GnuTLS and other recent Linux security bugs

6502coder
Posts: 677
Joined: Mon 23 Mar 2009, 18:07
Location: Western United States


#1 Post by 6502coder

Here are 3 links to very recent ZDnet articles. Can a knowledgeable guru comment on whether Puppy Linux users are at risk and what the prospects of getting fixes might be? I guess that Precise Puppy users might be able to get fixes from the Ubuntu repos, but what about Wary/Racy and 4.x users?

The uncertainty about getting fixes for these kinds of bugs is about the only thing that makes me hesitate to recommend Puppy more often.

"The security team behind the Debian distro are urging users to upgrade their Linux packages after patching a newly-found flaw in the Linux kernel...."

http://www.zdnet.com/patch-ready-for-ne ... 000030294/

"New OpenSSL breach is no Heartbleed, but needs to be taken seriously"

http://www.zdnet.com/new-openssl-breech ... TRE17cfd61

"Linux PCs running Ubuntu, Debian, and RedHat and an unknown number of applications are at risk again after researchers discovered a critical flaw in the GnuTLS secure communications library..."

http://www.zdnet.com/another-serious-gn ... 000030205/

balloon
Posts: 56
Joined: Thu 03 Oct 2013, 03:45
Location: Miyagi, Japan

#2 Post by balloon

When Heartbleed was shown, I took action to update OpenSSL.
This is because I judged Heartbleed to have a big adverse effect on Puppy.
There is no problem convinced that the correspondence is necessary for the recent security issues for the moment.

Versions such as Precise, Lucid (Ubuntu), Slacko (Slackware) and Dpup (Debian) are updated by packages of the reference distribution.
For these, the problem package can be updated using "Puppy Package Manager".

Because we can update packages with "apt", we do not have to worry about DebianDog.

Attention:
For Lucid, the server is now targeted for package updates.
Therefore the latest updated packages, such as OpenSSL, can be installed.
BALLOON a.k.a. Fu-sen. from Japan | ふうせん Fu-sen. (old: 2 8 6)

OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

#3 Post by OscarTalks

When the heartbleed bug was announced I compiled openssl-1.0.1g in Dpup Wheezy.

I later discovered that curl (and libcurl) was complaining about "no version information available" for libssl.so.*.

I don't think this is a fatal error but I was compiling icecast which depends on libcurl for directory listing and that feature wasn't working. Not sure if there is perhaps some other problem with curl as well.

Anyway, I compiled the latest curl-7.37.0 and that seems to have fixed everything.

So just to say that for anyone upgrading openssl, keep on the lookout to make sure other stuff is not getting broken. If I upgrade openssl to 1.0.1h now I will have to check curl again I suppose.

LATER:-
I compiled openssl-1.0.1h and installed it and my curl / libcurl package still seems to be OK. I have uploaded it to http://smokey01.com/OscarTalks but please NOTE that it is only for Dpup Wheezy and not other Pups.
Oscar in England