CVE-2014-0160 OpenSSL Heartbleed

Please post any bugs you have found
xmf-149
Posts: 23
Joined: Fri 02 Aug 2013, 04:00

hi ppl this is outrageous

#21 Post by xmf-149 »

as of now after updating PPM i still don't see an updated version of openssl and still get the output you just posted. is it important for me to uninstall the current version anyway and how?

does the web browser and other internet apps indirectly use that library?

i hope you all know this bug was planted by a government agent posing as a "volunteer developer" who contributed real code improvement while slipping this in at the same time, so they have definitely been exploiting it

this reminded me of how i dislike passwords anyway and gpg should just be used for every website

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

#22 Post by balloon »

It is said that this problem has a problem on the server side in particular.
Probably there will be few people using Puppy as a server.

However, in the case of Puppy,
I was convinced that the contents of files being included in the released memory information was a big problem.
(When it is Frugal Install. As for this, many people should choose it)

I hurried correspondence in Puppy from this importance.
[b]BALLOON a.k.a. Fu-sen.[/b] from Japan | ふうせん Fu-sen. (old: 2 8 6)

OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

#23 Post by OscarTalks »

Hope it is OK for me to mention in this thread that I have compiled OpenSSL 1.0.1g in Dpup Wheezy if anyone would like to test it.
http://www.murga-linux.com/puppy/viewto ... &start=676
Precise and/or Slackware 14.0 packages will usually not work in Wheezy because (among other things) they have glibc 2.15 and Wheezy has glibc 2.13
Oscar in England

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

Handling of openssl.cnf in Puppy

#24 Post by balloon »

Even a Japanese forum examined correspondence of OpenSSL:

http://sakurapup.browserloadofcoolness. ... php?t=2581

It becomes the argument whether a package updates "openssl.cnf" here,
or it leaves an old file.
openssl.cnf is in /etc/ssl .

The Ubuntu package overwrites in openssl.cnf to change the encryption,
but Puppy Linux does not update openssl.cnf for a long time.
This has indication considered not to update it daringly.

Please teach the person understanding handling of openssl.cnf.
[b]BALLOON a.k.a. Fu-sen.[/b] from Japan | ふうせん Fu-sen. (old: 2 8 6)

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

Updated in Package Manager by Slacko

#25 Post by balloon »

I tried update in Slacko to convince information.

We can update OpenSSL in a procedure same as Precise.
After having started a Puppy Package Manager,
Configure package manager (to the right of Uninstall) - Update Now
Package Manager gets the latest factpack by this operation from Slackware.
2 installation packages: openssl-1.0.1g openssl-solibs-1.0.1g

As a result of having updated it by this method, the openssl version is in this condition:

Code:

# openssl version
OpenSSL 1.0.1g 7 Apr 2014
# openssl version -b
built on: Tue Apr  8 09:00:45 CDT 2014

[b]BALLOON a.k.a. Fu-sen.[/b] from Japan | ふうせん Fu-sen. (old: 2 8 6)

shinobar
Posts: 2672
Joined: Thu 28 May 2009, 09:26
Location: Japan
Contact:

Re: Handling of openssl.cnf in Puppy

#26 Post by shinobar »

To all, especially those concerned with the woof (Puppy builder).

As balloon says, we found the file /etc/ssl/openssl.cnf built in most of Puppy is too old.
The file will be updated when we update the openssl package.
It may be alright, but why do you think the woof keeps this old config file?

The file /etc/ssl/openssl.cnf is fixed as the old one by the woof even when a new version of openssl is installed by the Puppy builder. Maybe Barry implemented this in the woof2, and now the woof-CE follows.
Therefore, the files /etc/ssl/openssl.cnf in most Puppies (Precise Puppy, Slacko, Dpup, etc.) are now all the same.
Downloads for Puppy Linux [url]http://shino.pos.to/linux/downloads.html[/url]

pemasu
Posts: 5474
Joined: Wed 08 Jul 2009, 12:26
Location: Finland

#27 Post by pemasu »

woof-ce-december2/woof-out_x86_x86_debian_wheezy/packages-templates/openssl/etc/ssl/openssl.cnf
The replacement happens due to openssl package-template.

shinobar
Posts: 2672
Joined: Thu 28 May 2009, 09:26
Location: Japan
Contact:

openssl.cnf

#28 Post by shinobar »

pemasu wrote:
woof-ce-december2/woof-out_x86_x86_debian_wheezy/packages-templates/openssl/etc/ssl/openssl.cnf
The replacement happens due to openssl package-template.
Right.
The question is why Barry put this, and how we interpret his intention.
Downloads for Puppy Linux [url]http://shino.pos.to/linux/downloads.html[/url]

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

Re: openssl.cnf

#29 Post by mavrothal »

shinobar wrote: The question is why Barry put this, and how we interpret his intention.
That's a question for BK :wink:
but I would guess that he never bothered to update it after whatever looked good at the time.
As a matter of fact all that is missing is the time stamp policy configuration
== [url=http://www.catb.org/esr/faqs/smart-questions.html]Here is how to solve your[/url] [url=https://www.chiark.greenend.org.uk/~sgtatham/bugs.html]Linux problems fast[/url] ==

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

Re: openssl.cnf

#30 Post by balloon »

mavrothal wrote:
but I would guess that he never bothered to update it after whatever looked good at the time.
As a matter of fact all that is missing is the time stamp policy configuration
As for this, the Ubuntu package updates openssl.cnf this time, but do you think that it is not good?
I want the clear answer. (that is not imagination)

Other distribution is thought to update openssl.cnf.
This is because it is necessary to change a coding logic for security enhancement.
[b]BALLOON a.k.a. Fu-sen.[/b] from Japan | ふうせん Fu-sen. (old: 2 8 6)

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#31 Post by 8-bit »

OscarTalks wrote:Hope it is OK for me to mention in this thread that I have compiled OpenSSL 1.0.1g in Dpup Wheezy if anyone would like to test it.
http://www.murga-linux.com/puppy/viewto ... &start=676
Precise and/or Slackware 14.0 packages will usually not work in Wheezy because (among other things) they have glibc 2.15 and Wheezy has glibc 2.13
I have tried your Pet in Slacko 5.5 as well as Puppy Precise 5.71, and Puppy Blue (Quirky Tahr in disguise) and it updated according to a check as the new version.

shinobar
Posts: 2672
Joined: Thu 28 May 2009, 09:26
Location: Japan
Contact:

the pet for Dpup

#32 Post by shinobar »

8-bit wrote:
OscarTalks wrote:Hope it is OK for me to mention in this thread that I have compiled OpenSSL 1.0.1g in Dpup Wheezy if anyone would like to test it.
http://www.murga-linux.com/puppy/viewto ... &start=676
Precise and/or Slackware 14.0 packages will usually not work in Wheezy because (among other things) they have glibc 2.15 and Wheezy has glibc 2.13
I have tried your Pet in Slacko 5.5 as well as Puppy Precise 5.71, and Puppy Blue (Quirky Tahr in disguise) and it updated according to a check as the new version.
Do not install the pet for Dpup on other Puppies.
Debian installs the libraries in /usr/lib, remaining old libraries in /lib which Ubuntu and Slackware place.
For Dpup is for Dpup, not for other Puppies.
Downloads for Puppy Linux [url]http://shino.pos.to/linux/downloads.html[/url]

fantazam
Posts: 4
Joined: Fri 07 Nov 2008, 14:17

#33 Post by fantazam »

For Puppy Precise 5.7.1 i installed these 2 packages and now i have updated openssl "OpenSSL 1.0.1g 7 Apr 2014"

https://launchpad.net/~george-edison55/ ... 1_i386.deb

https://launchpad.net/~george-edison55/ ... 1_i386.deb

mikeslr
Posts: 3890
Joined: Mon 16 Jun 2008, 21:20
Location: 500 seconds from Sol

openssl heartbleed fix for Precise and Raring

#34 Post by mikeslr »

Thanks fantazam,

For the links to the debs you found for Precise 5.71. They also apparently work to update openssl in Upup raring 3.9.9.2 and upup precise 3.8.3.

mikeslr

shinobar
Posts: 2672
Joined: Thu 28 May 2009, 09:26
Location: Japan
Contact:

Update for Ubuntu compatible Puppies

#35 Post by shinobar »

Ubuntu provides its official deb packages for the fix.
For the Precise Puppy, tahr, you can get them from the Puppy Package Manager.
Follow the post by balloon.
http://murga-linux.com/puppy/viewtopic. ... 6&start=18

EDIT: Ubuntu does not provide the fix packages for raring.
See next post by balloon.
Last edited by shinobar on Mon 14 Apr 2014, 10:15, edited 1 time in total.
Downloads for Puppy Linux [url]http://shino.pos.to/linux/downloads.html[/url]

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

#36 Post by balloon »

Oops, there are instructions,
The update with the Ubuntu package is not intended for Upup raring.
Ubuntu 13.04 Raring Ringtail package updates have already expired. (January, 2014)

The update of OpenSSL by Upup raring needs original build correspondence.
When this cannot support, As for the Internet connection of Rpup raring, danger increases.
[b]BALLOON a.k.a. Fu-sen.[/b] from Japan | ふうせん Fu-sen. (old: 2 8 6)

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

Important notice

#37 Post by balloon »

To the main very important person showing .iso,

These security issues have a big influence.
Puppy Linux thinks that it is hard to receive the attack for a client use,
Damage when we received an attack to Puppy is heavy.
There are many tendencies that Puppy Linux packages it and does not update.
This situation is not good.

It is necessary to examine the release of .iso which updated OpenSSL.
(include the Windows .exe version occurring partly)
[b]BALLOON a.k.a. Fu-sen.[/b] from Japan | ふうせん Fu-sen. (old: 2 8 6)

shinobar
Posts: 2672
Joined: Thu 28 May 2009, 09:26
Location: Japan
Contact:

Fix PET for Precise Puppy

#38 Post by shinobar »

For all Precise Puppy:
http://shino.pos.to/linux/puppy/openssl ... tu5.12.pet

It contains 2 libraries under /lib from libssl1.0.0_1.0.1-4ubuntu5.12_i386.deb,
/etc/ssl/openssl.cnf from openssl_1.0.1-4ubuntu5.12_i386.deb

Type next command on the terminal to see the openssl updated.

Code:

# openssl version -b
built on: Mon Apr  7 20:31:55 UTC 2014

'Apr 7, 2014' is OK.
Downloads for Puppy Linux [url]http://shino.pos.to/linux/downloads.html[/url]
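
The two checks used in posts #25 and #38, combined into one script; this is an added example, not part of any post in this thread. Function names are hypothetical, the "OpenSSL 1.0.1 14 Mar 2012" line and the 2012 build date are constructed sample input, and the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1) is the one published for CVE-2014-0160.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# build_stamp "built on: Mon Apr  7 20:31:55 UTC 2014" -> 20140407
build_stamp() {
    set -- $1    # unquoted on purpose: built on: DOW MON DAY TIME TZ YEAR
    [ $# -ge 8 ] || { echo 0; return; }
    case "$4" in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;;
        May) m=05 ;; Jun) m=06 ;; Jul) m=07 ;; Aug) m=08 ;;
        Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) echo 0; return ;;    # unparseable date counts as "old"
    esac
    printf '%s%s%02d\n' "$8" "$m" "${5#0}"
}

# heartbleed_status "$(openssl version)" "$(openssl version -b)"
heartbleed_status() {
    ver=${1#OpenSSL }    # drop the "OpenSSL " prefix
    ver=${ver%% *}       # keep the version token, e.g. 1.0.1g
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1-*|1.0.1[a-f]-*)
            # Affected release string. A distro backport (the Ubuntu case in
            # post #38) keeps this string, so fall back to the build date.
            # Heuristic only: unpatched source built later would also pass.
            if [ "$(build_stamp "$2")" -ge 20140407 ]; then
                echo rebuilt-after-fix
            else
                echo vulnerable
            fi ;;
        1.0.2-beta|1.0.2-beta1) echo vulnerable ;;
        *) echo not-affected ;;    # 1.0.1g and later, 1.0.0, 0.9.8
    esac
}

# Slacko output quoted in post #25:
heartbleed_status 'OpenSSL 1.0.1g 7 Apr 2014' 'built on: Tue Apr  8 09:00:45 CDT 2014'
# Constructed version line with the Precise build date from post #38:
heartbleed_status 'OpenSSL 1.0.1 14 Mar 2012' 'built on: Mon Apr  7 20:31:55 UTC 2014'
# Constructed pre-fix build:
heartbleed_status 'OpenSSL 1.0.1 14 Mar 2012' 'built on: Wed Apr 25 10:00:00 UTC 2012'
```

A "rebuilt-after-fix" result should still be confirmed against the distribution's package changelog, since the build date alone does not prove the patch was applied.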

augras
Posts: 1487
Joined: Mon 11 Nov 2013, 17:37
Location: france

#39 Post by augras »

Hi shinobar,
Thanks for that .pet.
Can I ask you to make the same thing for raring 3.9.9.2 by pemasu? Ubuntu raring has not received any support since 2014-01-27 and there is any .deb for this update. So, if you can, it will be a very good thing for raring users.
Thanks,
Philippe

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

#40 Post by balloon »

As for the .pet file which Shinobar showed, Ubuntu package was made for the cause.

Ubuntu 13.04 is the situation that a package of OpenSSL is not shown now.
This is that it is difficult to offer .pet package of most suitable OpenSSL for Upup Raring.
I suggest to a person using Upup Raring to stop use. This use continuation is bad.
[b]BALLOON a.k.a. Fu-sen.[/b] from Japan | ふうせん Fu-sen. (old: 2 8 6)
