Drownattack: https vulnerability
Posted: 05 Mar 2016, 21:26
by ncmprhnsbl
if you do anything secure online (banking, buying stuff etc) there has been a vulnerability discovered in servers supporting (not using) SSLv2...
for more info and to check a site go here :
https://drownattack.com/#check
Re: Drownattack: https vulnerability
Posted: 05 Mar 2016, 21:45
by donald
Re: Drownattack: https vulnerability
Posted: 05 Mar 2016, 22:54
by Ed_P
I wonder if Porteus Updater will have a patch for this in the near future.
-update-
Till then, USM works.
Code:
root@porteus:/home/guest# usm -s openssl-1.0.1s
openssl-1.0.1s-x86_64-1_slack14.1.txz was found in slackwarepatches [upgrade]
Packages found: 1
Re: Drownattack: https vulnerability
Posted: 06 Mar 2016, 01:19
by donald
^
upgrade the "openssl-solibs" too.
btw
there is also the upgradepkg tool -- (useful only if you save changes)
as root:
upgradepkg --help
Re: Drownattack: https vulnerability
Posted: 06 Mar 2016, 03:37
by Ed_P
donald wrote: ^
upgrade the "openssl-solibs" too.
Are you saying USM is missing a dependency for this module?
Anyway to have USM put both downloads into a single module?
-edit-
Yup. USM Tools.
btw
there is also the upgradepkg tool -- (useful only if you save changes)
as root:
upgradepkg --help
Does this work with changes=EXIT? I don't have Porteus installed, I boot ISOs.
Re: Drownattack: https vulnerability
Posted: 06 Mar 2016, 12:23
by donald
Hi Ed
dependency?..
I would say it's more like a pair of shoes, they belong together.
openssl-solibs (OpenSSL shared libraries)
These shared libraries provide encryption routines required by
programs such as openssh, bind, sendmail, and many others.
Does this work with changes=EXIT?
I see no reason why not, but I just woke up..
try it, reboot and check in a terminal with:
openssl version
Re: Drownattack: https vulnerability
Posted: 06 Mar 2016, 19:50
by Ed_P
donald wrote: dependency?..
I would say it's more like a pair of shoes,they belong together.
If the fix for the security leak requires the solibs to fix the leak I would say the solibs are a dependency of the fix.
try it, reboot and check in a terminal with:
openssl version
Well with the xzm module approach and both files I see:
Code:
guest@porteus:~$ openssl
OpenSSL> version
OpenSSL 1.0.1h 5 Jun 2014
OpenSSL>
So, something isn't working.
-edit-
Code:
guest@porteus:~$ ls /mnt/live/memory/images/open*.xzm
openssl-1.0.1s-x86_64-1_slack14.1.txz
openssl-solibs-1.0.1s-x86_64-1_slack14.1.txz
guest@porteus:~$
-edit-
Rebuilt the combined module:
Code:
guest@porteus:~$ ls /mnt/live/memory/images/open*.xzm
openssl-1.0.1s-x86_64-1_slack14.1.xzm*
openssl-solibs-1.0.1s-x86_64-1_slack14.1.xzm*
guest@porteus:~$ openssl
OpenSSL> version
OpenSSL 1.0.1h 5 Jun 2014
OpenSSL>
Re: Drownattack: https vulnerability
Posted: 06 Mar 2016, 22:11
by ncmprhnsbl
my reading of this is that it's a server-side issue ... that is there's nothing the user can do, except wait for sites to fix it....
Re: Drownattack: https vulnerability
Posted: 06 Mar 2016, 22:22
by donald
@ Ed
Did you reboot?...to activate the modules while porteus is running isn't sufficient.
(load the modules at boot up)
Code:
guest@localhost:~$ openssl version
OpenSSL 1.0.1s 1 Mar 2016
Re: Drownattack: https vulnerability
Posted: 06 Mar 2016, 23:15
by Ed_P
donald wrote: @ Ed
Did you reboot?...to activate the modules while porteus is running isn't sufficient.
(load the modules at boot up)
I had not. But now I have.
Code:
guest@porteus:~$ openssl version
OpenSSL 1.0.1h 5 Jun 2014
guest@porteus:~$
Code:
guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
total 4364
-rwxrwxrwx 1 root root 3018752 Mar 6 2016 openssl-1.0.1s-x86_64-1_slack14.1.xzm*
-rwxrwxrwx 1 root root 1449984 Mar 6 2016 openssl-solibs-1.0.1s-x86_64-1_slack14.1.xzm*
guest@porteus:~$
Re: Drownattack: https vulnerability
Posted: 07 Mar 2016, 02:56
by donald
@ Ed
Are you sure your combined module is OK?
I took both packages from slackware, converted them to xzm and merged them to openssl.xzm.
To be as close as possible to your iso installation i made a fresh 3.1 install on sda1;
placed the openssl.xzm in a folder named test on sda2; boot up with
extramod=/mnt/sda2/test
and it worked.
Code:
guest@porteus:~$ openssl version
OpenSSL 1.0.1s 1 Mar 2016
guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
total 0
drwxr-xr-x 4 root root 44 Mar 2 23:03 etc/
drwxr-xr-x 2 root root 195 Mar 7 02:29 lib/
drwxr-xr-x 7 root root 98 Mar 2 23:03 usr/
drwxr-xr-x 3 root root 26 Mar 7 02:29 var/
guest@porteus:~$
(your ls -l output looks somehow not right)
Re: Drownattack: https vulnerability
Posted: 07 Mar 2016, 03:44
by Ed_P
donald wrote: @ Ed
Are you sure your combined module is OK?
No.
I took both packages from slackware, converted them to xzm and merged them to openssl.xzm.
I used USM GUI to download them and convert them and merge them.
Code:
guest@porteus:~$ openssl version
OpenSSL 1.0.1s 1 Mar 2016
guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
total 0
drwxr-xr-x 4 root root 44 Mar 2 23:03 etc/
drwxr-xr-x 2 root root 195 Mar 7 02:29 lib/
drwxr-xr-x 7 root root 98 Mar 2 23:03 usr/
drwxr-xr-x 3 root root 26 Mar 7 02:29 var/
guest@porteus:~$
(your ls -l output looks somehow not right)
I agree.
Let me try this again. I'll get back to you.
BTW Thanks for helping
donald.
-edit-
Ok. Used USM to download the new openssl module.
Used USM to convert it to a module.
Rebooted.
Code:
guest@porteus:~$ openssl version
OpenSSL 1.0.1s 1 Mar 2016
guest@porteus:~$
No openssl-solibs module. No merge.
Code:
guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
total 0
drwxr-xr-x 4 root root 44 Mar 1 20:11 etc/
drwxr-xr-x 2 root root 105 Mar 6 22:48 lib64/
drwxr-xr-x 7 root root 100 Mar 1 20:11 usr/
drwxr-xr-x 3 root root 26 Mar 6 22:48 var/
guest@porteus:~$
Re: Drownattack: https vulnerability
Posted: 07 Mar 2016, 04:30
by donald
one down, one to go...
Re: Drownattack: https vulnerability
Posted: 07 Mar 2016, 05:04
by Ed_P
Based on what I am seeing I'm not sure I need "one to go".
Any command to confirm that?
Re: Drownattack: https vulnerability
Posted: 07 Mar 2016, 12:47
by donald
You don't want the matching solibs package?
check which you already have
Code:
ls /var/log/packages | grep openssl
Well, I don't know (exactly) which programs rely on the solibs package.
for example: -- old one --
Code:
root@porteus:/home/guest# usm -g openjre
The following items were found.
Choose an number to confirm.
ctrl+c to quit
1) openjre-7u51_b31-i486-2gv.txz 3) openjre-7u79_b14-i486-2sl.txz
2) openjre-7u79_b14-i486-2alien.txz
#? 3
Processing: openjre-7u79_b14-i486-2sl.txz
...
The following packages are required.
aaa_elflibs-14.1-i486-3.txz [4708K] [installed]
openjre-7u79_b14-i486-2sl.txz [40023K] [not installed]
openssl-solibs-1.0.1e-i486-1.txz [1208K] [not installed]
IMHO it doesn't hurt to have a matching pair... 8)
EDIT
oops..
there is no solibs package in 3.1 by default..(xfce-32-bit)
we had / have it in 2.0 -- by default
Lesson learned > DO NOT ASSUME..
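The two checks donald points to in the thread (openssl version after a reboot, and ls /var/log/packages | grep openssl to see whether the openssl and openssl-solibs pair matches) scripted together, as an added example that is not part of the thread and not a Porteus or USM tool. The package-log directory it builds is constructed from the thread's package names, and the version comparison only covers the lettered 1.0.x numbering.

```shell
#!/bin/sh
# Added example, not from the thread: is the loaded OpenSSL at least the
# patched 1.0.1s, and do the openssl and openssl-solibs entries in the
# Slackware package log match? Only the lettered 1.0.x numbering is handled.
# Map "1.0.1h" to one integer: major/minor/fix weighted by position plus
# the patch letter (a=1 .. z=26, none = 0), so versions compare with -ge.
openssl_version_key() {
    base=$(printf '%s' "$1" | sed 's/[a-z]*$//')
    letter=$(printf '%s' "$1" | sed 's/^[0-9.]*//')
    maj=${base%%.*}; rest=${base#*.}; min=${rest%%.*}; fix=${rest#*.}
    pos=0
    [ -n "$letter" ] && pos=$(( $(printf '%d' "'$letter") - 96 ))
    echo $(( maj * 1000000 + min * 10000 + fix * 100 + pos ))
}

# "OpenSSL 1.0.1h 5 Jun 2014" -> "1.0.1h" (second word of the banner).
version_from_banner() { set -- $1; echo "$2"; }

# Succeeds when version $1 is at least version $2.
is_at_least() { [ "$(openssl_version_key "$1")" -ge "$(openssl_version_key "$2")" ]; }

# Version recorded for package $2 (openssl or openssl-solibs) in package-log
# directory $1, where entries are files such as
# openssl-solibs-1.0.1s-x86_64-1_slack14.1; prints nothing if absent.
logged_version() {
    for f in "$1/$2"-[0-9]*; do
        [ -e "$f" ] || return 0
        printf '%s\n' "${f##*/}" | sed "s/^$2-//; s/-.*//"
    done
}

# Constructed stand-in for /var/log/packages using the thread's package names.
make_sample_log() {
    d=$(mktemp -d)
    : > "$d/openssl-1.0.1s-x86_64-1_slack14.1"
    : > "$d/openssl-solibs-1.0.1s-x86_64-1_slack14.1"
    : > "$d/aaa_elflibs-14.1-x86_64-3"   # unrelated entry, must be ignored
    echo "$d"
}

# Demonstration on the two banners seen in the thread and the sample log.
for banner in "OpenSSL 1.0.1h 5 Jun 2014" "OpenSSL 1.0.1s 1 Mar 2016"; do
    v=$(version_from_banner "$banner")
    is_at_least "$v" 1.0.1s && echo "$v: patched" || echo "$v: needs upgrade"
done
log=$(make_sample_log)
echo "openssl=$(logged_version "$log" openssl) solibs=$(logged_version "$log" openssl-solibs)"
rm -r "$log"
```

To run it against a real Porteus box, replace the sample directory with /var/log/packages and the banners with the output of openssl version.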