rufwoof wrote:
belham2 wrote:
Hi rg66n & everyone,
Have a question: I just booted up my X-Slacko-4.2 with XFCE, and noticed the openssl was still running openssl-1.0.1t.
So I opened Puppy Package Manager, updated, repos, and Slacko (14.1) had the openssl-1.0.1u patches. I installed them.
But I noticed the repository (14.1) doesn't have the latest openssl update from ~ 3 weeks ago, the openssl-1.0.1v. I went to the openssl website (been doing this alot recently, trying to get my & my family's pups up-to-date and secure), and this is what it says, among other things:
"Downloads
Our development is maintained in a git repository, which is accessible over the network and cloned on GitHub, at https://github.com/openssl/openssl. Please familiarize yourself with the license.
The table below lists the latest releases for every branch. (For an explanation of the numbering, see our release strategy.) All releases can be found at /source/old. A list of mirror sites can be found here.
Note: The latest stable version is the 1.1.0 series of releases. Also available is the 1.0.2 series. This is also our Long Term Support (LTS) version (support will be provided until 31st December 2019). The 1.0.1 version is currently only receiving security bug fixes and all support will be discontinued for this version on 31st December 2016. The 0.9.8 and 1.0.0 versions are now out of support and should not be used....."
Um, what are we users supposed to do? I assume (at least I was told today by peebee and sailor in another post) that up-to-date openssl's are in the slacko 14.2 repo, but I guess not here in the 14.1 repo. Do I have to delete my X-slacko XFCE install and wait for a new, updated ISO?? I know I can try to compile the openssl myself and install it, but my experiments (with other pup's, like peebee's xenial stuff and barry's quirky 8.0) at compiling over the last few days have been hit or miss.
Can I have some advice about this?? Rg66? Or, maybe, Geoffrey----any chance you could do an openssl-1.0.1v compile & upload?? (I hate asking you 'cause you already do so freaking much for Carolina-related things)
I just know openssl stuff is nothing to fool around with, especially with family members zooming all over the web, chatting, uploading, downloading, and into heavens-knows-what websites.....I figure it is wise to at least keep openssl (and the browsers) up-to-date.
I'm just not sure where to turn on the Murga forums anymore as no one, not even builders (except a few like Slavvo and Watchdog), seem to be keeping up-to-date with this very important component. They just say "check the repo!", and if it isn't there, you're out of luck, sucka!
I'm running Debian Stable with the security repository included in the updates set and currently that's running with openssl 1.0.1t
# openssl version
OpenSSL 1.0.1t 3 May 2016
Synaptic shows update 5 (1.0.1t-1+deb8u5) and a (first part of) changelog of
    openssl (1.0.1t-1+deb8u5) jessie-security; urgency=medium

      * The patch for CVE-2016-2182 was missing a fix. (Closes: #838652, #838659)

     -- Kurt Roeckx <kurt@roeckx.be>  Fri, 23 Sep 2016 19:48:42 +0200

    openssl (1.0.1t-1+deb8u4) jessie-security; urgency=medium

      * Fix CVE-2016-2177
      * Fix CVE-2016-2178
      * Fix CVE-2016-2179
      * Fix CVE-2016-2180
      * Fix CVE-2016-2181
      * Fix CVE-2016-2182
      * Fix CVE-2016-2183
      * Fix CVE-2016-6302
      * Fix CVE-2016-6303
      * Fix CVE-2016-6304
      * Fix CVE-2016-6306

     -- Kurt Roeckx <kurt@roeckx.be>  Wed, 21 Sep 2016 21:58:48 +0200

    openssl (1.0.1t-1+deb8u3) jessie; urgency=medium

      [ Kurt Roeckx ]
      * Fix length check for CRLs. (Closes: #826552)
Looks to me that 1.0.1t has been updated to account for the security issues that affected the prior version. Version 1.0.1u is only required in certain cases. From the openssl maintainers, the recent fixes only applied to 1.1.0a ... etc.
https://www.openssl.org/news/vulnerabilities.html
So running with a 1.0.1t looks as though that may be acceptable and updated to latest patches, depending upon the version that was previously being used/run, and according to what other programs may be installed (as I recall, when update 5 was installed a couple of weeks back there were a few other updated programs that came with that (that appeared to be related from what I briefly saw, but didn't take a great deal of interest/notice of)).
One of the main reasons I switched from pup to deb (frugally booted) is because of the easy eradication of updates/security patch concerns. apt-get update (to update the local repository), apt-get upgrade (to apply updates) ... and you're done. And running with the top of the tree (Debian in my case) best ensures whatever they're updating for the current stable/official version is most likely (very) ok. The downside being more (for me relatively inexpensive) disk space being used (full documentation set, full locale for 100's of locales ...etc).
Hi rufwoof,
Debian-based builds are a totally different thing----I don't even consider them in the same conversation with all other pup & pup-related builds when it comes to maintenance & ease of critical updates (as I have posted before & again posted in Fred's threads).
What is hard to understand is all the other pups. Builders, who do a fantastic job, intimate (when these questions are brought up, like I am doing now) and/or tell everyone to "go look what is in the repository...and if it's not there, you're SOL unless you want to compile it yourself". Too many builds I have seen (and personally used/tried) just shrug this stuff off, then all of a sudden you see some posters (concerned since openssl stuff is nothing to ever ignore) jump to life, like slavvo, like watchdog, like 8geee, rushing to get the openssl update (plus the GLIBC if it is necessary) patches out. You don't ever see this from other builders. There's never even a notification in their threads unless people like me start clamoring about it.
Understand I am not trying to be negative to the builders/maintainers. They do an incredible job and we'd have no pups in the first place without them. But that said, not everyone (like you and me, rufwoof) will download, say, a debian-live standard, and build our own system going forward from there---and never, ever have to worry about this security stuff. But since that isn't the case, I believe there needs to be some kind of thread warning system on murga by builders, warning people who come to builders' threads about critical security updates. Maybe put a large, colored alert notice in the first thread of that build, talking about the critical updates that the user should stay on top of if the builder can't do it, or if they can, this is what you do. Anybody remember the "bugfix" in Pup Tahr 6.0.5-----that was awesome!! Why can't that be continued and pushed throughout all large puppy & pup-related builds??
Instead, what you find on murga is that many builders/maintainers pass this responsibility off by saying it is the responsibility of both the user and--this is what kills me--it is the responsibility of "the repo". Christ, repos do not have responsibilities. And users? Here we are wanting to attract new users to puppy's overall and this is what is occurring?
I know I am going to be hated and reviled for bringing this up, but I believe builders (especially the big ones on murga here) should follow the examples of other smaller ones (again, 8Geee, Slavvo and even Fred) that do this. I started a thread in the "Security" section some weeks back, and you can tell which builders who care (the ones who responded) and which who don't (the ones who didn't and still don't).
Anyway, rg66's Xslacko-XFCE build is great, and I was just posting here in hopes we could figure out what to do as the latest patch is the "v" version, but the slacko 14.1 repository only has the "u". So, I was asking whether we should just wait for a new ISO from rg66 (if he is doing one), or is it possible he can get an update out for this. After all, any and all openssl versions relying on "1.0.1" will be officially ended as of the end of this December. This is going to affect about, in my estimation, ~80% (possibly higher) of the pups in existence today.
To wit, asking peebee about getting the latest openssl in LXPupXenial32 yesterday, he answered with the "repo" response. Well, unless I am mistaken, it is impossible to update his Xenial builds UNLESS you pull down the updated openssl (and/or patch), re-compile it yourself, and install it. The Puppy Package Manager in LxPupXenial32, even with Xenial repositories checked, would not show the last two latest revisions of openssl as being offered (even with ubuntu's crazy way in how they update an existing openssl build, they actually do denote what that re-built build date is: but in PPM, as of today, that build date is two removed from the latest).
How is that being secure? And how are users supposed to be aware??
There is so much time spent on compiling other things in the Murga puppy distros, even things to help arcane issues, yet when it comes to this security stuff that affects every user (especially security stuff like openssl and GLIBC----which I know, for GLIBC, is a b!tch to re-compile correctly, updating it without the update destroying a pup's current workings)....I just think something needs to change on murga.
Security has taken a back seat, and the attitude that seems to be intimated towards users is: "well, as a user, if you can't stay on top of it yourself, then you shouldn't be using a pup..."
Like I said, I will be hated for bringing this up. But somebody has to...otherwise pup's will never expand into the great, wild known yonder of those multitudes of users who need a bit of help. I'm not asking for the world here, just asking that any pup builder/maintainer stay on top of the critical system updates for their users. And openssl should be one of the ones at the very, very top. Unless, of course, no user of any pup distro ever uses it for browsing the Internet... in which case (or alternative world), since every pup user is a builder/coder/etc with no need for the Web, then there's zippo use to keep anything like openssl & other critical web-facing components up to date.
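The point rufwoof makes above, that a Debian package can still report "OpenSSL 1.0.1t" from openssl version while the +deb8uN revision carries backported CVE fixes, is easiest to check by reading the package changelog rather than the upstream version string. The following is an added example, not code from the thread or from any Puppy or Debian tool: it parses the changelog fragment quoted above (embedded here as constructed sample text), maps each CVE to the newest entry that mentions it (so the deb8u5 "patch was missing a fix" line correctly moves CVE-2016-2182's fix to deb8u5 rather than deb8u4), and reports whether a given installed package version covers a list of CVEs. The version ordering is a simplified approximation of dpkg's comparison, written for strings like 1.0.1t-1+deb8u5; it is an assumption of this example, not Debian's algorithm, and the dpkg-query call in the main block is only for running it on a real Debian system.

```python
import re
import subprocess

# Constructed sample: the top of the Debian jessie-security changelog for the
# openssl package, as quoted in the thread above (embedded data, not read from
# /usr/share/doc/openssl/changelog.Debian.gz).
CHANGELOG = """\
openssl (1.0.1t-1+deb8u5) jessie-security; urgency=medium

  * The patch for CVE-2016-2182 was missing a fix. (Closes: #838652, #838659)

 -- Kurt Roeckx <kurt@roeckx.be>  Fri, 23 Sep 2016 19:48:42 +0200

openssl (1.0.1t-1+deb8u4) jessie-security; urgency=medium

  * Fix CVE-2016-2177
  * Fix CVE-2016-2178
  * Fix CVE-2016-2179
  * Fix CVE-2016-2180
  * Fix CVE-2016-2181
  * Fix CVE-2016-2182
  * Fix CVE-2016-2183
  * Fix CVE-2016-6302
  * Fix CVE-2016-6303
  * Fix CVE-2016-6304
  * Fix CVE-2016-6306

 -- Kurt Roeckx <kurt@roeckx.be>  Wed, 21 Sep 2016 21:58:48 +0200

openssl (1.0.1t-1+deb8u3) jessie; urgency=medium

  [ Kurt Roeckx ]
  * Fix length check for CRLs. (Closes: #826552)
"""

# An entry header looks like: "openssl (1.0.1t-1+deb8u5) jessie-security; urgency=medium"
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+);", re.MULTILINE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return [(package_version, sorted CVE ids mentioned)], newest entry first."""
    entries = []
    headers = list(ENTRY_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        entries.append((m.group(2), sorted(set(CVE_RE.findall(body)))))
    return entries


def fix_versions(changelog):
    """Map each CVE to the NEWEST version whose entry mentions it.

    Conservative assumption: a later mention (e.g. "patch ... was missing a fix")
    means the earlier fix was incomplete, so the later revision is the real fix.
    """
    fixes = {}
    for version, cves in parse_changelog(changelog):  # newest first
        for cve in cves:
            fixes.setdefault(cve, version)
    return fixes


def _chunks(s):
    # Alternate non-digit / digit runs; digits become ints so deb8u10 > deb8u5.
    parts = re.split(r"(\d+)", s)
    return tuple(int(p) if i % 2 else p for i, p in enumerate(parts))


def version_key(version):
    """Simplified Debian version ordering key (assumption: no epochs or '~')."""
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return (_chunks(upstream), _chunks(revision))


def audit(installed_version, cves, changelog=CHANGELOG):
    """True per CVE if the installed version is at or past the entry that fixes it."""
    fixes = fix_versions(changelog)
    installed = version_key(installed_version)
    return {cve: (cve in fixes and version_key(fixes[cve]) <= installed) for cve in cves}


def installed_openssl_version():
    """Ask dpkg for the installed package version (Debian systems only)."""
    out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "openssl"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    try:
        version = installed_openssl_version()
    except (OSError, subprocess.CalledProcessError):
        version = "1.0.1t-1+deb8u4"  # constructed fallback for non-Debian hosts
    for cve, ok in audit(version, sorted(fix_versions(CHANGELOG))).items():
        print(f"{version}: {cve} {'covered' if ok else 'NOT covered'}")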