"Low", "Medium" & “High

For discussions about security.
belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

"Low", "Medium" & “High

#1 Post by belham2 »

...jeez, they are already cracking the 1.1.0 openssl branch?? That was just released in August! Remember, 1.0.1 branch support stops at the end of this December. More than quite a few pups in Ally's repositories are affected....wonder how many users actually know about this or will ever know until it is....???

I sometimes think, Flash, the Murga-site needs some kind of popup or colored red-heading warning for the casual user (of the many puppies) who only sporadically drops by. These people may never know (until it is too late) that they may already have been pwned using a not critically updated puppy OS. These people either don't have the ability and/or time to stay on top of every security issue a puppy can present. Even when they try to go to their OS thread, where many of the builders/maintainers put critical updates (like openssl) in the thread, the updates are not made clear that they are even there. Color, bold, loud in-your-face notices would help mitigate that.

Some day, I am afraid, this is all going to come back and bite puppy land overall. It only takes one nasty instance, from a widely used distro, for all those years of puppy & pup-related goodwill to disappear. But, alas, guess this is just my opinion and maybe I am too paranoid.

Still, openssl is serious, despite what some here on murga think they know about how attacks on it operate.......those attacks, continually evolving, are the number one vector hackers use to go after any online financial info moving around..... :(

http://www.securityweek.com/openssl-pat ... rability-0
Last edited by belham2 on Thu 02 Nov 2017, 17:16, edited 1 time in total.

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#2 Post by bark_bark_bark »

I think it's time though that we made the switch from openssl to LibreSSL.
....

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#3 Post by rufwoof »

As they said, the OpenSSL team have released an update/fix today https://www.openssl.org/source/ ... but as of yet that's not rolled through the Debian mirrors. I did get some other updates today when I ran DebianDog apt-get update; apt-get upgrade, but it's still showing 1.0.1t in synaptic and not the newer 1.0.1u version.

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#4 Post by watchdog »

I have tested the previous release of openssl-1.0.2h for a long time in puppy 4.31 and wary-racy, so I hope for the best sharing the newly compiled openssl-1.0.2i for puppy4 and wary.

openssl-1.0.2i-p4-i486.pet:

https://drive.google.com/file/d/0B9iMb4 ... sp=sharing

openssl-1.0.2i_DEV-p4-i486.pet:

https://drive.google.com/file/d/0B9iMb4 ... sp=sharing

openssl-1.0.2i_DOC-p4-i486.pet:

https://drive.google.com/file/d/0B9iMb4 ... sp=sharing

openssl-1.0.2i-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4 ... sp=sharing

openssl-1.0.2i_DEV-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4 ... sp=sharing

openssl-1.0.2i_DOC-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4 ... sp=sharing

6502coder
Posts: 677
Joined: Mon 23 Mar 2009, 18:07
Location: Western United States

#5 Post by 6502coder »

Thanks watchdog. 1.0.2i has apparently already been superseded by 1.0.2j, in light of CVE-2016-7052. Does this affect your Puppy4 and Wary PETs?

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#6 Post by watchdog »

6502coder wrote: Thanks watchdog. 1.0.2i has apparently already been superseded by 1.0.2j, in light of CVE-2016-7052. Does this affect your Puppy4 and Wary PETs?
CVE-2016-7052 (OpenSSL advisory) [Moderate severity] 26th September 2016:
This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016. A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0 but was omitted from OpenSSL 1.0.2i. As a result any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. Reported by Bruce Stephens and Thomas Jakobi.

Fixed in OpenSSL 1.0.2j (Affected 1.0.2i)
You can test your browser with your current openssl at:

https://www.ssllabs.com/ssltest/viewMyClient.html

I'm now in racy using palemoon and openssl-1.0.2i and my result is:
Your user agent has good protocol support.
I'll compile openssl-1.0.2j in puppy 4.31 and wary in my spare time sharing the packages.

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#7 Post by watchdog »


6502coder
Posts: 677
Joined: Mon 23 Mar 2009, 18:07
Location: Western United States

#8 Post by 6502coder »

Thanks again, watchdog. My apologies, I should have noticed that the "j" fix was only a moderate severity issue. You da man!

Robert123
Posts: 362
Joined: Fri 20 May 2016, 05:22
Location: Pacific

Watchdog thanks

#9 Post by Robert123 »

Hi Watchdog,

Many thanks for the openssl update. Want to take this opportunity to thank you for the work you do for Wary and Puppy 4 and sacrificing a lot of your time to do so.

Robert
Devuan Linux, Stardust 013 (4.31) updated https://archive.org/details/Stardustpup013glibc2.10
s57(2018)barebone https://sourceforge.net/projects/puppy-linux-minimal-builds/files/s57%282018%29barebones.iso/download

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#10 Post by watchdog »

The openssl-1.0.2j-w5 update works for me also in lucid. You can test it in other unsupported puppies. For still supported puppies you can wait and grab the needed updates from the debian-slackware-ubuntu repositories.

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

Re: Watchdog thanks

#11 Post by watchdog »

Robert123 wrote:Hi Watchdog,

Many thanks for the openssl update. Want to take this opportunity to thank you for the work you do for Wary and Puppy 4 and sacrificing a lot of your time to do so.

Robert
Many thanks. Puppy is my hobby and so I play with it. But we all might thank the developers of puppy (BK, 01micko, 666philb, jamesbond and the others we know) who put their skills in this enterprise.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#12 Post by belham2 »


Watchdog, been meaning to post and reiterate what Robert123 said. 'Thank you' for compiling these.

I've a question about these: is there any reason the wary (w5) versions you compiled would not work in other 32-bit pups? Say like Micko's & Peebee's pups over the past year (specifically on the ones where they use Ubuntu Xenial as the base)? Or do your compiles only work for the Slacko-based pups??

I know you said we can try them in "other pup distros", but would I wreck a pup just by installing a compiled ssl.pet? (sorry if this sounds and/or is a stupid question).

Thanks for any reply!!

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#13 Post by watchdog »

belham2 wrote: I've a question about these: is there any reason the wary (w5) versions you compiled would not work in other 32-bit pups? Say like Micko's & Peebee's pups over the past year (specifically on the ones where they use Ubuntu Xenial as the base)? Or do your compiles only work for the Slacko-based pups??
I know that wary's libraries are built in T2 (linux from scratch). My experience suggests that what is compiled in wary has broad compatibility with more recent puppies. I tested my openssl-1.0.2j-w5 also in lucid and it works. Now I'm using old puppies and I have not tested my openssl in more recent puppies because there is no need. I think that when you have an officially maintained repository where you can grab what you need then it is more secure to use the patched openssl they propose (like ubuntu's packages). My compiled openssl-1.0.2j is intended for those puppies where there are no alternative packages to install to get a bugfixed openssl.
belham2 wrote: I know you said we can try them in "other pup distros", but would I wreck a pup just by installing a compiled ssl.pet? (sorry if this sounds and/or is a stupid question).
I test new packages with the usual care in my puppies: make a backup of the savefile and keep the new installed test packages only if they work after a careful testing. Someone says that core libraries should not be upgraded: I'm desperate because I don't want to abandon my old puppies for the security bugs. There is a lot of old hardware out there which needs old puppies.

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#14 Post by slavvo67 »

Thanks for the notification on this. I just compiled a pet for RUXerus64, which will also work in Barry's Xerus64 under the RUXerus64 link:

http://www.murga-linux.com/puppy/viewto ... 633#926633

sindi
Posts: 1087
Joined: Sun 16 Aug 2009, 13:30
Location: Ann Arbor MI USA

openssl update lupu 5.2.5

#15 Post by sindi »

Installed the j update and nothing broke that I know of. lupu 5.2.5
(which I use I think because it supports orinoco wifi cards).

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

openssl-1.0.2k-w5-i486.pet

#16 Post by watchdog »

Quickly tested.

openssl-1.0.2k-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4 ... sp=sharing

openssl_DEV-1.0.2k-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4 ... sp=sharing

openssl_DOC-1.0.2k-w5-i486.pet:

https://drive.google.com/file/d/0B9iMb4 ... sp=sharing

# openssl version -a
OpenSSL 1.0.2k  26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-elf
options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/ssl"
EDIT: new openssl-1.0.2l released in May 2017, compiled for puppy4 and wary5.

openssl-1.0.2.l-i486-w5.pet:

https://drive.google.com/file/d/0B9iMb4 ... sp=sharing

openssl_DEV-1.0.2l-i486-w5.pet:

https://drive.google.com/file/d/0B9iMb4 ... sp=sharing

openssl-1.0.2l-i486-p4.pet:

https://drive.google.com/file/d/0B9iMb4 ... sp=sharing

openssl_DEV-1.0.2l-i486-p4.pet:

https://drive.google.com/file/d/0B9iMb4 ... sp=sharing
Last edited by watchdog on Sat 29 Jul 2017, 06:07, edited 1 time in total.
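A small check a maintainer could run before and after installing one of these pets, added here as an example; it is not part of the thread or of watchdog's packages. It assumes the `openssl version` output format quoted above ("OpenSSL 1.0.2k  26 Jan 2017") and encodes only the version facts stated in this thread: 1.0.2i is hit by CVE-2016-7052 and fixed in 1.0.2j, and 1.0.1 support ended in December 2016.

```shell
#!/bin/sh
# Added example (not from the thread): compare the version that
# "openssl version" reports against the fixed releases named in this thread.
# Assumes the output format shown above ("OpenSSL 1.0.2k  26 Jan 2017").

# Turn "1.0.2k" into a sortable key "major minor patch letter-index", where
# no letter is 0, "a" is 1, ..., so that 1.0.2 < 1.0.2a < 1.0.2i < 1.0.2j.
version_key() {
    v=$1
    base=${v%%[a-z]*}            # "1.0.2"
    letter=${v#"$base"}          # "k" or empty
    letter=${letter%%[^a-z]*}    # keep only the letter itself
    if [ -z "$letter" ]; then
        idx=0
    else
        idx=$(( $(printf '%d' "'$letter") - 96 ))   # 'a' is 97 in ASCII
    fi
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    printf '%d %d %d %d\n' "$1" "$2" "$3" "$idx"
}

# Succeeds (exit 0) when version $1 is at least version $2.
version_ge() {
    set -- $(version_key "$1") $(version_key "$2")
    while [ $# -gt 4 ]; do
        [ "$1" -gt "$5" ] && return 0
        [ "$1" -lt "$5" ] && return 1
        shift                    # advances both keys by one field
    done
    return 0
}

# Classify one "openssl version" line using only what this thread states:
# 1.0.2i is the single release hit by CVE-2016-7052 (CRL use crashes; fixed
# in 1.0.2j) and 1.0.1 support ended in December 2016. Anything at or past
# 1.0.2j is only "past the fixes discussed here", nothing more.
check_openssl_line() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    [ -n "$ver" ] || { echo "unparsed: $1"; return 2; }
    case $ver in
        1.0.1*) echo "eol: $ver is on the 1.0.1 branch (support ended Dec 2016)"; return 1 ;;
        1.0.2i) echo "vulnerable: $ver crashes on CRLs (CVE-2016-7052), use 1.0.2j"; return 1 ;;
    esac
    if version_ge "$ver" 1.0.2j; then
        echo "ok: $ver is at or past 1.0.2j"; return 0
    fi
    echo "outdated: $ver predates 1.0.2j"; return 1
}

# Constructed sample line in the format posted above; on a live system use
# check_openssl_line "$(openssl version)" instead.
check_openssl_line "OpenSSL 1.0.2k  26 Jan 2017"
```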

corvus
Posts: 153
Joined: Fri 12 Jun 2015, 18:00
Location: In the peninsula shaped like a boot.

#17 Post by corvus »

Thank you so much watchdog. :D

Ciao
We are waves of the same sea, leaves of the same tree, flowers of the same garden.

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#18 Post by bigpup »

corvus wrote:Thank you so much watchdog. :D

Ciao
+1!!!!
Thanks for making these pets for Puppy. 8) :D
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected :shock:
YaPI(any iso installer)

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#19 Post by 8Geee »

watchdog...
I do not see this one (yet) on the slackware site as of Feb. 01.
What does the patch(es) address?

regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#20 Post by watchdog »

