
Openssl update to 1.0.1k

Posted: Sun 18 Jan 2015, 01:00
by 8Geee
A new security update to openssl. If one has the prior version (1.0.1j, 1.0.0o, or 0.9.88zc) there is at least one reason to upgrade. The "no-ssl3" fix can be worked-around, causing a denial of service (DoS). This latest version repairs that flaw. There is a write up in vulnerabilities.

The tar.bz can be found here along with an "L" version addressing a bug in windows/mac not security-related.

**Edit** The above link to the download is for developers/programmers of Puppies other than Slacko. Puppies based on Slackware can view any needed D/L's in MENU--> SETUP--> Updates Manager. Apologies for the lack of clarity.

Posted: Mon 19 Jan 2015, 21:31
by Scooby
Lucky for me then that I got the k-version :D

Posted: Tue 20 Jan 2015, 18:01
by watchdog
I share my newly compiled packages.

openssl-0.9.8ze-p4-i486.pet:

https://copy.com/IFkdp4Q6p3yBmtSw

openssl_DEV-0.9.8ze-p4-i486.pet:

https://copy.com/Tr3DzjaU9Hv2gppG

openssl-1.0.0q-w5-i486.pet:

https://copy.com/AQLQAw0tDFPviRD6

openssl_DEV-1.0.0q-w5-i486.pet:

https://copy.com/64j4gNAfKr4qgDR4

Thanks for the pets, but

Posted: Fri 23 Jan 2015, 21:39
by mikeslr
Hi watchdog,

I greatly appreciate your efforts to maintain Puppy Linux as a safe computing environment, and especially that you share your hard work with others.

Thank you for your recent pets.

I explore many Puppy variations. At any time I usually have five or more Pups which I try to keep up to date. The "oldest" Ubuntu based is the original Lupu 5.28. The most recent, Unicorn. My "Slacko" based are Slacko 5.6, Banksy based on 5.6, and rufwoof's variant based, I believe, on Slacko 5.3.3. I also have Carolina-Vanguard Release 2.

As you know, applications built for one Pup variant may not be compatible in Pups built from other sources. So it would be helpful if your pets' description indicated which Pup variant they were built for, and perhaps in which other Pup variants they might properly function.

If I were to guess, it would be that openssl-0.9.8ze-p4-i486.pet should function in debian and ubuntu based Pups; while openssl-1.0.0q-w5-i486.pet should function in wary/racy/saluki and the Carolinas.

But that's just a guess.

Thanks in advance.

mikesLr

Posted: Fri 23 Jan 2015, 22:18
by Semme
Slackware security advisories >> Ubuntu security notices << Pup requires manual update to stay current..

I don't profess to know much, but it surprises me that active members don't know where to look for these.

Furthermore, pay attention to what's on the table for each variant..

Posted: Sat 24 Jan 2015, 03:04
by musher0
Semme wrote:
> Slackware security advisories >> Ubuntu security notices << Pup requires manual update to stay current..
>
> I don't profess to know much, but it surprises me that active members don't know where to look for these.
>
> Furthermore, pay attention to what's on the table for each variant..

Thanks, Semme.

I'm on slacko-6.0b right now, and the slackware package you mentioned above
installed itself "just by clicking on it".

BFN.

musher0

Posted: Sat 24 Jan 2015, 03:13
by watchdog
@mikeslr

I compiled openssl for the only two old puppies I maintain which have no patches in official repositories. They are puppy 4.31 (the packages should work in all puppies of 4.xx series) and wary-racy (the packages should work in every release of wary-racy). For the other puppies you can easily find updated openssl in official repositories of other distros. Slacko 5.3x is slackware 13.37 based so you should look at:

http://mirrors.slackware.com/slackware/ ... /packages/

(install patched openssl and openssl-solibs).

Lucid is ubuntu lucid based and you should look at:

http://packages.ubuntu.com/lucid-updates/allpackages

(install patched openssl and libssl).

And so on. For recent puppies whose official repositories are still maintained you can just update packages in PPM and reinstall openssl by PPM. Some recent puppies have quickpet-updates managers: in tahr you just run quickpet. I don't know now if slacko 5.6 or 5.7 slackware 14.0 based have openssl patches in update manager. I'm now back to wary: my first love. I hope it's more clear.

Posted: Sat 24 Jan 2015, 03:35
by darry1966

Posted: Sat 24 Jan 2015, 05:32
by darry1966
Please excuse my manners. Thank you Watchdog for the update and your tireless vigilance supporting old Puppies.

Posted: Sat 24 Jan 2015, 10:56
by mikeb
> The "no-ssl3" fix can be worked-around, causing a denial of service (DoS).

So since I am not running a server do I need to bother with these 'fixes'?

mike

Posted: Sun 25 Jan 2015, 12:55
by watchdog
I am not an expert so I am asking you. Why do all linux distros provide openssl automatic updates to our pcs for this patch? Is there a possibility that our puppy pcs take acting as servers as consequence of malicious software? I also use sometimes to boot an old puppy and to surf the internet without security fears maintaining an updated puppy only to enjoy playing with software and online banking. How much have you to take care for security bugs in puppy software and in what circumstances? Although I think having an updated openssl package is one more our choice.

Posted: Sun 25 Jan 2015, 13:01
by mikeb
Ok well from what I read this security flaw applies to server usage...it does not turn your system into a server. In other words for desktop usage/internet browsing it appears the update/fix is not required.

Just wanted clarification before altering these core libraries.... I previously read the original problem did not apply to 0.9.8 but it appears this is no longer the case.

The bash update seems to be of similar nature...ie relevant to servers only.

mike

Posted: Mon 26 Jan 2015, 13:35
by Semme
Not that I understand "all things Internet," correct. Unless you're running a server, fix *not* required. Sensing an unsatisfactory response to Mike's initial post, I'm all for challenging folks to think, question and understand for themselves whether they should overreact to these types of advisories. :D Why bother? Because I possess a sense of responsibility.

Posted: Tue 27 Jan 2015, 11:24
by mikeb
I take precautions when necessary.... just trying to ascertain if this is necessary. All info points to a server vulnerability and takeover.

In the library where it appears to have no firewall... all ports are closed though....perhaps because I am not running a server.

mike

Posted: Sun 07 Feb 2016, 00:25
by robert_m
I am new to Puppy, and have Puppy 5.7.1 which I intend to use as portable desktop and to carry an encrypted file of financial information and passwords.

I have not figured out if openssl is part of that solution, but I checked my version

```
# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 15 15:27:09 UTC 2013
platform: debian-i386
options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
```

Do I need to upgrade? If so, can I do it with the package manager?

My thanks in advance,

Posted: Sun 07 Feb 2016, 01:10
by 8Geee
On your version;
MENU --> Setup --> Updates from Slackware
This will enlighten.

To view your present version
Open Terminal
type openssl version
exit when done

Regards
8Geee
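
Added example, not part of any post in this thread: a shell sketch that takes the first line of `openssl version` and tells whether it is older than the release named here for its branch. The baselines are assumptions drawn from the thread (1.0.1k from the first post, 0.9.8ze and 1.0.0q from watchdog's packages), and all function names are made up for this example.

```sh
#!/bin/sh
# Added example: order letter-suffixed OpenSSL versions (1.0.1j < 1.0.1k, 0.9.8zc < 0.9.8ze).

# ver_key VERSION -> sortable key, e.g. 1.0.1k -> 001.000.001.1k
# The suffix is prefixed with its length so that "" < "a" < "z" < "za".
ver_key() {
    num=${1%%[!0-9.]*}          # numeric part, e.g. 1.0.1
    suf=${1#"$num"}             # letter part, e.g. k, zc, or empty
    old_ifs=$IFS; IFS=.
    set -- $num                 # split the numeric part on dots
    IFS=$old_ifs
    printf '%03d.%03d.%03d.%d%s\n' "${1:-0}" "${2:-0}" "${3:-0}" "${#suf}" "$suf"
}

# ver_lt A B -> exit status 0 when A is strictly older than B
ver_lt() {
    ka=$(ver_key "$1"); kb=$(ver_key "$2")
    [ "$ka" != "$kb" ] &&
        [ "$(printf '%s\n%s\n' "$ka" "$kb" | LC_ALL=C sort | head -n 1)" = "$ka" ]
}

# version_from_banner 'OpenSSL 1.0.1 14 Mar 2012' -> 1.0.1
version_from_banner() {
    set -- $1
    printf '%s\n' "$2"
}

# baseline_for VERSION -> release named in this thread for that branch (assumption)
baseline_for() {
    case $1 in
        0.9.8*) echo 0.9.8ze ;;
        1.0.0*) echo 1.0.0q ;;
        1.0.1*) echo 1.0.1k ;;
        *)      return 1 ;;
    esac
}

# check_banner BANNER -> prints older, current or unknown-branch.
# "older" means "check your distro's advisories": distro builds can carry
# backported fixes under an unchanged upstream version string.
check_banner() {
    v=$(version_from_banner "$1")
    base=$(baseline_for "$v") || { echo unknown-branch; return; }
    if ver_lt "$v" "$base"; then echo older; else echo current; fi
}

# Sample input: the banner robert_m posted above.
check_banner 'OpenSSL 1.0.1 14 Mar 2012'
```

On a live system, call `check_banner "$(openssl version)"`; when the result is `older`, compare the `built on:` line of `openssl version -a` with the distro's security notices before replacing the library.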

Posted: Sun 07 Feb 2016, 07:52
by musher0
Hello all.

The revival of this thread prompted me to revisit the subject. So I compiled
openssl-1.0.2f on the DPup Wheezy I'm updating. This compilation should
work on any Puppy that has a (e)glibc of 2.13 or more.

(Typing `ldd --version` in terminal will tell you which version of (e)glibc your Puppy is using.)

You can download it as pets:
https://www.adrive.com/public/Knut3A/openssl-1.0.2f.pet (main archive)
https://www.adrive.com/public/7avQ9B/op ... 2f_man.pet (separate man files)

... or as an sfs for any Puppy:
https://www.adrive.com/public/WJrAAh/openssl-1.0.2f.sfs

I don't expect anything fishy: it compiled fine from the source at the openssl site
and I tested it on my system -- but let me know if you experience any problems.

openssl-1.0.2f is the latest stable version at this time. A version 1.1.0 exists, but
it is still being tested, and the authors do not recommend it for general use yet.

Enjoy! BFN.

Posted: Sun 07 Feb 2016, 11:15
by robert_m
8Geee wrote:
> On your version;
> MENU --> Setup --> Updates from Slackware
> This will enlighten.
>
> To view your present version
> Open Terminal
> type openssl version
> exit when done
>
> Regards
> 8Geee

It is not clear to me if this was intended to help me decide if I need an upgrade, or directed at another post.
I posted my version (OpenSSL 1.0.1 14 Mar 2012), and do not know which version is needed for Puppy 5.7.1 (which is not the slackware version: do I care about updates from slackware?) I'm new to Puppy, enlightenment comes slowly!

I failed to plainly ask "Is openssl a good tool to encrypt a single file for later viewing on a flash drive install?"

Posted: Sun 07 Feb 2016, 20:41
by 8Geee
Apologies robert_m, you are using debian-related. Nonetheless, there 'should' be some update available thru deb-repos if needed. Essentially server-certificates on both ends are affected.

Posted: Sun 07 Feb 2016, 22:20
by musher0
8Geee? robert_m?

Please get new glasses? Or maybe you unlearned how to read?

I spent over an hour compiling and uploading the most recent stable openssl for
you guys -- on a Debian Wheezy compatible pup.

You could say: "thank you."


@Robert:

Yes my package should be compatible with Puppy Precise 5.7.1 since that
PrecisePup uses glibc 2.15, a higher version retro-compatible with the glibc 2.13
that I compiled your openssl on.

Another reason is that ubuntu is derived from debian, and therefore ubuntu-type
Puppies are also Debian-compatible Puppies.

The only real way to know is to try it. That's the way it is in PuppyLinux. It can't
break anything. There may be some other dependency I am not aware of on
Precise, but unfortunately, I don't read crystal balls for a living.

If it doesn't work properly, just send me feedback and I'll see what I can do.

Best regards to both of you.