Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
OpenSSL software risk
ThoriumBlvd


Joined: 04 Oct 2013
Posts: 123
Location: N.E. USA

Posted: Sat 12 Apr 2014, 06:30

8-bit wrote:
If I have updated openssl on Puppy and I connect to a site whose server is still using an older version, which takes priority?
In other words, would I still be at risk to the heartbleed problem?


Consider the situation as a secure transaction. If EITHER side is vulnerable, then BOTH sides are at risk. IOW, if the client is vulnerable then the passwd and Client ID are at risk. As you might suspect this can be a major problem doing business on-line, banking, etc. If the server is vulnerable ALL CLIENT data submitted is vulnerable. As one can see BOTH parties need protection or the link itself is vulnerable.

BTW anyone using Slacko-55XL needs the update, the version included is 101e.

Puppy Button --> System --> Updates Manager (from Slackware)

solo


Joined: 14 Nov 2013
Posts: 126

Posted: Sun 13 Apr 2014, 15:32

Yes hello!

I may not know a lot about this stuff, but as a computer user I have to say the way this Heartbleed stuff is playing out does not exactly instill confidence on my end.
How can this 'just' be a server-side problem if we are talking about a way of establishing a secure connection between the server AND the client?
How is it that things are all fixed when we only patch the servers, while every regular computer user who has this software running should do....nothing?

No. My common sense tells me that is not good enough.

Now, I run Precise Puppy 5.7.1, so I need an OpenSSL update for Ubuntu Precise. And I found it here:
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12
Am I correct in assuming that the only thing I have to download from this page is the openssl_1.0.1-4ubuntu5.12.debian.tar.gz, unpack it and install it?
My current OpenSSL version is 1.0.1 from March 2012.

Thank you in advance for any advice.
mikeb


Joined: 23 Nov 2006
Posts: 8213

Posted: Sun 13 Apr 2014, 16:02

You are as likely to need an update to keep software like curl and pidgin happy when servers change their OpenSSL and GnuTLS arrangements, breaking existing software.

Mike
solo


Joined: 14 Nov 2013
Posts: 126

Posted: Sun 13 Apr 2014, 16:12

Well there you go.

Took a peek in those update packages and understood immediately that an easy update would not be as clean cut as replacing one executable with another.
Oh well....
Moat

Joined: 16 Jul 2013
Posts: 177

Posted: Sun 13 Apr 2014, 17:41

Hey Solo - FWIW...

As per baloon's info for Precise 5.7.1 posted in this thread - http://murga-linux.com/puppy/viewtopic.php?t=93076&start=15 - I updated my 5.7.1's PPM and re-installed, right over the top of the old, openssl_1.0.1 and libssl1.0.0_1.0.1 from the PPM.

Then entering 'openssl version -a' in a terminal displays the following, likely indicating it's the same "version", but fixed/updated on April 7th 2014 -

sh-4.1# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:31:55 UTC 2014
platform: debian-i386
etc...

I'm just going to assume that's the case, as I'm not too worried about it from a home-user's end, anyways.

Bob
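
A way to script the check described in the post above, as an added example that is not part of the original thread: it reads `openssl version -a` output and reports whether a version string in the Heartbleed-affected range comes from a build dated before or after the 7 Apr 2014 upstream fix. The function name, status labels and the second sample are constructed for illustration; a build date on or after the fix date is only a hint that the distribution backported the patch, so confirm it against the distribution's own advisory.

```shell
#!/bin/sh
# Added example: classify `openssl version -a` output for Heartbleed exposure.
# Upstream 1.0.1 through 1.0.1f and 1.0.2-beta/-beta1 are affected; 1.0.1g,
# released 7 Apr 2014, is fixed. Distributions often backport the fix without
# changing the version string, so the build date is the only local hint.

# Reads `openssl version -a` text on stdin and prints one status label
# (labels are made up for this example).
heartbleed_status() {
    awk '
    BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i }
    /^OpenSSL /                 { ver = $2 }
    # "built on: Mon Apr 7 20:31:55 UTC 2014" becomes 20140407
    /^built on:/ && ($4 in mon) { built = sprintf("%04d%02d%02d", $NF, mon[$4], $5) }
    # A build compiled without heartbeat support is not exposed.
    /OPENSSL_NO_HEARTBEATS/     { nohb = 1 }
    END {
        affected = (ver ~ /^1\.0\.1[a-f]?$/ || ver ~ /^1\.0\.1[a-f]?-/ ||
                    ver ~ /^1\.0\.2-beta1?$/)
        if (!affected)               print "outside-affected-range"
        else if (nohb)               print "heartbeats-disabled"
        else if (built == "")        print "unknown-build-date"
        else if (built < "20140407") print "likely-unpatched"
        else                         print "rebuilt-since-fix-date"
    }'
}

# Output quoted in the post above (the lines before "etc...").
PAGE_SAMPLE='OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:31:55 UTC 2014
platform: debian-i386'

# Constructed sample: an affected version string with a pre-fix build date.
OLD_SAMPLE='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Feb 12 10:00:00 UTC 2013
platform: constructed-example'

printf 'page sample:        %s\n' "$(printf '%s\n' "$PAGE_SAMPLE" | heartbleed_status)"
printf 'constructed sample: %s\n' "$(printf '%s\n' "$OLD_SAMPLE" | heartbleed_status)"
# On a live system: openssl version -a | heartbleed_status
```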
solo


Joined: 14 Nov 2013
Posts: 126

Posted: Mon 14 Apr 2014, 03:34

Thank you very much for that Moat.

It may be that some people find my reaction a bit over the top, but perhaps that is the type of paranoia one develops after being a Windows-user for a long time.