Drownattack: https vulnerability

Posted: 05 Mar 2016, 21:26
by ncmprhnsbl
If you do anything secure online (banking, buying stuff, etc.), there has been a vulnerability discovered in servers supporting (not using) SSLv2...
For more info, and to check a site, go here:
https://drownattack.com/#check

Re: Drownattack: https vulnerability

Posted: 05 Mar 2016, 21:45
by donald

Re: Drownattack: https vulnerability

Posted: 05 Mar 2016, 22:54
by Ed_P
I wonder if Porteus Updater will have a patch for this in the near future.


-update-

Till then, USM works.

Code:

root@porteus:/home/guest# usm -s openssl-1.0.1s

openssl-1.0.1s-x86_64-1_slack14.1.txz was found in slackwarepatches [upgrade]
Packages found:   1 

Re: Drownattack: https vulnerability

Posted: 06 Mar 2016, 01:19
by donald
^
upgrade the "openssl-solibs" too.

btw
there is also the upgradepkg tool -- (useful only if you save changes)
as root:
upgradepkg --help

Re: Drownattack: https vulnerability

Posted: 06 Mar 2016, 03:37
by Ed_P
donald wrote:^
upgrade the "openssl-solibs" too.
Are you saying USM is missing a dependency for this module?

Anyway to have USM put both downloads into a single module?

-edit-

Yup. USM Tools. :good:
btw
there is also the upgradepkg tool -- (useful only if you save changes)
as root:
upgradepkg --help
Does this work with changes=EXIT? I don't have Porteus installed, I boot ISOs.

Re: Drownattack: https vulnerability

Posted: 06 Mar 2016, 12:23
by donald
Hi Ed

Dependency?..
I would say it's more like a pair of shoes, they belong together.
openssl-solibs (OpenSSL shared libraries)
These shared libraries provide encryption routines required by
programs such as openssh, bind, sendmail, and many others.
Does this work with changes=EXIT?
I see no reason why not, but I just woke up.. :wink:
try it, reboot and check in a terminal with:
openssl version

Re: Drownattack: https vulnerability

Posted: 06 Mar 2016, 19:50
by Ed_P
donald wrote: Dependency?..
I would say it's more like a pair of shoes, they belong together.
If the fix for the security leak requires the solibs to fix the leak, I would say the solibs are a dependency of the fix.
try it, reboot and check in a terminal with:
openssl version
Well with the xzm module approach and both files I see:

Code:

guest@porteus:~$ openssl
OpenSSL> version
OpenSSL 1.0.1h 5 Jun 2014
OpenSSL> 
So, something isn't working. :(


-edit-

Code:

guest@porteus:~$ ls /mnt/live/memory/images/open*.xzm
openssl-1.0.1s-x86_64-1_slack14.1.txz
openssl-solibs-1.0.1s-x86_64-1_slack14.1.txz
guest@porteus:~$ 
:no:


-edit-

Rebuilt the combined module:

Code:

guest@porteus:~$ ls /mnt/live/memory/images/open*.xzm
openssl-1.0.1s-x86_64-1_slack14.1.xzm*
openssl-solibs-1.0.1s-x86_64-1_slack14.1.xzm*
guest@porteus:~$ openssl
OpenSSL> version
OpenSSL 1.0.1h 5 Jun 2014
OpenSSL> 


:wall:

Re: Drownattack: https vulnerability

Posted: 06 Mar 2016, 22:11
by ncmprhnsbl
My reading of this is that it's a server-side issue... that is, there's nothing the user can do, except wait for sites to fix it....

Re: Drownattack: https vulnerability

Posted: 06 Mar 2016, 22:22
by donald
@ Ed
Did you reboot? Activating the modules while Porteus is running isn't sufficient.
(Load the modules at boot up.)

Code:

guest@localhost:~$ openssl version
OpenSSL 1.0.1s  1 Mar 2016

Re: Drownattack: https vulnerability

Posted: 06 Mar 2016, 23:15
by Ed_P
donald wrote: @ Ed
Did you reboot? Activating the modules while Porteus is running isn't sufficient.
(Load the modules at boot up.)
I had not. But now I have.

Code:

guest@porteus:~$ openssl version
OpenSSL 1.0.1h 5 Jun 2014
guest@porteus:~$ 

Code:

guest@porteus:~$  ls -l /mnt/live/memory/images/open*.xzm
total 4364
-rwxrwxrwx 1 root root 3018752 Mar  6  2016 openssl-1.0.1s-x86_64-1_slack14.1.xzm*
-rwxrwxrwx 1 root root 1449984 Mar  6  2016 openssl-solibs-1.0.1s-x86_64-1_slack14.1.xzm*
guest@porteus:~$ 
 
:no:

Re: Drownattack: https vulnerability

Posted: 07 Mar 2016, 02:56
by donald
@ Ed
Are you sure your combined module is OK?
I took both packages from Slackware, converted them to xzm and merged them into openssl.xzm.
To be as close as possible to your ISO installation, I made a fresh 3.1 install on sda1,
placed the openssl.xzm in a folder named test on sda2, booted up with
extramod=/mnt/sda2/test
and it worked.

Code:

guest@porteus:~$ openssl version
OpenSSL 1.0.1s  1 Mar 2016
guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
total 0
drwxr-xr-x 4 root root  44 Mar  2 23:03 etc/
drwxr-xr-x 2 root root 195 Mar  7 02:29 lib/
drwxr-xr-x 7 root root  98 Mar  2 23:03 usr/
drwxr-xr-x 3 root root  26 Mar  7 02:29 var/
guest@porteus:~$
(your ls -l output looks somehow not right)

Re: Drownattack: https vulnerability

Posted: 07 Mar 2016, 03:44
by Ed_P
donald wrote: @ Ed
Are you sure your combined module is OK?
No. :(
I took both packages from Slackware, converted them to xzm and merged them into openssl.xzm.
I used the USM GUI to download them, convert them and merge them.

Code:

guest@porteus:~$ openssl version
OpenSSL 1.0.1s  1 Mar 2016
guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
total 0
drwxr-xr-x 4 root root  44 Mar  2 23:03 etc/
drwxr-xr-x 2 root root 195 Mar  7 02:29 lib/
drwxr-xr-x 7 root root  98 Mar  2 23:03 usr/
drwxr-xr-x 3 root root  26 Mar  7 02:29 var/
guest@porteus:~$
(your ls -l output looks somehow not right)
I agree.


Let me try this again. I'll get back to you.

BTW Thanks for helping donald. :friends:



-edit-

Ok. Used USM to download the new openssl module.
Used USM to convert it to a module.
Rebooted.

Code:

guest@porteus:~$ openssl version
OpenSSL 1.0.1s  1 Mar 2016
guest@porteus:~$ 
No openssl-solibs module. No merge.

Code:

guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
total 0
drwxr-xr-x 4 root root  44 Mar  1 20:11 etc/
drwxr-xr-x 2 root root 105 Mar  6 22:48 lib64/
drwxr-xr-x 7 root root 100 Mar  1 20:11 usr/
drwxr-xr-x 3 root root  26 Mar  6 22:48 var/
guest@porteus:~$ 
:Bravo:

Re: Drownattack: https vulnerability

Posted: 07 Mar 2016, 04:30
by donald
one down, one to go... :wink:

Re: Drownattack: https vulnerability

Posted: 07 Mar 2016, 05:04
by Ed_P
Based on what I am seeing I'm not sure I need "one to go".

Any command to confirm that?

Re: Drownattack: https vulnerability

Posted: 07 Mar 2016, 12:47
by donald
You don't want the matching solibs package?
Check which you already have:

Code:

ls /var/log/packages | grep openssl
Well, I don't know (exactly) which programs rely on the solibs package.
For example: -- old one --

Code:

root@porteus:/home/guest# usm -g openjre

 The following items were found.
 Choose an number to confirm.
 ctrl+c to quit

1) openjre-7u51_b31-i486-2gv.txz     3) openjre-7u79_b14-i486-2sl.txz
2) openjre-7u79_b14-i486-2alien.txz
#? 3

Processing:   openjre-7u79_b14-i486-2sl.txz
...
 The following packages are required.
aaa_elflibs-14.1-i486-3.txz [4708K] [installed]
openjre-7u79_b14-i486-2sl.txz [40023K] [not installed]
openssl-solibs-1.0.1e-i486-1.txz [1208K] [not installed]
IMHO it doesn't hurt to have a matching pair... 8)

EDIT
oops..
there is no solibs package in 3.1 by default..(xfce-32-bit)
we had / have it in 2.0 -- by default
Lesson learned > DO NOT ASSUME.. :oops:
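The thread's two recurring checks are whether openssl and openssl-solibs are installed as a matching pair (the `ls /var/log/packages | grep openssl` check above) and whether the running `openssl version` actually reports the patched release (the check that kept failing until the modules were loaded at boot). The script below, added here as an example and not part of the forum discussion or of Porteus/USM, automates both. It parses Slackware package names of the form NAME-VERSION-ARCH-BUILD, as found in /var/log/packages, and the package lists and version strings it is run against are constructed sample data; on a real system the commented call at the bottom feeds it the live package list.

```shell
#!/bin/sh
# Added example: verify that openssl and openssl-solibs are installed at the
# same version, and that the running openssl binary reports that version.
# Package lists below are constructed sample data, not taken from a real box.

# Slackware package names look like NAME-VERSION-ARCH-BUILD. The name itself
# may contain dashes (openssl-solibs), so split from the right: drop the last
# three dash-separated fields to get the name, take the third-from-last as the version.
pkg_name() { echo "$1" | sed -E 's/-[^-]+-[^-]+-[^-]+$//'; }
pkg_version() { echo "$1" | sed -E 's/^.*-([^-]+)-[^-]+-[^-]+$/\1/'; }

# version_of LIST NAME: LIST is newline-separated package entries, i.e. what
# `ls /var/log/packages | grep openssl` prints. Prints NAME's version or nothing.
version_of() {
  list="$1"; want="$2"
  echo "$list" | while IFS= read -r p; do
    [ -n "$p" ] || continue
    if [ "$(pkg_name "$p")" = "$want" ]; then
      pkg_version "$p"
    fi
  done
}

# check_pair LIST: succeed only if openssl and openssl-solibs are both present
# and share one version (the "pair of shoes" check from the thread).
check_pair() {
  list="$1"
  v1=$(version_of "$list" openssl)
  v2=$(version_of "$list" openssl-solibs)
  if [ -z "$v1" ] || [ -z "$v2" ]; then
    echo "missing: openssl='$v1' openssl-solibs='$v2'"
    return 1
  fi
  if [ "$v1" != "$v2" ]; then
    echo "mismatch: openssl=$v1 openssl-solibs=$v2"
    return 1
  fi
  echo "ok: both at $v1"
  return 0
}

# runtime_matches VERSION_OUTPUT LIST: VERSION_OUTPUT is the line printed by
# `openssl version` ("OpenSSL 1.0.1s  1 Mar 2016"). Succeeds only if the
# running binary reports the same version as the installed openssl package,
# which catches the "package upgraded but old binary still running" state.
runtime_matches() {
  version_output="$1"; pkg_list="$2"
  running=$(echo "$version_output" | awk '{print $2}')
  installed=$(version_of "$pkg_list" openssl)
  [ -n "$running" ] && [ "$running" = "$installed" ]
}

# Constructed samples: a half-upgraded system and a consistent one.
SAMPLE_MIXED="openssl-1.0.1s-x86_64-1_slack14.1
openssl-solibs-1.0.1h-x86_64-1_slack14.1"
SAMPLE_OK="openssl-1.0.1s-x86_64-1_slack14.1
openssl-solibs-1.0.1s-x86_64-1_slack14.1"

# On a real Slackware or Porteus system, after a reboot:
#   check_pair "$(ls /var/log/packages | grep '^openssl')"
#   runtime_matches "$(openssl version)" "$(ls /var/log/packages | grep '^openssl')" && echo "runtime ok"
```

Note that the package-list check only proves what is recorded in /var/log/packages; it is the `openssl version` comparison that tells you the library in use on a running Porteus session is the patched one, which is why the thread's results only changed after a reboot with the modules loaded.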