Openssl update to 1.0.1k

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

Openssl update to 1.0.1k

#1 Post by 8Geee »

A new security update to openssl. If one has the prior version (1.0.1j, 1.0.0o, or 0.9.88zc) there is at least one reason to upgrade. The "no-ssl3" fix can be worked-around, causing a denial of service (DoS). This latest version repairs that flaw. There is a write up in vulnerabilities.

The tar.bz can be found here along with an "L" version addressing a bug in windows/mac not security-related.

**Edit** The above link to the download is for developers/programmers of Puppies other than Slacko. Puppies based on Slackware can view any needed D/L's in MENU--> SETUP--> Updates Manager. Apologies for the lack of clarity.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Scooby
Posts: 599
Joined: Sat 03 Mar 2012, 09:04

#2 Post by Scooby »

Lucky for me then that I got the k-version :D

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#3 Post by watchdog »

I share my newly compiled packages.

openssl-0.9.8ze-p4-i486.pet:

https://copy.com/IFkdp4Q6p3yBmtSw

openssl_DEV-0.9.8ze-p4-i486.pet:

https://copy.com/Tr3DzjaU9Hv2gppG

openssl-1.0.0q-w5-i486.pet:

https://copy.com/AQLQAw0tDFPviRD6

openssl_DEV-1.0.0q-w5-i486.pet:

https://copy.com/64j4gNAfKr4qgDR4

mikeslr
Posts: 3890
Joined: Mon 16 Jun 2008, 21:20
Location: 500 seconds from Sol

Thanks for the pets, but

#4 Post by mikeslr »

Hi watchdog,

I greatly appreciate your efforts to maintain Puppy Linux as a safe computing environment, and especially that you share your hard work with others.

Thank you for your recent pets.

I explore many Puppy variations. At any time I usually have five or more Pups which I try to keep up to date. The "oldest" Ubuntu based is the original Lupu 5.28. The most recent, Unicorn. My "Slacko" based are Slacko 5.6, Banksy based on 5.6, and rufwoof's variant based, I believe, on Slacko 5.3.3. I also have Carolina-Vanguard Release 2.

As you know, applications built for one Pup variant may not be compatible in Pups built from other sources. So it would be helpful if your pets' description indicated which Pup variant they were built for, and perhaps in which other Pup variants they might properly function.

If I were to guess, it would be that openssl-0.9.8ze-p4-i486.pet should function in debian and ubuntu based Pups; while openssl-1.0.0q-w5-i486.pet should function in wary/racy/saluki and the Carolinas.

But that's just a guess.

Thanks in advance.

mikesLr

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#5 Post by Semme »

Slackware security advisories >> Ubuntu security notices << Pup requires manual update to stay current..

I don't profess to know much, but it surprises me that active members don't know where to look for these.

Furthermore, pay attention to what's on the table for each variant..

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#6 Post by musher0 »

Semme wrote:
> Slackware security advisories >> Ubuntu security notices << Pup requires manual update to stay current..
>
> I don't profess to know much, but it surprises me that active members don't know where to look for these.
>
> Furthermore, pay attention to what's on the table for each variant..

Thanks, Semme.

I'm on slacko-6.0b right now, and the slackware package you mentioned above
installed itself "just by clicking on it".

BFN.

musher0
Last edited by musher0 on Mon 26 Jan 2015, 06:26, edited 1 time in total.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#7 Post by watchdog »

@mikeslr

I compiled openssl for the only two old puppies I maintain which do not have patches in official repositories. They are puppy 4.31 (the packages should work in all puppies of 4.xx series) and wary-racy (the packages should work in every release of wary-racy). For the other puppies you can easily find updated openssl in official repositories of other distros. Slacko 5.3x is slackware 13.37 based so you should look at:

http://mirrors.slackware.com/slackware/ ... /packages/

(install patched openssl and openssl-solibs).

Lucid is ubuntu lucid based and you should look at:

http://packages.ubuntu.com/lucid-updates/allpackages

(install patched openssl and libssl).

And so on. For recent puppies whose official repositories are still maintained you can just update packages in PPM and reinstall openssl by PPM. Some recent puppies have quickpet-updates managers: in tahr you just run quickpet. I don't know now if slacko 5.6 or 5.7 slackware 14.0 based have openssl patches in update manager. I'm now back to wary: my first love. I hope it's more clear.

darry1966

#8 Post by darry1966 »


darry1966

#9 Post by darry1966 »

Please excuse my manners. Thank you Watchdog for the update and your tireless vigilance supporting old Puppies.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#10 Post by mikeb »

> The "no-ssl3" fix can be worked-around, causing a denial of service (DoS).

so since I am not running a server do I need to bother with these 'fixes' ?

mike

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#11 Post by watchdog »

I am not an expert so I am asking you. Why do all linux distros provide openssl automatic updates to our pcs for this patch? Is there a possibility that our puppy pcs take acting as servers as consequence of malicious software? I also use sometimes to boot an old puppy and to surf the internet without security fears, maintaining an updated puppy only to enjoy playing with softwares and online banking. How much have you to take care for security bugs in puppy softwares and in what circumstances? Although I think having an updated openssl package is one more our choice.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#12 Post by mikeb »

Ok well from what I read this security flaw applies to server usage...it does not turn your system into a server. In other words for desktop usage/internet browsing it appears the update/fix is not required.

Just wanted clarification before altering these core libraries.... I previously read the original problem did not apply to 0.9.8 but it appears this is no longer the case.

The bash update seems to be of similar nature...ie relevant to servers only.

mike

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#13 Post by Semme »

Not that I understand "all things Internet," correct. Unless you're running a server, fix *not* required. Sensing an unsatisfactory response to Mike's initial post, I'm all for challenging folks to think, question and understand for themselves whether they should overreact to these types of advisories. :D Why bother? Because I possess a sense of responsibility.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#14 Post by mikeb »

I take precautions when necessary.... just trying to ascertain if this is necessary. All info points to a server vulnerability and takeover.

In the library where it appears to have no firewall... all ports are closed though....perhaps because I am not running a server.

mike

robert_m
Posts: 18
Joined: Tue 02 Feb 2016, 05:20
Location: Monterey Bay, California

#15 Post by robert_m »

I am new to Puppy, and have Puppy 5.7.1 which I intend to use as portable desktop and to carry an encrypted file of financial information and passwords.

I have not figured out if openssl is part of that solution, but I checked my version

```
# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 15 15:27:09 UTC 2013
platform: debian-i386
options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
```

Do I need to upgrade? If so, can I do it with the package manager?

My thanks in advance,
- Rob M.
Puppy in My Pocket
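
An added example, not part of any post in this thread: a shell script that reads the first line of `openssl version` output, as posted above, and compares its letter suffix with a minimum release on the same branch. The minimum used here is 1.0.1k from the thread title; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Old-style OpenSSL versions are three
# numbers plus an optional letter suffix: 1.0.1 < 1.0.1a < ... < 1.0.1z < 1.0.1za.

# branch_of VERSION: print the numeric part, e.g. 1.0.1k -> 1.0.1
branch_of() { printf '%s\n' "$1" | sed 's/[a-z]*$//'; }

# suffix_lt A B: succeed if A's letter suffix sorts before B's (same branch assumed)
suffix_lt() {
    LC_ALL=C awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^[0-9.]+/, "", a); sub(/^[0-9.]+/, "", b)
        exit !((a "") < (b ""))     # plain string comparison, "" sorts first
    }'
}

# assess "LINE" MINIMUM: LINE is the first line printed by `openssl version`.
# Prints older, ok, other-branch (different numeric branch) or unparsed.
assess() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    [ -n "$ver" ] || { echo "unparsed"; return; }
    if [ "$(branch_of "$ver")" != "$(branch_of "$2")" ]; then
        echo "other-branch"
    elif suffix_lt "$ver" "$2"; then
        echo "older"
    else
        echo "ok"
    fi
}

# The first line is the output quoted in post #15; the other two are constructed.
for line in "OpenSSL 1.0.1 14 Mar 2012" \
            "OpenSSL 1.0.1k 8 Jan 2015" \
            "OpenSSL 0.9.8ze 15 Jan 2015"; do
    printf '%-30s -> %s\n' "$line" "$(assess "$line" 1.0.1k)"
done
```

Distribution packages often backport fixes without changing this upstream version string, so an "older" result on a Debian-, Ubuntu- or Slackware-based Puppy should be confirmed against the package version reported by the package manager.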

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#16 Post by 8Geee »

On your version;
MENU --> Setup --> Updates from Slackware
This will enlighten.

To view your present version
Open Terminal
type openssl version
exit when done

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#17 Post by musher0 »

Hello all.

The revival of this thread prompted me to revisit the subject. So I compiled
openssl-1.0.2f on the DPup Wheezy I'm updating. This compilation should
work on any Puppy that has a (e)glibc of 2.13 or more.

(Typing

```
ldd --version
```

in terminal will tell you which version of (e)glibc your Puppy is using.)

You can download it as pets:
https://www.adrive.com/public/Knut3A/openssl-1.0.2f.pet (main archive)
https://www.adrive.com/public/7avQ9B/op ... 2f_man.pet (separate man files)

... or as an sfs for any Puppy:
https://www.adrive.com/public/WJrAAh/openssl-1.0.2f.sfs

I don't expect anything fishy: it compiled fine from the source at the openssl site
and I tested it on my system -- but let me know if you experience any problems.

openssl-1.0.2f is the latest stable version at this time. A version 1.1.0 exists, but
it is still being tested, and the authors do not recommend it for general use yet.

Enjoy! BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

robert_m
Posts: 18
Joined: Tue 02 Feb 2016, 05:20
Location: Monterey Bay, California

#18 Post by robert_m »

8Geee wrote:
> On your version;
> MENU --> Setup --> Updates from Slackware
> This will enlighten.
>
> To view your present version
> Open Terminal
> type openssl version
> exit when done
>
> Regards
> 8Geee

It is not clear to me if this was intended to help me decide if I need an upgrade, or directed at another post.
I posted my version (OpenSSL 1.0.1 14 Mar 2012 ) , and do not know which version is needed for Puppy 5.7.1 ( which is not the slackware version: do I care about updates from slackware?) I'm new to Puppy, enlightenment comes slowly!

I failed to plainly ask "Is openssl a good tool to encrypt a single file for later viewing on a flash drive install?"
- Rob M.
Puppy in My Pocket

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#19 Post by 8Geee »

Apologies robert_m, you are using debian-related. Nonetheless, there 'should' be some update available thru deb-repos if needed. Essentially server-certificates on both ends are affected.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#20 Post by musher0 »

8Geee? robert_m?

Please get new glasses? Or maybe you unlearned how to read?

I spent over an hour compiling and uploading the most recent stable openssl for
you guys -- on a Debian Wheezy compatible pup.

You could say: "thank you."


@Robert:

Yes my package should be compatible with Puppy Precise 5.7.1 since that
PrecisePup uses glibc 2.15, a higher version retro-compatible with the glibc 2.13
that I compiled your openssl on.

Another reason is that ubuntu is derived from debian, and therefore ubuntu-type
Puppies are also Debian-compatible Puppies.

The only real way to know is to try it. That's the way it is in PuppyLinux. It can't
break anything. There may be some other dependency I am not aware of on
Precise, but unfortunately, I don't read crystal balls for a living.

If it doesn't work properly, just send me feedback and I'll see what I can do.

Best regards to both of you.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
