Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Wed 17 Sep 2014, 05:31
All times are UTC - 4
 Forum index » House Training » Bugs ( Submit bugs )
CVE-2014-0160 OpenSSL Heartbleed
Moderators: Flash, Ian, JohnMurga
Post new topic   Reply to topic View previous topic :: View next topic
Page 2 of 4 [51 Posts]   Goto page: Previous 1, 2, 3, 4 Next
Author Message
chillinfart

Joined: 22 May 2006
Posts: 43

PostPosted: Wed 09 Apr 2014, 15:58    Post subject:  

bigpup wrote:
In Slacko 5.7

The "Updates Manager" will have the openSSL 1.0.1g files for download and install.


OpenSSl 1.0.1g now available from official Slackware repo.

Anyway, thanks balloon for hotfix.
Back to top
View user's profile Send private message 
starhawk

Joined: 22 Nov 2010
Posts: 2865
Location: Everybody knows this is nowhere...

PostPosted: Wed 09 Apr 2014, 18:07    Post subject:  

Just installed (successfully) the Slackware 14 *.txz for this, found at http://pkgs.org/slackware-14.0/slackware-patches-i486/openssl-1.0.1g-i486-1_slack14.0.txz.html -- X-Slacko 1.1 has OpenSSL 1.0.1e by default, and I'm pretty sure that's an affected version.
_________________
Loving X-Slacko 2.1!
Custom Build: HP MOCA-AR + Core2Duo T7200 + 4gb RAM + 256gb SSD
...just needs a pretty case Wink
Back to top
View user's profile Send private message 
balloon


Joined: 02 Oct 2013
Posts: 45
Location: Miyagi, Japan

PostPosted: Wed 09 Apr 2014, 21:53    Post subject: updated .pet package of OpenSSL  

Because the non-application of the library was discovered in OpenSSL of the .pet file,
I stopped an exhibition once.
Because an application state changes by a version of OpenSSL,
I cannot produce an appropriate package.
The person knowing a lot about a factpack of OpenSSL demands support.

As there is already a contribution,
There seems to be the means to apply the following package:
http://pkgs.org/download/openssl

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Precise-571JP (Japanese Edition)
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/
Back to top
View user's profile Send private message Visit poster's website 
balloon


Joined: 02 Oct 2013
Posts: 45
Location: Miyagi, Japan

PostPosted: Wed 09 Apr 2014, 22:46    Post subject:  

When you put .deb package in Precise and apply the latest edition of OpenSSL normally, it is in this condition:
Code:
sh-4.1# openssl version
OpenSSL 1.0.1 14 Mar 2012
sh-4.1# openssl version -b
built on: Mon Apr  7 20:31:55 UTC 2014

Please be careful about coping by a patch application not version update in Ubuntu.

The Japanese Edition member confirmed that the update from a Puppy Package Manager was possible.
At this chance you update a factpack and it is the latest and will have it.
After having started of Puppy Package Manager,
Configure package manager - Update now (Reference Attachment File)
The package to apply is openssl_1.0.1 and libssl1.0.0_1.0.1.
capture8957.jpg
 Description   
 Filesize   140.6 KB
 Viewed   1261 Time(s)

capture8957.jpg


_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Precise-571JP (Japanese Edition)
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/

Last edited by balloon on Thu 10 Apr 2014, 00:31; edited 6 times in total
Back to top
View user's profile Send private message Visit poster's website 
bigpup


Joined: 11 Oct 2009
Posts: 5134
Location: Charleston S.C. USA

PostPosted: Wed 09 Apr 2014, 22:49    Post subject:  

balloon,

Thanks for posting about this and offering a fix!

_________________
I have found, in trying to help people, that the things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected Shocked
Back to top
View user's profile Send private message 
xmf-149

Joined: 02 Aug 2013
Posts: 17

PostPosted: Thu 10 Apr 2014, 01:57    Post subject: hi ppl this is outrageous  

as of now after updating PPM i still dont see an updated version of openssl and still get the output you just posted. is it important for me to uninstall the current version anyway and how?

does the web browser and other internet apps indirectly use that library?

i hope you all know this bug was planted by a government agent posing as a "volunteer developer" who contributed real code improvement while slipping this in at the same time, so they have definitely been exploiting it

this reminded me of how i dislike passwords anyway and gpg should just be used for every website
Back to top
View user's profile Send private message 
balloon


Joined: 02 Oct 2013
Posts: 45
Location: Miyagi, Japan

PostPosted: Thu 10 Apr 2014, 07:34    Post subject:  

It is said that this problem has a problem on the server side in particular.
Probably there will be few people using Puppy as a server.

However, in the case of Puppy,
I was convinced that what the contents of the file were included in as released memory information was a big problem.
(When it is Frugal Install. As for this, many people should choose it)

I hurried correspondence in Puppy from this importance.

