CVE-2014-0160 OpenSSL Heartbleed

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#31 Post by 8-bit »

OscarTalks wrote:Hope it is OK for me to mention in this thread that I have compiled OpenSSL 1.0.1g in Dpup Wheezy if anyone would like to test it.
http://www.murga-linux.com/puppy/viewto ... &start=676
Precise and/or Slackware 14.0 packages will usually not work in Wheezy because (among other things) they have glibc 2.15 and Wheezy has glibc 2.13
I have tried your Pet in Slacko 5.5 as well as Puppy Precise 5.71 and Puppy Blue (Quirky Tahr in disguise), and it updated according to a check as the new version.

shinobar
Posts: 2672
Joined: Thu 28 May 2009, 09:26
Location: Japan

the pet for Dpup

#32 Post by shinobar »

8-bit wrote:
OscarTalks wrote:Hope it is OK for me to mention in this thread that I have compiled OpenSSL 1.0.1g in Dpup Wheezy if anyone would like to test it.
http://www.murga-linux.com/puppy/viewto ... &start=676
Precise and/or Slackware 14.0 packages will usually not work in Wheezy because (among other things) they have glibc 2.15 and Wheezy has glibc 2.13
I have tried your Pet in Slacko 5.5 as well as Puppy Precise 5.71 and Puppy Blue (Quirky Tahr in disguise), and it updated according to a check as the new version.
Do not install the pet for Dpup on other Puppies.
Debian installs the libraries in /usr/lib, leaving the old libraries in /lib, where Ubuntu and Slackware place them.
The pet for Dpup is for Dpup, not for other Puppies.
Downloads for Puppy Linux: http://shino.pos.to/linux/downloads.html

fantazam
Posts: 4
Joined: Fri 07 Nov 2008, 14:17

#33 Post by fantazam »

For Puppy Precise 5.7.1 I installed these 2 packages and now I have updated openssl "OpenSSL 1.0.1g 7 Apr 2014"

https://launchpad.net/~george-edison55/ ... 1_i386.deb

https://launchpad.net/~george-edison55/ ... 1_i386.deb

mikeslr
Posts: 3890
Joined: Mon 16 Jun 2008, 21:20
Location: 500 seconds from Sol

openssl heartbleed fix for Precise and Raring

#34 Post by mikeslr »

Thanks fantazam,

For the links to the debs you found for Precise 5.71. They also apparently work to update openssl in Upup raring 3.9.9.2 and upup precise 3.8.3.

mikeslr

shinobar
Posts: 2672
Joined: Thu 28 May 2009, 09:26
Location: Japan

Update for Ubuntu compatible Puppies

#35 Post by shinobar »

Ubuntu provides its official deb packages for the fix.
For the Precise Puppy, tahr, you can get them from the Puppy Package Manager.
Follow the post by balloon.
http://murga-linux.com/puppy/viewtopic. ... 6&start=18

EDIT: Ubuntu does not provide the fix packages for raring.
See next post by balloon.
Last edited by shinobar on Mon 14 Apr 2014, 10:15, edited 1 time in total.
Downloads for Puppy Linux: http://shino.pos.to/linux/downloads.html

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

#36 Post by balloon »

Oops, there are instructions.
The update with the Ubuntu package is not intended for Upup raring.
Package updates for Ubuntu 13.04 Raring Ringtail have already expired (January 2014).

The update of OpenSSL for Upup raring needs to be handled with an original build.
When this cannot be supported, the danger of an Internet connection from Upup raring increases.
BALLOON a.k.a. Fu-sen. from Japan | ふうせん Fu-sen. (old: 2 8 6)

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

Important notice

#37 Post by balloon »

To the main very important person showing .iso,

These security issues have a big influence.
Puppy Linux is thought to be hard to attack in client use,
yet the damage when Puppy receives an attack is heavy.
There is a strong tendency for Puppy Linux to package it and not update it.
This situation is not good.

It is necessary to examine the release of an .iso with updated OpenSSL.
(This includes the Windows .exe version that exists in part.)
BALLOON a.k.a. Fu-sen. from Japan | ふうせん Fu-sen. (old: 2 8 6)

shinobar
Posts: 2672
Joined: Thu 28 May 2009, 09:26
Location: Japan

Fix PET for Precise Puppy

#38 Post by shinobar »

For all Precise Puppy:
http://shino.pos.to/linux/puppy/openssl ... tu5.12.pet

It contains 2 libraries under /lib from libssl1.0.0_1.0.1-4ubuntu5.12_i386.deb,
/etc/ssl/openssl.cnf from openssl_1.0.1-4ubuntu5.12_i386.deb

Type the next command in the terminal to see that openssl is updated.

Code:

# openssl version -b
built on: Mon Apr  7 20:31:55 UTC 2014

'Apr 7, 2014' is OK.
Downloads for Puppy Linux: http://shino.pos.to/linux/downloads.html

augras
Posts: 1487
Joined: Mon 11 Nov 2013, 17:37
Location: france

#39 Post by augras »

Hi shinobar,
Thanks for that .pet.
Can I ask you to make the same thing for raring 3.9.9.2 by pemasu? Ubuntu raring has not received any support since 2014-01-27 and there is no .deb for this update. So, if you can, it will be a very good thing for raring users.
Thanks,
Philippe

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

#40 Post by balloon »

The .pet file which Shinobar showed was made from the Ubuntu package.

For Ubuntu 13.04, the situation is that an OpenSSL package is not provided now.
This makes it difficult to offer a .pet package of the most suitable OpenSSL for Upup Raring.
I suggest that anyone using Upup Raring stop using it; continuing to use it is bad.
BALLOON a.k.a. Fu-sen. from Japan | ふうせん Fu-sen. (old: 2 8 6)

augras
Posts: 1487
Joined: Mon 11 Nov 2013, 17:37
Location: france

#41 Post by augras »

Thanks for your answer balloon,
but with the openssl source, maybe it is possible to do something? I don't know, I just ask.
Philippe

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#42 Post by slavvo67 »

Shinobar:

Why does it still read 1.0.1 after the fix?

Best regards,

Slavvo67

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

#43 Post by balloon »

I answer in place of Shinobar.

OpenSSL takes measures in 1.0.1g.
However, Ubuntu, Debian and Slackware do not adopt this and make modifications with a patch.
This will be a measure for stability, to operate more applications.

We begin this work with Precise. (Of the Japanese Edition release only Precise most newly)
Originally we confirmed that the OpenSSL included in Precise was obtained from the Ubuntu package.
Shinobar brings the .pet package from the latest Ubuntu package to this.

For the method to confirm the application of the patch, refer to the past posts of this topic.
BALLOON a.k.a. Fu-sen. from Japan | ふうせん Fu-sen. (old: 2 8 6)
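
Added example, not part of any post in this thread: posts #38 and #43 together mean the version string alone cannot confirm the fix, because the patched Ubuntu build still reports 1.0.1. The script below classifies the two lines printed by openssl version and openssl version -b; the verdict words and the 2014-04-07 cut-off are assumptions of this example, and a build date is only a hint, so the installed package version (for example 1.0.1-4ubuntu5.12 from post #38) stays the authoritative check.

```shell
#!/bin/sh
# Added example: triage an OpenSSL build for CVE-2014-0160 from the text of
# `openssl version` and `openssl version -b`. Upstream 1.0.1 through 1.0.1f
# are affected and 1.0.1g is fixed; distro packages keep the old version
# string and backport the patch, so the build date is the only local hint.

CUTOFF=20140407   # assumption: the "Apr 7, 2014" build date the thread accepts

# "built on: Mon Apr  7 20:31:55 UTC 2014" -> 20140407; fails if unparsable
built_on_to_ymd() {
    printf '%s\n' "$1" | awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $4) + 2) / 3
        if (length($4) != 3 || m != int(m) || $NF !~ /^[0-9][0-9][0-9][0-9]$/) exit 1
        printf "%04d%02d%02d\n", $NF, m, $5
    }'
}

# classify_openssl VERSION_LINE BUILT_ON_LINE -> prints one verdict word
classify_openssl() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]) ;;                       # affected upstream range
        *) echo "outside-affected-range"; return 0 ;;
    esac
    ymd=$(built_on_to_ymd "$2") || { echo "unknown-build-date"; return 0; }
    if [ "$ymd" -lt "$CUTOFF" ]; then
        echo "vulnerable"              # affected version built before the fix
    else
        echo "rebuilt-after-fix-date"  # likely backport; confirm package version
    fi
}

# Constructed sample lines (the Apr 7 "built on" line is the one in post #38).
classify_openssl "OpenSSL 1.0.1 14 Mar 2012" "built on: Wed Jan  8 20:45:51 UTC 2014"
classify_openssl "OpenSSL 1.0.1 14 Mar 2012" "built on: Mon Apr  7 20:31:55 UTC 2014"
classify_openssl "OpenSSL 1.0.1g 7 Apr 2014" "built on: Mon Apr  7 20:31:55 UTC 2014"

# Live check, only when an openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
    classify_openssl "$(openssl version)" "$(openssl version -b)"
fi
```

A result of rebuilt-after-fix-date also covers a self-compiled affected release built after the cut-off, which is why the package version has to be confirmed separately.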

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#44 Post by slavvo67 »

Balloon:

That certainly makes sense. Thank you.

Of course, the next question would need to come from this. If I used Shinobar's patch and after noticing no change in version I proceeded to install the 2 deb packages listed, would that still be ok? Now, my SSL Version reads 1.0.1g and everything appears to be working fine. What are your thoughts on this?

Thanks,

Slavvo67

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

Re: Fix PET for Precise Puppy

#45 Post by greengeek »

shinobar wrote:For all Precise Puppy:
http://shino.pos.to/linux/puppy/openssl ... tu5.12.pet

It contains 2 libraries under /lib from libssl1.0.0_1.0.1-4ubuntu5.12_i386.deb,
/etc/ssl/openssl.cnf from openssl_1.0.1-4ubuntu5.12_i386.deb
I compared the contents of this Precise .pet with the package contents in the slacko repo and I don't understand why there is such a big difference - this pet for Precise has very few files, but the slacko one has many many files and renames and deletions (of certificates etc). I would have expected them to be quite similar. Does anyone know why the number of files is so different? For slacko could I maybe just grab the slack14 openssl.cnf and the 2 slack14 libs, just like in the Precise pet, or is there a good reason why the slack14 packages have so much stuff in them?

EDIT : A list of the files included in the slack package can be found 2/3 of the way down the page here:
http://pkgs.org/slackware-14.0/slackwar ... 0.txz.html
(keep clicking the "show more" button)

shinobar
Posts: 2672
Joined: Thu 28 May 2009, 09:26
Location: Japan

openssl-fix for Precise Puppy

#46 Post by shinobar »

openssl-fix for all Precise Puppy:
made of openssl/libssl 1.0.1-4ubuntu5.14 from Ubuntu precise repo, libssl0.9.8k-7ubuntu8.18 from lucid repo.
http://shino.pos.to/party/bridge.cgi?pu ... tu8.18.pet
Remove openssl-fix-1.0.1-4ubuntu5.12.pet first if you already installed it.
Downloads for Puppy Linux: http://shino.pos.to/linux/downloads.html

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#47 Post by bigpup »

OpenSSL Security Advisory [05 Jun 2014]

http://www.openssl.org/news/secadv_20140605.txt

The update is already listed in Slacko 5.7 Updates Manager.

openssl-1.0.1h
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected :shock:
YaPI(any iso installer)

oldyeller
Posts: 889
Joined: Tue 15 Nov 2011, 14:26
Location: Alaska

#48 Post by oldyeller »

Is it also affecting dpup wheezy?

OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

#49 Post by OscarTalks »

oldyeller wrote:Is it also affecting dpup wheezy?
Hello oldyeller,

I did try to compile openssl-1.0.1h for Dpup Wheezy.
It is here:-
http://smokey01.com/OscarTalks
Hope I got it right. I haven't seen an official Debian version anywhere, but maybe there is one and I just haven't spotted it. Folks may wish to try my one but not in other Puppies and take the usual precautions beforehand. One thing I have noticed is that some programs will warn in terminal that "No version information available" if they were compiled against the earlier version but they still seem to run perfectly well.
Oscar in England

oldyeller
Posts: 889
Joined: Tue 15 Nov 2011, 14:26
Location: Alaska

#50 Post by oldyeller »

Thanks, will give it a go

Cheers
