CVE-2014-0160 OpenSSL Heartbleed
Moderators: Flash, Ian, JohnMurga
balloon


Joined: 02 Oct 2013
Posts: 46
Location: Miyagi, Japan

PostPosted: Tue 08 Apr 2014, 02:14    Post_subject:  CVE-2014-0160 OpenSSL Heartbleed
Sub_title: Main target: Precise & Slacko; Information stored in memory is performed outside release of
 

A bug in OpenSSL has been discovered and is making noise now.

http://heartbleed.com/
http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/
http://www.openssl.org/news/secadv_20140407.txt

As for the contents, "main memory is released".
I consider that this has a great effect on Puppy using Frugal.
Frugal saves a file in main memory structurally.
In other words, this problem might let the contents of the file be released outside.
It is necessary to make the latest version of OpenSSL into a package.

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Precise-571JP (Japanese Edition)
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/

balloon


Joined: 02 Oct 2013
Posts: 46
Location: Miyagi, Japan

PostPosted: Tue 08 Apr 2014, 03:50    Post_subject:  Details: CVE-2014-0160 OpenSSL Heartbleed
Sub_title: I made a .pet package of OpenSSL which solved the problem.
 

Target OpenSSL is 1.0.1 - 1.0.1f. Before 1.0.0 version is inapplicable.
Target Puppy version (latest only):
  • Precise 5.7.1 (OpenSSL 1.0.1)
  • Slacko 5.7 (OpenSSL 1.0.1f)
Wary and Racy 5.5 are inapplicable (OpenSSL 1.0.0d)

(The .pet package which I showed here was updated.
Please be careful about these later sentences)

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Precise-571JP (Japanese Edition)
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/

bigpup


Joined: 11 Oct 2009
Posts: 5386
Location: Charleston S.C. USA

PostPosted: Tue 08 Apr 2014, 21:59    Post_subject:  

In Slacko 5.7

The "Updates Manager" will have the openSSL 1.0.1g files for download and install.

_________________
I have found, in trying to help people, that the things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected Shocked
ThoriumBlvd


Joined: 04 Oct 2013
Posts: 154
Location: N.E. USA

PostPosted: Wed 09 Apr 2014, 00:10    Post_subject:  

Sorry for the X-post, but how can we ID the version in use? Mine only says version 1 (SYSV) in properties.
_________________
.
bigpup


Joined: 11 Oct 2009
Posts: 5386
Location: Charleston S.C. USA

PostPosted: Wed 09 Apr 2014, 00:57    Post_subject:  

Did you try this:

run a terminal, input the command:
Code:
openssl version

_________________
I have found, in trying to help people, that the things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected Shocked
balloon


Joined: 02 Oct 2013
Posts: 46
Location: Miyagi, Japan

PostPosted: Wed 09 Apr 2014, 01:08    Post_subject:  

About pet package showing,
A problem may occur by application to treat SSL under the influence by the place for library.
Please be in particular careful about devx-related application movement.
When you discover a problem, please announce it here.

There is no update plan of the package at a stage contributing this.

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Precise-571JP (Japanese Edition)
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/
watchdog

Joined: 28 Sep 2012
Posts: 639

PostPosted: Wed 09 Apr 2014, 05:12    Post_subject:  

I compiled on my own openssl-1.0.1g in precise 5.7.1 with:

Code:
./config --prefix=/usr -DOPENSSL_NO_HEARTBEATS
make
new2dir make install


I have noticed an odd behaviour. The command "new2dir make install" not only makes the split packages (main, DEV, DOC) but installs the new openssl-1.0.1g without showing in PPM. Without installing the newly compiled package the output of "openssl version" gives the updated one after the compilation.
01micko


Joined: 11 Oct 2008
Posts: 7841
Location: qld

PostPosted: Wed 09 Apr 2014, 06:25    Post_subject:  

watchdog wrote:

Code:
./config --prefix=/usr -DOPENSSL_NO_HEARTBEATS
make
new2dir make install

Why? That's where the bug was and what is now fixed. You could have done that with the buggy source and the bug would be gone.

watchdog wrote:

I have noticed an odd behaviour. The command "new2dir make install" not only makes the split packages (main, DEV, DOC) but installs the new openssl-1.0.1g without showing in PPM. Without installing the newly compiled package the output of "openssl version" gives the updated one after the compilation.

That's how new2dir works. It's a wrapper for make install using installwatch. That's how Barry designed it. If you don't want to install use make DESTDIR=/some/path install.

bigpup wrote:
The "Updates Manager" will have the openSSL 1.0.1g files for download and install.

True. However you may get a "failed" message. This is because the mirrors haven't caught up yet. This will be resolved in the next 24hrs I expect, however, since the heartbleed bug is mostly server side it may take longer. Anyone notice a large slow down in traffic speeds? I will add more mirrors at some point to default slacko for more choice. I added aarnet to my install and it worked fine as the mirror has caught up.

_________________
Woof Mailing List | keep the faith Cool |
watchdog

Joined: 28 Sep 2012
Posts: 639

PostPosted: Wed 09 Apr 2014, 07:14    Post_subject:  

01micko wrote:
watchdog wrote:

Code:
./config --prefix=/usr -DOPENSSL_NO_HEARTBEATS
make
new2dir make install

Why? That's where the bug was and what is now fixed. You could have done that with the buggy source and the bug would be gone.


Sorry. I have misunderstood the OpenSSL security advisory:

http://www.openssl.org/news/secadv_20140407.txt

01micko wrote:
watchdog wrote:

I have noticed an odd behaviour. The command "new2dir make install" not only makes the split packages (main, DEV, DOC) but installs the new openssl-1.0.1g without showing in PPM. Without installing the newly compiled package the output of "openssl version" gives the updated one after the compilation.

That's how new2dir works. It's a wrapper for make install using installwatch. That's how Barry designed it. If you don't want to install use make DESTDIR=/some/path install.


Thanks for the explanation. I have learned something new to me.
01micko


Joined: 11 Oct 2008
Posts: 7841
Location: qld

PostPosted: Wed 09 Apr 2014, 08:08    Post_subject:  

watchdog wrote:
Sorry. I have misunderstood the OpenSSL security advisory:

http://www.openssl.org/news/secadv_20140407.txt

No need for apologies. Glad you learned something. I didn't mean to come across harsh.. it's what happens when you bang your head on a thousand word essay. Rolling Eyes

_________________
Woof Mailing List | keep the faith Cool |
8-bit


Joined: 03 Apr 2007
Posts: 3393
Location: Oregon

PostPosted: Wed 09 Apr 2014, 09:07    Post_subject:  

In Blue Pup version 3, I get this for version of openssl.

OpenSSL 1.0.1f 6 Jan 2014

I do not know what f in the version represents though.
balloon


Joined: 02 Oct 2013
Posts: 46
Location: Miyagi, Japan

PostPosted: Wed 09 Apr 2014, 10:03    Post_subject:  

8-bit wrote:
In Blue Pup version 3, I get this for version of openssl.

OpenSSL 1.0.1f 6 Jan 2014

I do not know what f in the version represents though.

Unfortunately it is the object of this problem.
Please try the .pet package.

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Precise-571JP (Japanese Edition)
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/
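
The version check discussed in this thread, as an added example that is not part of any post: a shell function that classifies an `openssl version` line against the range stated above (1.0.1 through 1.0.1f in range, 1.0.1g fixed, 1.0.0 and older outside it) and recognises a build configured with `-DOPENSSL_NO_HEARTBEATS`. The function name `heartbleed_status` and its output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# heartbleed_status VERSION_LINE [COMPILER_LINE]
#   VERSION_LINE : output of `openssl version`, e.g. "OpenSSL 1.0.1f 6 Jan 2014"
#   COMPILER_LINE: the "compiler:" line of `openssl version -a` (optional)
# Prints one label: affected | fixed | not-affected | no-heartbeats | unknown
# Return code: 0 = not exposed, 1 = in the affected range, 2 = cannot tell.
heartbleed_status() {
    # The second field is the version; the trailing letter is the patch
    # release (1.0.1f is the sixth lettered update of 1.0.1).
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    [ -n "$ver" ] || { echo unknown; return 2; }

    # A build configured with -DOPENSSL_NO_HEARTBEATS carries no heartbeat
    # code, whatever its version string says.
    case "${2:-}" in
        *-DOPENSSL_NO_HEARTBEATS*) echo no-heartbeats; return 0 ;;
    esac

    case "$ver" in
        1.0.1|1.0.1[abcdef]) echo affected;     return 1 ;;  # 1.0.1 - 1.0.1f
        1.0.1[g-z]*)         echo fixed;        return 0 ;;  # 1.0.1g and later letters
        0.*|1.0.0*)          echo not-affected; return 0 ;;  # heartbeat code not present
        *)                   echo unknown;      return 2 ;;  # outside the range in this thread
    esac
}

# Live check on this machine; skipped when the openssl CLI is not installed.
if command -v openssl >/dev/null 2>&1; then
    flags=$(openssl version -a 2>/dev/null | grep '^compiler:' || true)
    heartbleed_status "$(openssl version)" "$flags" || true
fi
```

Distributions that backport the fix as a patch keep the old version string, so a result of `affected` on such a system needs the package changelog checked as well.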
ally


Joined: 19 May 2012
Posts: 862
Location: lincoln

PostPosted: Wed 09 Apr 2014, 10:15    Post_subject:  

thanks balloon

working well on slacko 5.7

Smile
balloon


Joined: 02 Oct 2013
Posts: 46
Location: Miyagi, Japan

PostPosted: Wed 09 Apr 2014, 10:25    Post_subject:  

In the case of Precise, there is the choice to introduce .deb package of Ubuntu into.
However, Puppy was not able to put latest OpenSSL as a result that I tried the introduction of the .deb package.
This correspondence is offered with a patch in Ubuntu.
It is for this purpose to have had to make .pet package.

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Precise-571JP (Japanese Edition)
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/
mavrothal


Joined: 24 Aug 2009
Posts: 1802

PostPosted: Wed 09 Apr 2014, 12:56    Post_subject:  

01micko wrote:
it's what happens when you bang your head on a thousand word essay. Rolling Eyes

Because they are too few or too many?... Twisted Evil

_________________
Kids all over the world go around with an XO laptop. They deserve one puppy (or many) too Very Happy