.catb.org/esr/faqs/smart-questions.html, https://www.chiark.greenend.org.uk/~sgtatham/bugs.html) ==
Just installed (successfully) the Slackware 14 *.txz for this, found at http://pkgs.org/slackware-14.0/slackwar ... 0.txz.html -- X-Slacko 1.1 has OpenSSL 1.0.1e by default, and I'm pretty sure that's an affected version.
updated .pet package of OpenSSL
Because it was discovered that the library was not applied in the OpenSSL .pet file,
I have withdrawn it for now.
Because how it is applied changes with the version of OpenSSL,
I cannot produce an appropriate package.
Support is requested from anyone who knows a lot about the OpenSSL factpack.
As has already been posted,
there seems to be a way to apply the following package:
http://pkgs.org/download/openssl
BALLOON a.k.a. Fu-sen. from Japan | ふうせん Fu-sen. (old: 2 8 6)
When you install the .deb package in Precise and apply the latest version of OpenSSL normally, it is in this state:
Code: Select all
sh-4.1# openssl version
OpenSSL 1.0.1 14 Mar 2012
sh-4.1# openssl version -b
built on: Mon Apr 7 20:31:55 UTC 2014
Please note that Ubuntu deals with this by applying a patch, not by updating the version.
A Japanese Edition member confirmed that the update from the Puppy Package Manager was possible.
Take this opportunity to update a factpack so that you have the latest.
After starting Puppy Package Manager:
Configure package manager - Update now (see the attached file)
The packages to apply are openssl_1.0.1 and libssl1.0.0_1.0.1.
Attachment: capture8957.jpg (140.6 KiB)
Last edited by balloon on Thu 10 Apr 2014, 04:31, edited 6 times in total.
BALLOON a.k.a. Fu-sen. from Japan | ふうせん Fu-sen. (old: 2 8 6)
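The post above shows `openssl version` still printing 1.0.1 after Ubuntu's patched package is installed, so the version string alone does not settle whether a system is fixed. The shell sketch below is an added example, not code from the thread or from OpenSSL: it classifies `openssl version -a` output using the affected range stated earlier in the thread, the `-DOPENSSL_NO_HEARTBEATS` build flag, and the build date. The function name, the verdict labels, and the use of the advisory date (7 April 2014) as the cut-off are assumptions of the example.

```shell
#!/bin/sh
# Added example: classify `openssl version -a` output for CVE-2014-0160.
# The function name and verdict labels are this example's own, not OpenSSL's.

# Version and build-date lines quoted in the post above.
PAGE_SAMPLE='OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:31:55 UTC 2014'

classify_heartbleed() {
    out=$1
    # First line looks like "OpenSSL 1.0.1f 6 Jan 2014".
    ver=$(printf '%s\n' "$out" | awk '$1 == "OpenSSL" { print $2; exit }')
    [ -n "$ver" ] || { echo unknown; return 0; }

    # Affected range given in the thread: 1.0.1 through 1.0.1f.
    case $ver in
        1.0.1|1.0.1[a-f]) ;;
        *) echo not-in-range; return 0 ;;
    esac

    # Built with the flag used in the thread: heartbeat code is compiled out.
    case $out in
        *-DOPENSSL_NO_HEARTBEATS*) echo heartbeats-off; return 0 ;;
    esac

    # Turn "built on: Mon Apr 7 20:31:55 UTC 2014" into 20140407.
    stamp=$(printf '%s\n' "$out" | awk '/^built on:/ {
        m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $4)
        if (m) printf "%04d%02d%02d\n", $NF, (m + 2) / 3, $5
        exit }')

    # A build on or after the advisory date (2014-04-07) with an unchanged
    # version string suggests a distro backport; confirm in the changelog.
    if [ -n "$stamp" ] && [ "$stamp" -ge 20140407 ]; then
        echo maybe-backported
    else
        echo likely-vulnerable
    fi
}

echo "page sample: $(classify_heartbleed "$PAGE_SAMPLE")"
if command -v openssl >/dev/null 2>&1; then
    echo "this system: $(classify_heartbleed "$(openssl version -a 2>/dev/null)")"
fi
```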
balloon,
Thanks for posting about this and offering a fix!
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected
YaPI(any iso installer)