Puppy Linux Discussion Forum
CVE-2014-0160 OpenSSL Heartbleed
Moderators: Flash, Ian, JohnMurga
balloon


Joined: 02 Oct 2013
Posts: 36
Location: Miyagi, Japan

Posted: Tue 08 Apr 2014, 02:14    Post subject: CVE-2014-0160 OpenSSL Heartbleed
Subject description: Main target: Precise & Slacko; Information stored in memory is performed outside release of
 

A bug in OpenSSL has been discovered and is causing a lot of noise now.

http://heartbleed.com/
http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/
http://www.openssl.org/news/secadv_20140407.txt

As for the details: "main memory is released".
I think that this has a great effect on Puppy when using Frugal.
By its structure, Frugal keeps a file in main memory.
In other words, this problem might let the contents of the file be released to the outside.
It is necessary to package the latest version of OpenSSL.

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Mainly: Precise Puppy (Japanese Edition) Precise-571JP
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/

Last edited by balloon on Thu 10 Apr 2014, 09:28; edited 4 times in total
balloon


Joined: 02 Oct 2013
Posts: 36
Location: Miyagi, Japan

Posted: Tue 08 Apr 2014, 03:50    Post subject: Details: CVE-2014-0160 OpenSSL Heartbleed
Subject description: I made a .pet package of OpenSSL which solved the problem.
 

The target OpenSSL versions are 1.0.1 - 1.0.1f. Version 1.0.0 and earlier are not applicable.
Target Puppy versions (latest only):
  • Precise 5.7.1 (OpenSSL 1.0.1)
  • Slacko 5.7 (OpenSSL 1.0.1f)
Wary and Racy 5.5 are not applicable (OpenSSL 1.0.0d).

(The .pet package which I showed here was updated.
Please be careful about these later sentences)

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Mainly: Precise Puppy (Japanese Edition) Precise-571JP
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/

Last edited by balloon on Wed 09 Apr 2014, 21:54; edited 1 time in total
bigpup


Joined: 11 Oct 2009
Posts: 4616
Location: Charleston S.C. USA

Posted: Tue 08 Apr 2014, 21:59

In Slacko 5.7

The "Updates Manager" will have the openSSL 1.0.1g files for download and install.

_________________
I have found, in trying to help people, that the things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected Shocked
ThoriumBlvd


Joined: 04 Oct 2013
Posts: 86
Location: N.E. USA

Posted: Wed 09 Apr 2014, 00:10

Sorry for the X-post, but how can we ID the version in use? Mine only says version 1 (SYSV) in properties.
bigpup


Joined: 11 Oct 2009
Posts: 4616
Location: Charleston S.C. USA

Posted: Wed 09 Apr 2014, 00:57

Did you try this:

run a terminal, input the command:
Code:
openssl version

_________________
I have found, in trying to help people, that the things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected Shocked
balloon


Joined: 02 Oct 2013
Posts: 36
Location: Miyagi, Japan

Posted: Wed 09 Apr 2014, 01:08

About the .pet package shown here:
A problem may occur in applications that handle SSL, because of the location of the library.
Please be particularly careful about the behaviour of devx-related applications.
If you discover a problem, please report it here.

At the time of posting this, there is no plan to update the package.

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Mainly: Precise Puppy (Japanese Edition) Precise-571JP
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/
watchdog

Joined: 28 Sep 2012
Posts: 431

Posted: Wed 09 Apr 2014, 05:12

I compiled openssl-1.0.1g on my own in Precise 5.7.1 with:

Code:
./config --prefix=/usr -DOPENSSL_NO_HEARTBEATS
make
new2dir make install


I have noticed an odd behaviour. The command "new2dir make install" not only makes the split packages (main, DEV, DOC) but also installs the new openssl-1.0.1g without it showing in PPM. Without installing the newly compiled package, the output of "openssl version" gives the updated one after the compilation.
01micko


Joined: 11 Oct 2008
Posts: 7547
Location: qld

Posted: Wed 09 Apr 2014, 06:25

watchdog wrote:

Code:
./config --prefix=/usr -DOPENSSL_NO_HEARTBEATS
make
new2dir make install

Why? That's where the bug was and what is now fixed. You could have done that with the buggy source and the bug would be gone.

watchdog wrote:

I have noticed an odd behaviour. The command "new2dir make install" not only makes the split packages (main, DEV, DOC) but also installs the new openssl-1.0.1g without it showing in PPM. Without installing the newly compiled package, the output of "openssl version" gives the updated one after the compilation.

That's how new2dir works. It's a wrapper for make install using installwatch. That's how Barry designed it. If you don't want to install use make DESTDIR=/some/path install.

bigpup wrote:
The "Updates Manager" will have the openSSL 1.0.1g files for download and install.

True. However you may get a "failed" message. This is because the mirrors haven't caught up yet. This will be resolved in the next 24hrs I expect, however, since the heartbleed bug is mostly server side it may take longer. Anyone notice a large slow down in traffic speeds? I will add more mirrors at some point to default slacko for more choice. I added aarnet to my install and it worked fine as the mirror has caught up.

_________________
Woof Mailing List | keep the faith Cool |
watchdog

Joined: 28 Sep 2012
Posts: 431

Posted: Wed 09 Apr 2014, 07:14

01micko wrote:
watchdog wrote:

Code:
./config --prefix=/usr -DOPENSSL_NO_HEARTBEATS
make
new2dir make install

Why? That's where the bug was and what is now fixed. You could have done that with the buggy source and the bug would be gone.


Sorry. I have misunderstood the OpenSSL security advisory:

http://www.openssl.org/news/secadv_20140407.txt

01micko wrote:
watchdog wrote:

I have noticed an odd behaviour. The command "new2dir make install" not only makes the split packages (main, DEV, DOC) but also installs the new openssl-1.0.1g without it showing in PPM. Without installing the newly compiled package, the output of "openssl version" gives the updated one after the compilation.

That's how new2dir works. It's a wrapper for make install using installwatch. That's how Barry designed it. If you don't want to install use make DESTDIR=/some/path install.


Thanks for the explanation. I have learned something new to me.
01micko


Joined: 11 Oct 2008
Posts: 7547
Location: qld

Posted: Wed 09 Apr 2014, 08:08

watchdog wrote:
Sorry. I have misunderstood the OpenSSL security advisory:

http://www.openssl.org/news/secadv_20140407.txt.

No need for apologies. Glad you learned something. I didn't mean to come across harsh.. it's what happens when you bang your head on a thousand word essay. Rolling Eyes

_________________
Woof Mailing List | keep the faith Cool |
8-bit


Joined: 03 Apr 2007
Posts: 3282
Location: Oregon

Posted: Wed 09 Apr 2014, 09:07

In Blue Pup version 3, I get this for version of openssl.

OpenSSL 1.0.1f 6 Jan 2014

I do not know what f in the version represents though.
balloon


Joined: 02 Oct 2013
Posts: 36
Location: Miyagi, Japan

Posted: Wed 09 Apr 2014, 10:03

8-bit wrote:
In Blue Pup version 3, I get this for version of openssl.

OpenSSL 1.0.1f 6 Jan 2014

I do not know what f in the version represents though.

Unfortunately, it is subject to this problem.
Please try the .pet package.

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Mainly: Precise Puppy (Japanese Edition) Precise-571JP
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/
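
Added example (not part of any post in this thread, and not Puppy's or OpenSSL's own code): a POSIX shell helper that applies the version range given above (1.0.1 to 1.0.1f affected, 1.0.1g fixed, 1.0.0 and earlier not applicable) to the line printed by `openssl version`, and reports a build whose `openssl version -f` flags contain -DOPENSSL_NO_HEARTBEATS as having the heartbeat code compiled out. The function name, the result words and the sample lines are constructed for illustration; a distribution that ships the fix as a patch can keep an old version string, so "affected" means the package changelog still has to be checked.

```shell
#!/bin/sh
# heartbleed_status "<openssl version output>" ["<openssl version -f output>"]
# Prints: affected | heartbeat-disabled | not-affected | unknown
# Assumption: a -DOPENSSL_NO_HEARTBEATS build shows that define in its flags line.
heartbleed_status() {
    rest=${1#OpenSSL }                      # strip the leading product name
    [ "$rest" != "$1" ] || { echo unknown; return 0; }   # not an OpenSSL banner
    ver=${rest%% *}                         # "1.0.1f" or a vendor form like "1.0.1e-fips"
    ver=${ver%%-*}                          # drop the vendor suffix
    case $ver in
        1.0.1|1.0.1[a-f])                   # range named in the thread
            case ${2:-} in
                *-DOPENSSL_NO_HEARTBEATS*) echo heartbeat-disabled ;;
                *) echo affected ;;
            esac ;;
        1.0.1[g-z]|1.0.0*|0.9.*) echo not-affected ;;
        *) echo unknown ;;                  # outside what the thread covers
    esac
}

# Constructed sample banners (the 1.0.1f line is the one quoted in the thread).
for sample in "OpenSSL 1.0.1f 6 Jan 2014" \
              "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 1.0.0d 8 Feb 2011"; do
    printf '%-28s -> %s\n' "$sample" "$(heartbleed_status "$sample")"
done

# Check the running system when an openssl binary is on PATH.
if command -v openssl >/dev/null 2>&1; then
    printf 'this system: %s\n' \
        "$(heartbleed_status "$(openssl version)" "$(openssl version -f 2>/dev/null)")"
fi
```
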
ally


Joined: 19 May 2012
Posts: 779
Location: lincoln

Posted: Wed 09 Apr 2014, 10:15

thanks balloon

working well on slacko 5.7

Smile
balloon


Joined: 02 Oct 2013
Posts: 36
Location: Miyagi, Japan

Posted: Wed 09 Apr 2014, 10:25

In the case of Precise, there is the option of installing Ubuntu's .deb package.
However, when I tried installing the .deb package, Puppy was not able to get the latest OpenSSL.
In Ubuntu, this fix is offered as a patch.
This is why I had to make the .pet package.

_________________
BALLOON a.k.a. Fu-sen. ふうせん Fu-sen. (old: 2 8 6) from Japan
Mainly: Precise Puppy (Japanese Edition) Precise-571JP
Puppy Food ぱぴ〜ふ〜ど http://puppylinux-food.zohosites.com/
mavrothal


Joined: 24 Aug 2009
Posts: 1385

Posted: Wed 09 Apr 2014, 12:56

01micko wrote:
it's what happens when you bang your head on a thousand word essay. Rolling Eyes

Because they are too few or too many?... Twisted Evil

_________________
Kids all over the world go around with an XO laptop. They deserve one puppy (or many) too Very Happy