All times are UTC - 4
Openssl update to 1.0.1k
8Geee


Joined: 12 May 2008
Posts: 1696
Location: N.E. USA

PostPosted: Sat 17 Jan 2015, 21:00    Post subject:  Openssl update to 1.0.1k
Subject description: also 1.0.0p and 0.9.8zd
 

A new security update to openssl. If one has the prior version (1.0.1j, 1.0.0o, or 0.9.88zc) there is at least one reason to upgrade. The "no-ssl3" fix can be worked around, causing a denial of service (DoS). This latest version repairs that flaw. There is a write-up in vulnerabilities.

The tar.bz can be found here along with an "L" version addressing a bug in windows/mac not security-related.

**Edit** The above link to the download is for developers/programmers of Puppies other than Slacko. Puppies based on Slackware can view any needed D/L's in MENU--> SETUP--> Updates Manager. Apologies for the lack of clarity.

_________________
Linux user #498913

Some people need to reimagine their thinking.
You can blow out a wooden match,
but you cannot blow out a forest fire!
Scooby

Joined: 03 Mar 2012
Posts: 601

PostPosted: Mon 19 Jan 2015, 17:31    Post subject:  

Lucky for me then that I got the k-version :D
watchdog

Joined: 28 Sep 2012
Posts: 1671
Location: Italy

PostPosted: Tue 20 Jan 2015, 14:01    Post subject:  

I share my newly compiled packages.

openssl-0.9.8ze-p4-i486.pet:

https://copy.com/IFkdp4Q6p3yBmtSw

openssl_DEV-0.9.8ze-p4-i486.pet:

https://copy.com/Tr3DzjaU9Hv2gppG

openssl-1.0.0q-w5-i486.pet:

https://copy.com/AQLQAw0tDFPviRD6

openssl_DEV-1.0.0q-w5-i486.pet:

https://copy.com/64j4gNAfKr4qgDR4
mikeslr


Joined: 16 Jun 2008
Posts: 2680
Location: 500 seconds from Sol

PostPosted: Fri 23 Jan 2015, 17:39    Post subject: Thanks for the pets, but  

Hi watchdog,

I greatly appreciate your efforts to maintain Puppy Linux as a safe computing environment, and especially that you share your hard work with others.

Thank you for your recent pets.

I explore many Puppy variations. At any time I usually have five or more Pups which I try to keep up to date. The "oldest" Ubuntu based is the original Lupu 5.28. The most recent, Unicorn. My "Slacko" based are Slacko 5.6, Banksy based on 5.6, and rufwoof's variant based, I believe, on Slacko 5.3.3. I also have Carolina-Vanguard Release 2.

As you know, applications built for one Pup variant may not be compatible in Pups built from other sources. So it would be helpful if your pets' description indicated which Pup variant they were built for, and perhaps in which other Pup variants they might properly function.

If I were to guess, it would be that openssl-0.9.8ze-p4-i486.pet should function in debian and ubuntu based Pups; while openssl-1.0.0q-w5-i486.pet should function in wary/racy/saluki and the Carolinas.

But that's just a guess.

Thanks in advance.

mikesLr
Semme


Joined: 07 Aug 2011
Posts: 7835
Location: World_Hub

PostPosted: Fri 23 Jan 2015, 18:18    Post subject:  

Slackware security advisories >> Ubuntu security notices << Pup requires manual update to stay current..

I don't profess to know much, but it surprises me that active members don't know where to look for these.

Furthermore, pay attention to what's on the table for each variant..
musher0

Joined: 04 Jan 2009
Posts: 12788
Location: Gatineau (Qc), Canada

PostPosted: Fri 23 Jan 2015, 23:04    Post subject:  

Semme wrote:
Slackware security advisories >> Ubuntu security notices << Pup requires manual update to stay current..

I don't profess to know much, but it surprises me that active members don't know where to look for these.

Furthermore, pay attention to what's on the table for each variant..


Thanks, Semme.

I'm on slacko-6.0b right now, and the slackware package you mentioned above
installed itself "just by clicking on it".

BFN.

musher0

_________________
musher0
~~~~~~~~~~
Fidèle elle commença, ainsi elle restera. (Prov. canadien) /
Faithful she began, so will she stay. (Canadian prov.)

Last edited by musher0 on Mon 26 Jan 2015, 02:26; edited 1 time in total
watchdog

Joined: 28 Sep 2012
Posts: 1671
Location: Italy

PostPosted: Fri 23 Jan 2015, 23:13    Post subject:  

@mikeslr

I compiled openssl for the only two old puppies I maintain which have no patches in official repositories. They are puppy 4.31 (the packages should work in all puppies of the 4.xx series) and wary-racy (the packages should work in every release of wary-racy). For the other puppies you can easily find updated openssl in the official repositories of other distros. Slacko 5.3x is slackware 13.37 based, so you should look at:

http://mirrors.slackware.com/slackware/slackware-13.37/patches/packages/

(install patched openssl and openssl-solibs).

Lucid is ubuntu lucid based and you should look at:

http://packages.ubuntu.com/lucid-updates/allpackages

(install patched openssl and libssl).

And so on. For recent puppies whose official repositories are still maintained you can just update packages in PPM and reinstall openssl by PPM. Some recent puppies have quickpet-updates managers: in tahr you just run quickpet. I don't know now if slacko 5.6 or 5.7, slackware 14.0 based, have openssl patches in update manager. I'm now back to wary: my first love. I hope it's more clear.
darry1966


Joined: 26 Feb 2012
Posts: 898

PostPosted: Fri 23 Jan 2015, 23:35    Post subject:  

Posted at 412/421 Forever site.

http://sourceforge.net/projects/old412forever/files/Emergency%20Updates/openssl-0.9.8ze-p4-i486.pet/download
darry1966


Joined: 26 Feb 2012
Posts: 898

PostPosted: Sat 24 Jan 2015, 01:32    Post subject:  

Please excuse my manners. Thank you Watchdog for the update and your tireless vigilance supporting old Puppies.
mikeb


Joined: 23 Nov 2006
Posts: 11170

PostPosted: Sat 24 Jan 2015, 06:56    Post subject:  

Quote:
The "no-ssl3" fix can be worked-around, causing a denial of service (DoS).

so since I am not running a server do I need to bother with these 'fixes' ?

mike
watchdog

Joined: 28 Sep 2012
Posts: 1671
Location: Italy

PostPosted: Sun 25 Jan 2015, 08:55    Post subject:  

I am not an expert so I am asking you. Why do all linux distros provide openssl automatic updates to our pcs for this patch? Is there a possibility that our puppy pcs take to acting as servers as a consequence of malicious software? I also sometimes boot an old puppy to surf the internet without security fears, maintaining an updated puppy only to enjoy playing with software and online banking. How much do you have to take care of security bugs in puppy software and in what circumstances? Although I think having an updated openssl package is one more choice of ours.
mikeb


Joined: 23 Nov 2006
Posts: 11170

PostPosted: Sun 25 Jan 2015, 09:01    Post subject:  

Ok well from what I read this security flaw applies to server usage...it does not turn your system into a server. In other words for desktop usage/internet browsing it appears the update/fix is not required.

Just wanted clarification before altering these core libraries.... I previously read the original problem did not apply to 0.9.8 but it appears this is no longer the case.

The bash update seems to be of similar nature...ie relevant to servers only.

mike
Semme


Joined: 07 Aug 2011
Posts: 7835
Location: World_Hub

PostPosted: Mon 26 Jan 2015, 09:35    Post subject:  

Not that I understand "all things Internet," correct. Unless you're running a server, fix *not* required. Sensing an unsatisfactory response to Mike's initial post, I'm all for challenging folks to think, question and understand for themselves whether they should overreact to these types of advisories.

:D Why bother? Because I possess a sense of responsibility.
mikeb


Joined: 23 Nov 2006
Posts: 11170

PostPosted: Tue 27 Jan 2015, 07:24    Post subject:  

I take precautions when necessary.... just trying to ascertain if this is necessary. All info points to a server vulnerability and takeover.

In the library where it appears to have no firewall... all ports are closed though....perhaps because I am not running a server.

mike
robert_m

Joined: 02 Feb 2016
Posts: 15
Location: Monterey Bay, California

PostPosted: Sat 06 Feb 2016, 20:25    Post subject:  

I am new to Puppy, and have Puppy 5.7.1 which I intend to use as portable desktop and to carry an encrypted file of financial information and passwords.

I have not figured out if openssl is part of that solution, but I checked my version
Code:
# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 15 15:27:09 UTC 2013
platform: debian-i386
options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"


Do I need to upgrade? If so, can I do it with the package manager?

My thanks in advance,

_________________
- Rob M.
Puppy in My Pocket
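
The version comparison this thread turns on, as an added example that is not part of any post: it classifies an `openssl version` line against the fixed releases named in the first post (1.0.1k, 1.0.0p, 0.9.8zd). The function names and all sample lines except the one posted above are constructed; a distro build that backports fixes keeps its old version string, so `before-fix` describes the upstream string only.

```shell
#!/bin/sh
# Added example (not from the thread): classify an `openssl version` line
# against the fixed releases named in the first post.

# Fixed letter release per branch: 1.0.1k, 1.0.0p, 0.9.8zd.
fixed_for_branch() {
    case "$1" in
        1.0.1) echo k ;;
        1.0.0) echo p ;;
        0.9.8) echo zd ;;
        *)     return 1 ;;
    esac
}

# Letter suffixes order as: none < a < ... < z < za < zb < ...
# Summing letter positions gives that order: "" = 0, k = 11, zd = 30.
letter_rank() {
    s=$1; rank=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}                  # first character
        s=${s#?}                         # remainder
        n=$(printf '%d' "'$c")           # character code, a = 97
        rank=$((rank + n - 96))
    done
    echo "$rank"
}

# Prints at-or-after-fix, before-fix or unknown-branch.
# "before-fix" refers to the upstream version string only.
check_openssl_version() {
    set -- $1                            # split the line on whitespace
    if [ "$1" != OpenSSL ] || [ -z "$2" ]; then echo unknown-branch; return; fi
    branch=${2%%[a-z]*}                  # 1.0.1k -> 1.0.1
    letters=${2#"$branch"}               # 1.0.1k -> k
    letters=${letters%%[!a-z]*}          # drop tails such as -fips
    fixed=$(fixed_for_branch "$branch") || { echo unknown-branch; return; }
    if [ "$(letter_rank "$letters")" -ge "$(letter_rank "$fixed")" ]; then
        echo at-or-after-fix
    else
        echo before-fix
    fi
}

# First line is the one posted above; the others are constructed samples.
for line in "OpenSSL 1.0.1 14 Mar 2012" "OpenSSL 1.0.1k" \
            "OpenSSL 0.9.8zc" "OpenSSL 0.9.8ze" "OpenSSL 1.0.0q"; do
    printf '%-28s %s\n' "$line" "$(check_openssl_version "$line")"
done
```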