Puppy Linux Discussion Forum
The time now is Fri 24 Nov 2017, 11:28
All times are UTC - 4
"Low", "Medium" & “High” severity openssl notices/patches
belham2

Joined: 15 Aug 2016
Posts: 1305

Posted: Wed 21 Sep 2016, 06:57    Post subject: "Low", "Medium" & “High” severity openssl notices/patches

...jeez, they are already cracking 1.1.0 openssl branch?? That was just released in August! Remember, 1.0.1 branch support stops the end of this December. More than quite a few pups in Ally's repositories are affected....wonder how many users actually know about this or will ever know until it is....???

I sometimes think, Flash, the Murga-site needs some kind of popup or colored red-heading warning for the casual user (of the many puppies) who only sporadically drops by. These people may never know (until it is too late) that they may already have been pwned using a not critically updated puppy OS. These people either don't have the ability and/or time to stay on top of every security issue a puppy can present. Even when they try to go to their OS thread, where many of the builders/maintainers put critical updates (like openssl) in the thread, the updates are not made clear that they are even there. Color, bold, loud in your face notices would help mitigate that.

Some day, I am afraid, this is all going to come back and bite puppy land overall. It only takes one nasty instance, from a widely used distro, for all those years of puppy & pup-related goodwill to disappear. But, alas, guess this is just my opinion and maybe I am too paranoid.

Still, openssl is serious, despite what some here on murga think they know about how attacks to it operate.......those attacks, continually evolving, are the number one vector hackers use to go after any online financial info moving around..... :(

http://www.securityweek.com/openssl-patch-high-severity-vulnerability-0

Last edited by belham2 on Thu 02 Nov 2017, 13:16; edited 1 time in total
bark_bark_bark

Joined: 05 Jun 2012
Posts: 1931
Location: Wisconsin USA

Posted: Wed 21 Sep 2016, 08:02

I think it's time though that we made the switch from openssl to LibreSSL.
_________________
....
rufwoof

Joined: 24 Feb 2014
Posts: 2163

Posted: Thu 22 Sep 2016, 11:51

As they said, the OpenSSL team have released an update/fix today https://www.openssl.org/source/ ... but as of yet that's not rolled through the Debian mirrors. I did get some other updates today when I ran DebianDog apt-get update; apt-get upgrade, but still showing 1.0.1t in synaptic and not the 1.0.1u newer version.
watchdog

Joined: 28 Sep 2012
Posts: 1492
Location: Italy

Posted: Thu 22 Sep 2016, 15:52

I tested the previous release, openssl-1.0.2h, for a long time in puppy 4.31 and wary-racy, so I hope for the best in sharing the newly compiled openssl-1.0.2i for puppy4 and wary.

openssl-1.0.2i-p4-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkRW1WVjJMN1h0Q0U/view?usp=sharing

openssl-1.0.2i_DEV-p4-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkUXFwWi1TeUQ3N1k/view?usp=sharing

openssl-1.0.2i_DOC-p4-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkaHVyaFUtRExma2s/view?usp=sharing

openssl-1.0.2i-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkb3NmZWNGYXlzbjQ/view?usp=sharing

openssl-1.0.2i_DEV-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkOHFqdDZfMGZPTFU/view?usp=sharing

openssl-1.0.2i_DOC-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkNUZXTjdtSEl4TGs/view?usp=sharing
6502coder


Joined: 23 Mar 2009
Posts: 405
Location: Western United States

Posted: Wed 28 Sep 2016, 18:44

Thanks watchdog. 1.0.2i has apparently already been superseded by 1.0.2j, in light of CVE-2016-7052. Does this affect your Puppy4 and Wary PETs?
watchdog

Joined: 28 Sep 2012
Posts: 1492
Location: Italy

Posted: Wed 28 Sep 2016, 23:43

6502coder wrote:
Thanks watchdog. 1.0.2i has apparently already been superseded by 1.0.2j, in light of CVE-2016-7052. Does this affect your Puppy4 and Wary PETs?


Quote:
CVE-2016-7052 (OpenSSL advisory) [Moderate severity] 26th September 2016:
This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016. A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0 but was omitted from OpenSSL 1.0.2i. As a result any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. Reported by Bruce Stephens and Thomas Jakobi.

Fixed in OpenSSL 1.0.2j (Affected 1.0.2i)


You can test your browser with your current openssl at:

https://www.ssllabs.com/ssltest/viewMyClient.html

I'm now in racy using palemoon and openssl-1.0.2i and my result is:

Quote:
Your user agent has good protocol support.


I'll compile openssl-1.0.2j in puppy 4.31 and wary in my spare time and share the packages.
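A version check matching the releases discussed in this thread, as an added example that is not part of any post: it parses an `openssl version` banner, compares letter patch levels (1.0.2i vs 1.0.2j, 1.0.1t vs 1.0.1u), and flags the one release affected by CVE-2016-7052. The function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# the version numbers are the ones quoted in the posts above.

# ver_key VERSION: print a sortable key, e.g. 1.0.2j -> 001.000.002.j
# Works for versions without a letter (1.1.0) and with two (0.9.8zh).
ver_key() {
    nums=${1%%[a-z]*}        # numeric part, e.g. 1.0.2
    suffix=${1#"$nums"}      # letter patch level, may be empty
    old_ifs=$IFS; IFS=.
    set -- $nums             # split on dots into $1 $2 $3
    IFS=$old_ifs
    printf '%03d.%03d.%03d.%s\n' "$1" "$2" "$3" "$suffix"
}

# ver_lt A B: succeed when OpenSSL version A is older than B.
ver_lt() {
    a=$(ver_key "$1"); b=$(ver_key "$2")
    [ "$a" != "$b" ] &&
        [ "$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)" = "$a" ]
}

# audit_openssl BANNER: BANNER is one line of `openssl version` output.
audit_openssl() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case $ver in
        1.0.1*) min=1.0.1u ;;   # fixed 1.0.1 release named in the thread
        1.0.2*) min=1.0.2j ;;   # 1.0.2i is hit by CVE-2016-7052
        *) echo "UNKNOWN $ver: no fixed release is named in the thread"
           return 2 ;;
    esac
    if [ "$ver" = 1.0.2i ]; then
        echo "VULNERABLE $ver: CVE-2016-7052, CRL use crashes; install $min"
        return 1
    elif ver_lt "$ver" "$min"; then
        echo "OUTDATED $ver: older than $min"
        return 1
    fi
    echo "OK $ver: at or above $min"
}

# Constructed sample banners; on a live system pass "$(openssl version)".
for banner in "OpenSSL 1.0.2i  22 Sep 2016" "OpenSSL 1.0.2j  26 Sep 2016" \
              "OpenSSL 1.0.1t  3 May 2016"; do
    audit_openssl "$banner" || true
done
```

The comparison is meaningful for self-compiled builds such as the .pet packages in this thread. Distro-maintained packages (Debian, Ubuntu) often carry backported fixes without changing the upstream letter, so check the package changelog there instead of the banner.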
watchdog

Joined: 28 Sep 2012
Posts: 1492
Location: Italy

Posted: Thu 29 Sep 2016, 01:18

openssl-1.0.2j-p4-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkOWtMRzZlMzVKdW8/view?usp=sharing

openssl-1.0.2j_DEV-p4-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkSDF2V2FENC1KVDQ/view?usp=sharing

openssl-1.0.2j_DOC-p4-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkbXk5QUozNktkbEE/view?usp=sharing

openssl-1.0.2j-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkNDI0bzMtS0F2Nk0/view?usp=sharing

openssl-1.0.2j_DEV-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkQkVHYU5zRUV4S2s/view?usp=sharing

openssl-1.0.2j_DOC-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkSmlaVjZFUGtweEk/view?usp=sharing
6502coder


Joined: 23 Mar 2009
Posts: 405
Location: Western United States

Posted: Fri 30 Sep 2016, 00:48

Thanks again, watchdog. My apologies, I should have noticed that the "j" fix was only a moderate severity issue. You da man!
Robert123

Joined: 20 May 2016
Posts: 371
Location: Pacific

Posted: Fri 30 Sep 2016, 01:11    Post subject: Watchdog thanks

Hi Watchdog,

Many thanks for the openssl update. Want to take this opportunity to thank you for the work you do for Wary and Puppy 4 and sacrificing a lot of your time to do so.

Robert

_________________
Devuan Linux, Stardust 013 (4.31) updated https://archive.org/details/Stardustpup013glibc2.10
s57(2018)barebone https://sourceforge.net/projects/puppy-linux-minimal-builds/files/s57%282018%29barebones.iso/download
watchdog

Joined: 28 Sep 2012
Posts: 1492
Location: Italy

Posted: Fri 30 Sep 2016, 03:18

The openssl-1.0.2j-w5 update works for me also in lucid. You can test it in other unsupported puppies. For still supported puppies you can wait and grab the needed updates from debian-slackware-ubuntu repositories.
watchdog

Joined: 28 Sep 2012
Posts: 1492
Location: Italy

Posted: Fri 30 Sep 2016, 04:11    Post subject: Re: Watchdog thanks

Robert123 wrote:
Hi Watchdog,

Many thanks for the openssl update. Want to take this opportunity to thank you for the work you do for Wary and Puppy 4 and sacrificing a lot of your time to do so.

Robert


Many thanks. Puppy is my hobby and so I play with it. But we all might thank the developers of puppy (BK, 01micko, 666philb, jamesbond and the others we know) who put their skills in this enterprise.
belham2

Joined: 15 Aug 2016
Posts: 1305

Posted: Sat 01 Oct 2016, 07:52

watchdog wrote:
openssl-1.0.2j-p4-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkOWtMRzZlMzVKdW8/view?usp=sharing

openssl-1.0.2j_DEV-p4-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkSDF2V2FENC1KVDQ/view?usp=sharing

openssl-1.0.2j_DOC-p4-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkbXk5QUozNktkbEE/view?usp=sharing

openssl-1.0.2j-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkNDI0bzMtS0F2Nk0/view?usp=sharing

openssl-1.0.2j_DEV-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkQkVHYU5zRUV4S2s/view?usp=sharing

openssl-1.0.2j_DOC-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4UZBeFkSmlaVjZFUGtweEk/view?usp=sharing



Watchdog, been meaning to post and reiterate what Robert123 said. 'Thank you' for compiling these.

I've a question about these: is there any reason the wary (w5) versions you compiled would not work in other 32-bit pups? Say like Micko's & Peebee's pups over the past year (specifically on the ones where they use Ubuntu Xenial as the base)? Or do your compiles only work for the Slacko-based pups??

I know you said we can try them in "other pup distros", but would I wreck a pup just by installing a compiled ssl.pet? (sorry if this sounds and/or is a stupid question).

Thanks for any reply!!
watchdog

Joined: 28 Sep 2012
Posts: 1492
Location: Italy

Posted: Sat 01 Oct 2016, 09:12

belham2 wrote:

I've a question about these: is there any reason the wary (w5) versions you compiled would not work in other 32-bit pups? Say like Micko's & Peebee's pups over the past year (specifically on the ones where they use Ubuntu Xenial as the base)? Or do your compiles only work for the Slacko-based pups??


I know that wary's libraries are built in T2 (linux from scratch). My experience suggests that what is compiled in wary is largely compatible with more recent puppies. I tested my openssl-1.0.2j-w5 also in lucid and it works. Now I'm using old puppies and I have not tested my openssl in more recent puppies because there is no need. I think that when you have an officially maintained repository where you can grab what you need then it is more secure to use the patched openssl they propose (like ubuntu's packages). My compiled openssl-1.0.2j is intended for those puppies where there are no alternative packages to install to get a bugfixed openssl.

Quote:
I know you said we can try them in "other pup distros", but would I wreck a pup just by installing a compiled ssl.pet? (sorry if this sounds and/or is a stupid question).


I test new packages with the usual care in my puppies: make a backup of the savefile and keep the new installed test packages only if they work after careful testing. Someone says that core libraries should not be upgraded: I'm desperate because I don't want to abandon my old puppies for the security bugs. There is a lot of old hardware out there which needs old puppies.
slavvo67

Joined: 12 Oct 2012
Posts: 1427
Location: The other Mr. 305

Posted: Sun 02 Oct 2016, 18:19

Thanks for the notification on this. I just compiled a pet for RUXerus64, which will also work in Barry's Xerus64 under the RUXerus64 link:

http://www.murga-linux.com/puppy/viewtopic.php?p=926633#926633
sindi

Joined: 16 Aug 2009
Posts: 733
Location: Ann Arbor MI USA

Posted: Tue 03 Jan 2017, 15:28    Post subject: openssl update lupu 5.2.5

Installed the j update and nothing broke that I know of. lupu 5.2.5 (which I use I think because it supports orinoco wifi cards).