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Precise-571JP (Japanese Edition)
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/
Back to top
View user's profile Send private message Visit poster's website 
OscarTalks

Joined: 05 Feb 2012
Posts: 873
Location: London, England

PostPosted: Thu 10 Apr 2014, 10:28    Post subject:  

Hope it is OK for me to mention in this thread that I have compiled OpenSSL 1.0.1g in Dpup Wheezy if anyone would like to test it.
http://www.murga-linux.com/puppy/viewtopic.php?t=80546&start=676
Precise and/or Slackware 14.0 packages will usually not work in Wheezy because (among other things) they have glibc 2.15 and Wheezy has glibc 2.13

_________________
Oscar in England

Back to top
View user's profile Send private message 
balloon


Joined: 02 Oct 2013
Posts: 45
Location: Miyagi, Japan

PostPosted: Fri 11 Apr 2014, 04:12    Post subject: Handling of openssl.cnf in Puppy  

Even a Japanese forum examined correspondence of OpenSSL:

http://sakurapup.browserloadofcoolness.com/viewtopic.php?t=2581

It becomes the argument whether a package updates "openssl.cnf" here,
or it leave an old file.
openssl.cnf is in /etc/ssl .

The Ubuntu package overwrites in openssl.cnf to change the encryption,
but Puppy Linux does not update openssl.cnf for a long time.
This has indication considered not to update it daringly.

Please teach the person understanding handling of openssl.cnf.

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Precise-571JP (Japanese Edition)
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/
Back to top
View user's profile Send private message Visit poster's website 
balloon


Joined: 02 Oct 2013
Posts: 45
Location: Miyagi, Japan

PostPosted: Fri 11 Apr 2014, 04:24    Post subject: Updated in Package Manager by Slacko  

I tried update in Slacko to convince information.

We can update OpenSSL in a procedure same as Precise.
After having started a Puppy Package Manager,
Configure package manager(The right of Uninstall) - Update Now
Package Manger gets the latest factpack by this operation from Slackware.
2 installation packages: openssl-1.0.1g openssl-solibs-1.0.1g

As a result of having updated it by this method, the openssl version is in this condition:
Code:
# openssl version
OpenSSL 1.0.1g 7 Apr 2014
# openssl version -b
built on: Tue Apr  8 09:00:45 CDT 2014

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Precise-571JP (Japanese Edition)
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/
Back to top
View user's profile Send private message Visit poster's website 
shinobar


Joined: 28 May 2009
Posts: 2630
Location: Japan

PostPosted: Fri 11 Apr 2014, 04:41    Post subject: Re: Handling of openssl.cnf in Puppy  

To all, especially who concern the woof(Puppy builder).

As balloon says, we found the file /etc/ssl/openssl.cnf built in most of Puppy is too old.
The file will be updated when we update the openssl package.
It maybe alright, but how do you think why the woof keeps this old config file?

The file /etc/ssl/openssl.cnf is fixed as the old one by the woof even new version of openssl is installed by the Puppy builder. Maybe Barry has implemented in the woof2, and now the woof-CE follows.
Therefore, the files /etc/ssl/openssl.cnf in most of Puppies, Precise Puppy, Slacko, Dpup, and etc.. are now all the same.

_________________
Google Chrome portable
Downloads for Puppy Linux http://shino.pos.to/linux/downloads.html
Back to top
View user's profile Send private message Visit poster's website 
pemasu


Joined: 08 Jul 2009
Posts: 5463
Location: Finland

PostPosted: Fri 11 Apr 2014, 06:31    Post subject:  

Quote:
woof-ce-december2/woof-out_x86_x86_debian_wheezy/packages-templates/openssl/etc/ssl/openssl.cnf


The replacement happens due to openssl package-template.
Back to top
View user's profile Send private message 
shinobar


Joined: 28 May 2009
Posts: 2630
Location: Japan

PostPosted: Fri 11 Apr 2014, 07:13    Post subject: openssl.cnf  

pemasu wrote:
Quote:
woof-ce-december2/woof-out_x86_x86_debian_wheezy/packages-templates/openssl/etc/ssl/openssl.cnf


The replacement happens due to openssl package-template.

Right.
The question is why Barry put this, and how we interpret his intention.

_________________
Google Chrome portable
Downloads for Puppy Linux http://shino.pos.to/linux/downloads.html
Back to top
View user's profile Send private message Visit poster's website 
mavrothal


Joined: 24 Aug 2009
Posts: 1615

PostPosted: Fri 11 Apr 2014, 13:27    Post subject: Re: openssl.cnf  

shinobar wrote:

The question is why Barry put this, and how we interpret his intention.

That's a question for BK Wink
but I would guess that he never bother to update it after whatever looked good at the time.
As a matter of fact all the is missing is the time stamp policy configuration

_________________
Kids all over the world go around with an XO laptop. They deserve one puppy (or many) too Very Happy
Back to top
View user's profile Send private message 
balloon


Joined: 02 Oct 2013
Posts: 45
Location: Miyagi, Japan

PostPosted: Fri 11 Apr 2014, 20:24    Post subject: Re: openssl.cnf  

mavrothal wrote:

but I would guess that he never bother to update it after whatever looked good at the time.
As a matter of fact all the is missing is the time stamp policy configuration

As for this, the Ubuntu package updates openssl.cnf this time, but do you think that it is not good?
I want the clear answer. (that is not imagination)

Other distribution is thought to update openssl.cnf.
This is because it is necessary to change a coding logic for security enhancement.

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Precise-571JP (Japanese Edition)
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/
Back to top
View user's profile Send private message Visit poster's website 
Display posts from previous:   Sort by:   
Page 2 of 4 [51 Posts]   Goto page: Previous 1, 2, 3, 4 Next
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » House Training » Bugs ( Submit bugs )
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0959s ][ Queries: 12 (0.0118s) ][ GZIP on ]