CVE-2014-0160 OpenSSL Heartbleed

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

CVE-2014-0160 OpenSSL Heartbleed

#1 Post by balloon »

An OpenSSL bug has been discovered and is making a lot of noise right now.

http://heartbleed.com/
http://techcrunch.com/2014/04/07/massiv ... -internet/
http://www.openssl.org/news/secadv_20140407.txt

As for the contents: "main memory is leaked".
I think this has a great effect on Puppy when run as a frugal install.
A frugal install keeps its files in main memory by design.
In other words, this problem might let the contents of those files leak to the outside.
It is necessary to package the latest edition of OpenSSL.
Last edited by balloon on Thu 10 Apr 2014, 13:28, edited 4 times in total.
BALLOON a.k.a. Fu-sen. from Japan | ふうせん Fu-sen. (old: 2 8 6)

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

Details: CVE-2014-0160 OpenSSL Heartbleed

#2 Post by balloon »

Affected OpenSSL versions: 1.0.1 - 1.0.1f. The 1.0.0 series and earlier are not affected.
Affected Puppy versions (latest only):
  • Precise 5.7.1 (OpenSSL 1.0.1)
  • Slacko 5.7 (OpenSSL 1.0.1f)
Wary and Racy 5.5 are not affected (OpenSSL 1.0.0d).

(The .pet package I posted here has since been updated.
Please be careful about the later posts.)
Last edited by balloon on Thu 10 Apr 2014, 01:54, edited 1 time in total.

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#3 Post by bigpup »

In Slacko 5.7, the "Updates Manager" will have the OpenSSL 1.0.1g files for download and install.
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected :shock:
YaPI(any iso installer)

ThoriumBlvd
Posts: 159
Joined: Fri 04 Oct 2013, 09:04
Location: N.E. USA

#4 Post by ThoriumBlvd »

Sorry for the X-post, but how can we ID the version in use? Mine only says version 1 (SYSV) in properties.

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#5 Post by bigpup »

Did you try this?

Run a terminal and enter the command:

    openssl version

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

#6 Post by balloon »

About the .pet package I posted:
a problem may occur in applications that handle SSL, depending on where the library is placed.
Please be particularly careful about the behaviour of devx-related applications.
If you discover a problem, please report it here.

At the time of this post there is no plan to update the package.

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#7 Post by watchdog »

I compiled openssl-1.0.1g myself in Precise 5.7.1 with:

    ./config --prefix=/usr -DOPENSSL_NO_HEARTBEATS
    make
    new2dir make install

I have noticed an odd behaviour. The command "new2dir make install" not only makes the split packages (main, DEV, DOC) but also installs the new openssl-1.0.1g without it showing in PPM. Without installing the newly compiled package, the output of "openssl version" gives the updated one after the compilation.

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#8 Post by 01micko »

watchdog wrote:

    ./config --prefix=/usr -DOPENSSL_NO_HEARTBEATS
    make
    new2dir make install

Why? That's where the bug was, and that is what is now fixed. You could have done that with the buggy source and the bug would be gone.

watchdog wrote: I have noticed an odd behaviour. The command "new2dir make install" not only makes the split packages (main, DEV, DOC) but also installs the new openssl-1.0.1g without it showing in PPM. Without installing the newly compiled package, the output of "openssl version" gives the updated one after the compilation.

That's how new2dir works. It's a wrapper for make install using installwatch. That's how Barry designed it. If you don't want to install, use make DESTDIR=/some/path install.

bigpup wrote: The "Updates Manager" will have the OpenSSL 1.0.1g files for download and install.

True. However, you may get a "failed" message. This is because the mirrors haven't caught up yet. I expect this will be resolved in the next 24 hrs; however, since the Heartbleed bug is mostly server side, it may take longer. Anyone notice a large slowdown in traffic speeds? I will add more mirrors at some point to default Slacko for more choice. I added aarnet to my install and it worked fine, as that mirror has caught up.
Puppy Linux Blog - contact me for access

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#9 Post by watchdog »

01micko wrote:

    watchdog wrote:

        ./config --prefix=/usr -DOPENSSL_NO_HEARTBEATS
        make
        new2dir make install

    Why? That's where the bug was, and that is what is now fixed. You could have done that with the buggy source and the bug would be gone.

Sorry. I had misunderstood the OpenSSL security advisory:

http://www.openssl.org/news/secadv_20140407.txt

01micko wrote:

    watchdog wrote: I have noticed an odd behaviour. The command "new2dir make install" not only makes the split packages (main, DEV, DOC) but also installs the new openssl-1.0.1g without it showing in PPM. Without installing the newly compiled package, the output of "openssl version" gives the updated one after the compilation.

    That's how new2dir works. It's a wrapper for make install using installwatch. That's how Barry designed it. If you don't want to install, use make DESTDIR=/some/path install.

Thanks for the explanation. I have learned something new.

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#10 Post by 01micko »

watchdog wrote: Sorry. I had misunderstood the OpenSSL security advisory:

http://www.openssl.org/news/secadv_20140407.txt

No need for apologies. Glad you learned something. I didn't mean to come across harsh; it's what happens when you bang your head on a thousand word essay. :roll:
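The exchange above turns on where the bug lived: the TLS heartbeat handler in 1.0.1 through 1.0.1f trusted the payload length declared in the message and copied that many bytes into its reply, and the 1.0.1g fix is a bounds check against the record length actually received (watchdog's -DOPENSSL_NO_HEARTBEATS instead compiles the handler out entirely). The following is an added C model of both handlers, written for this page; it is not OpenSSL's code and not part of the thread. The record layout, the constant names and the 16-byte padding follow the heartbeat extension and the advisory; struct hb_record, hb_respond_vulnerable, hb_respond_fixed, the arena and the "SECRET" marker are constructed for illustration, and the clamp to the arena exists only so the model never reads outside its own buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the TLS heartbeat handler in OpenSSL 1.0.1 .. 1.0.1f and of the
 * bounds check added in 1.0.1g. Constants follow the heartbeat extension. */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding the extension requires */

/* A received heartbeat record. `data` points into a larger arena so that an
 * over-long copy reads the bytes that follow the record, as it did from the
 * OpenSSL heap; `arena_end` exists only so this model never reads past our
 * own buffer. `length` is what the record layer actually received. */
struct hb_record {
    const unsigned char *data;
    size_t length;
    const unsigned char *arena_end;
};

typedef size_t (*hb_handler)(const struct hb_record *, unsigned char **);

/* Common tail: allocate and fill the response. `payload` is the length the
 * peer declared; `copy` is how many bytes the handler actually copies. */
static size_t hb_build_response(const unsigned char *pl, size_t payload,
                                size_t copy, unsigned char **out)
{
    unsigned char *bp = *out = calloc(1 + 2 + payload + HB_PADDING, 1);
    if (!bp) return 0;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);    /* s2n(payload, bp) */
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, copy);                     /* the copy Heartbleed abused */
    return 1 + 2 + payload + HB_PADDING;
}

/* 1.0.1f behaviour: the declared payload length is trusted. */
static size_t hb_respond_vulnerable(const struct hb_record *rec, unsigned char **out)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    size_t payload = ((size_t)p[0] << 8) | p[1];   /* n2s(p, payload): attacker-chosen */
    const unsigned char *pl = p + 2;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    /* The real code copies `payload` bytes unconditionally; the clamp below
     * only keeps this model inside its own arena (model-only assumption). */
    size_t avail = (size_t)(rec->arena_end - pl);
    return hb_build_response(pl, payload, payload < avail ? payload : avail, out);
}

/* 1.0.1g behaviour: discard records whose declared payload does not fit. */
static size_t hb_respond_fixed(const struct hb_record *rec, unsigned char **out)
{
    if (rec->length < 1 + 2 + HB_PADDING) return 0;         /* silently discard */
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    size_t payload = ((size_t)p[0] << 8) | p[1];
    const unsigned char *pl = p + 2;
    if (1 + 2 + payload + HB_PADDING > rec->length) return 0; /* the added check */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return hb_build_response(pl, payload, payload, out);
}

/* Constructed arena: a 21-byte heartbeat request declaring a 16384-byte payload
 * while carrying 2 bytes, followed by a "secret" that stands in for whatever
 * sat next to the record on the heap. */
static const unsigned char ARENA[] = {
    TLS1_HB_REQUEST, 0x40, 0x00,                    /* type, declared length 0x4000 */
    'h', 'i',                                       /* the 2 real payload bytes */
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, /* 16 bytes padding: record ends */
    'S', 'E', 'C', 'R', 'E', 'T', ':', ' ', 'k', 'e', 'y', ' ', 'b', 'y', 't', 'e', 's', 0
};
#define RECORD_LEN (1 + 2 + 2 + HB_PADDING)

/* Returns 1 if the handler's response to the constructed record carries the
 * secret that lies beyond the record, 0 if it does not (or sends nothing). */
static int leaks_secret(hb_handler handler)
{
    struct hb_record rec = { ARENA, RECORD_LEN, ARENA + sizeof ARENA };
    unsigned char *resp = NULL;
    size_t n = handler(&rec, &resp);
    int leaked = n > 3 && strstr((const char *)resp + 3, "SECRET") != NULL;
    free(resp);
    return leaked;
}

int main(void)
{
    printf("1.0.1f-style handler leaks secret: %d\n", leaks_secret(hb_respond_vulnerable));
    printf("1.0.1g-style handler leaks secret: %d\n", leaks_secret(hb_respond_fixed));
    return 0;
}
```

The fixed handler also keeps the declared length for a well-formed request, so a 2-byte payload declared as 2 in a 21-byte record still gets its reply; only the mismatch between declared and received length is dropped.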

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#11 Post by 8-bit »

In Blue Pup version 3, I get this for the version of openssl.

OpenSSL 1.0.1f 6 Jan 2014

I do not know what the f in the version represents, though.

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

#12 Post by balloon »

8-bit wrote: In Blue Pup version 3, I get this for the version of openssl.

OpenSSL 1.0.1f 6 Jan 2014

I do not know what the f in the version represents, though.

Unfortunately, that version is affected by this problem.
Please try the .pet package.

ally
Posts: 1957
Joined: Sat 19 May 2012, 19:29
Location: lincoln, uk

#13 Post by ally »

thanks balloon

working well on slacko 5.7

:)

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

#14 Post by balloon »

In the case of Precise, there is the option of installing Ubuntu's .deb package.
However, when I tried installing the .deb package, Puppy did not end up with the latest OpenSSL.
Ubuntu provides its fix as a patch.
That is why I had to make a .pet package.

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#15 Post by mavrothal »

01micko wrote:it's what happens when you bang your head on a thousand word essay. :roll:
Because they are too few or too many?... :twisted:
== Here is how to solve your Linux problems fast: http://www.catb.org/esr/faqs/smart-questions.html | https://www.chiark.greenend.org.uk/~sgtatham/bugs.html ==

chillinfart
Posts: 88
Joined: Mon 22 May 2006, 18:43

#16 Post by chillinfart »

bigpup wrote: In Slacko 5.7, the "Updates Manager" will have the OpenSSL 1.0.1g files for download and install.

OpenSSL 1.0.1g is now available from the official Slackware repo.

Anyway, thanks balloon for hotfix.

starhawk
Posts: 4906
Joined: Mon 22 Nov 2010, 06:04
Location: Everybody knows this is nowhere...

#17 Post by starhawk »

Just installed (successfully) the Slackware 14 *.txz for this, found at http://pkgs.org/slackware-14.0/slackwar ... 0.txz.html -- X-Slacko 1.1 has OpenSSL 1.0.1e by default, and I'm pretty sure that's an affected version.

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

updated .pet package of OpenSSL

#18 Post by balloon »

Because it was discovered that the library in the .pet file was not being applied,
I have withdrawn it for now.
Because the way it is applied changes with the version of OpenSSL,
I cannot produce an appropriate package.
I ask for support from someone who knows a lot about packaging OpenSSL.

As there is already a post about it,
there seems to be the option of applying the following package:
http://pkgs.org/download/openssl

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

#19 Post by balloon »

When you install the .deb package in Precise and the latest edition of OpenSSL is applied normally, it looks like this:

    sh-4.1# openssl version
    OpenSSL 1.0.1 14 Mar 2012
    sh-4.1# openssl version -b
    built on: Mon Apr  7 20:31:55 UTC 2014

Please be aware that Ubuntu copes with this by applying a patch, not by a version update.

A member of the Japanese Edition confirmed that the update is possible from the Puppy Package Manager.
Take this chance to update the package database so that it is the latest.
After starting the Puppy Package Manager:
Configure package manager - Update now (see the attached file)
The packages to apply are openssl_1.0.1 and libssl1.0.0_1.0.1.
Attachment: capture8957.jpg
Last edited by balloon on Thu 10 Apr 2014, 04:31, edited 6 times in total.
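The thread shows two traps in reading `openssl version` output: the letter suffix decides whether a 1.0.1 build is in the affected range (post #11's 1.0.1f is, Wary's 1.0.0d is not), and a distribution may patch without bumping the version, as the Ubuntu build above shows (version string still "1.0.1 14 Mar 2012", built on 7 Apr 2014). The following is an added C example written for this page, not part of the thread and not a Puppy tool: it parses those two lines and classifies the build. The two input lines from posts #11 and #19 are taken from the thread; the other sample lines are constructed. The affected range (1.0.1 through 1.0.1f plus the 1.0.2 betas) follows the OpenSSL advisory linked above; treating a build date on or after 2014-04-07 as "possibly backported" is a heuristic assumed here, not proof of a fix, so confirm against the distribution's changelog. The parser understands the 1.0.x output format only.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Result of checking an OpenSSL build against CVE-2014-0160. */
enum hb_status {
    HB_NOT_AFFECTED,        /* version outside the affected range */
    HB_AFFECTED,            /* 1.0.1 .. 1.0.1f (or a 1.0.2 beta), built before the fix */
    HB_POSSIBLY_BACKPORTED, /* affected version string, but built on/after 7 Apr 2014 */
    HB_UNKNOWN              /* version line not understood */
};

/* Date of the OpenSSL advisory and of 1.0.1g, as yyyymmdd. A build on or after
 * it with an old version string suggests a distribution backport (assumption
 * made for this example; verify against the package changelog). */
#define HB_FIX_DATE 20140407L

static const char *MONTHS[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };

/* Parse "OpenSSL 1.0.1f 6 Jan 2014" into major.minor.fix plus the patch
 * letter (0 when there is none, as in "OpenSSL 1.0.1 14 Mar 2012").
 * Returns 0 on success, -1 when the line is not understood. */
static int parse_openssl_version(const char *line, int *maj, int *min, int *fix,
                                 char *letter)
{
    char rest[16] = { 0 };
    if (sscanf(line, "OpenSSL %d.%d.%d%15s", maj, min, fix, rest) < 3)
        return -1;
    *letter = islower((unsigned char)rest[0]) ? rest[0] : 0;
    return 0;
}

/* Parse "built on: Mon Apr  7 20:31:55 UTC 2014" (the 1.0.x `openssl version -b`
 * format) into yyyymmdd. Returns 0 for anything else, including NULL and
 * "built on: date not available". */
static long parse_build_date(const char *line)
{
    char dow[4], mon[4], tz[8];
    int day, h, m, s, year;
    if (!line || sscanf(line, "built on: %3s %3s %d %d:%d:%d %7s %d",
                        dow, mon, &day, &h, &m, &s, tz, &year) != 8)
        return 0;
    for (int i = 0; i < 12; i++)
        if (strcmp(mon, MONTHS[i]) == 0)
            return (long)year * 10000 + (i + 1) * 100 + day;
    return 0;
}

/* Classify a build from its `openssl version` line and, optionally, its
 * `openssl version -b` line (pass NULL when unavailable). */
enum hb_status heartbleed_classify(const char *version_line, const char *build_line)
{
    int maj, min, fix;
    char letter;
    if (parse_openssl_version(version_line, &maj, &min, &fix, &letter) != 0)
        return HB_UNKNOWN;

    int affected = 0;
    if (maj == 1 && min == 0 && fix == 1 && letter <= 'f')   /* 1.0.1 .. 1.0.1f */
        affected = 1;
    if (maj == 1 && min == 0 && fix == 2 && strstr(version_line, "-beta"))
        affected = 1;                                         /* 1.0.2-beta1 per the advisory */
    if (!affected)
        return HB_NOT_AFFECTED;

    if (parse_build_date(build_line) >= HB_FIX_DATE)
        return HB_POSSIBLY_BACKPORTED;
    return HB_AFFECTED;
}

int main(void)
{
    static const char *names[] = { "not affected", "affected", "possibly backported", "unknown" };
    /* Two lines quoted from the thread (posts #11 and #19); the rest constructed. */
    printf("%s\n", names[heartbleed_classify("OpenSSL 1.0.1f 6 Jan 2014", NULL)]);
    printf("%s\n", names[heartbleed_classify("OpenSSL 1.0.1 14 Mar 2012",
                                             "built on: Mon Apr  7 20:31:55 UTC 2014")]);
    printf("%s\n", names[heartbleed_classify("OpenSSL 1.0.0d 8 Feb 2011", NULL)]);
    printf("%s\n", names[heartbleed_classify("OpenSSL 1.0.1g 7 Apr 2014", NULL)]);
    return 0;
}
```

On a live system, feed it the two lines from `openssl version` and `openssl version -b`; a "possibly backported" result is a prompt to check the package changelog (Ubuntu's fix kept the 1.0.1 string, as post #19 shows), not a clean bill of health.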

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#20 Post by bigpup »

balloon,

Thanks for posting about this and offering a fix!