Drownattack: https vulnerability


Post#1 by ncmprhnsbl » 05 Mar 2016, 21:26

If you do anything secure online (banking, buying stuff, etc.), there has been a vulnerability discovered in servers supporting (not using) SSLv2...
For more info and to check a site, go here:
https://drownattack.com/#check
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44


Post#2 by donald » 05 Mar 2016, 21:45



Post#3 by Ed_P » 05 Mar 2016, 22:54

I wonder if Porteus Updater will have a patch for this in the near future.


-update-

Till then, USM works.

Code:

root@porteus:/home/guest# usm -s openssl-1.0.1s

openssl-1.0.1s-x86_64-1_slack14.1.txz was found in slackwarepatches [upgrade]
Packages found:   1 
Ed


Post#4 by donald » 06 Mar 2016, 01:19

^
upgrade the "openssl-solibs" too.

btw
there is also the upgradepkg tool -- (useful only if you save changes)
as root:
upgradepkg --help


Post#5 by Ed_P » 06 Mar 2016, 03:37

donald wrote:^
upgrade the "openssl-solibs" too.
Are you saying USM is missing a dependency for this module?

Anyway to have USM put both downloads into a single module?

-edit-

Yup. USM Tools. :good:
btw
there is also the upgradepkg tool -- (useful only if you save changes)
as root:
upgradepkg --help
Does this work with changes=EXIT? I don't have Porteus installed, I boot ISOs.
Ed


Post#6 by donald » 06 Mar 2016, 12:23

Hi Ed

dependency?..
I would say it's more like a pair of shoes, they belong together.
openssl-solibs (OpenSSL shared libraries)
These shared libraries provide encryption routines required by
programs such as openssh, bind, sendmail, and many others.
Does this work with changes=EXIT?
I see no reason why not, but I just woke up.. :wink:
try it, reboot and check in a terminal with:
openssl version


Post#7 by Ed_P » 06 Mar 2016, 19:50

donald wrote:dependency?..
I would say it's more like a pair of shoes,they belong together.
If the fix for the security leak requires the solibs to fix the leak, I would say the solibs are a dependency of the fix.
try it, reboot and check in a terminal with:
openssl version
Well with the xzm module approach and both files I see:

Code:

guest@porteus:~$ openssl
OpenSSL> version
OpenSSL 1.0.1h 5 Jun 2014
OpenSSL> 
So, something isn't working. :(


-edit-

Code:

guest@porteus:~$ ls /mnt/live/memory/images/open*.xzm
openssl-1.0.1s-x86_64-1_slack14.1.txz
openssl-solibs-1.0.1s-x86_64-1_slack14.1.txz
guest@porteus:~$ 
:no:


-edit-

Rebuilt the combined module:

Code:

guest@porteus:~$ ls /mnt/live/memory/images/open*.xzm
openssl-1.0.1s-x86_64-1_slack14.1.xzm*
openssl-solibs-1.0.1s-x86_64-1_slack14.1.xzm*
guest@porteus:~$ openssl
OpenSSL> version
OpenSSL 1.0.1h 5 Jun 2014
OpenSSL> 


:wall:
Ed


Post#8 by ncmprhnsbl » 06 Mar 2016, 22:11

My reading of this is that it's a server-side issue... that is, there's nothing the user can do, except wait for sites to fix it....


Post#9 by donald » 06 Mar 2016, 22:22

@ Ed
Did you reboot?... Activating the modules while porteus is running isn't sufficient.
(load the modules at boot up)

Code:

guest@localhost:~$ openssl version
OpenSSL 1.0.1s  1 Mar 2016


Post#10 by Ed_P » 06 Mar 2016, 23:15

donald wrote:@ Ed
Did you reboot?...to activate the modules while porteus is running isn't sufficient.
(load the modules at boot up)
I had not. But now I have.

Code:

guest@porteus:~$ openssl version
OpenSSL 1.0.1h 5 Jun 2014
guest@porteus:~$ 

Code:

guest@porteus:~$  ls -l /mnt/live/memory/images/open*.xzm
total 4364
-rwxrwxrwx 1 root root 3018752 Mar  6  2016 openssl-1.0.1s-x86_64-1_slack14.1.xzm*
-rwxrwxrwx 1 root root 1449984 Mar  6  2016 openssl-solibs-1.0.1s-x86_64-1_slack14.1.xzm*
guest@porteus:~$ 
 
:no:
Ed


Post#11 by donald » 07 Mar 2016, 02:56

@ Ed
Are you sure your combined module is OK?
I took both packages from slackware, converted them to xzm and merged them to openssl.xzm.
To be as close as possible to your iso installation I made a fresh 3.1 install on sda1;
placed the openssl.xzm in a folder named test on sda2; boot up with
extramod=/mnt/sda2/test
and it worked.

Code:

guest@porteus:~$ openssl version
OpenSSL 1.0.1s  1 Mar 2016
guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
total 0
drwxr-xr-x 4 root root  44 Mar  2 23:03 etc/
drwxr-xr-x 2 root root 195 Mar  7 02:29 lib/
drwxr-xr-x 7 root root  98 Mar  2 23:03 usr/
drwxr-xr-x 3 root root  26 Mar  7 02:29 var/
guest@porteus:~$
(your ls -l output looks somehow not right)


Post#12 by Ed_P » 07 Mar 2016, 03:44

donald wrote:@ Ed
Are you sure your combined module is OK?
No. :(
I took both packages from slackware, converted them to xzm and merged them to openssl.xzm.
I used USM GUI to download them and convert them and merge them.

Code:

guest@porteus:~$ openssl version
OpenSSL 1.0.1s  1 Mar 2016
guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
total 0
drwxr-xr-x 4 root root  44 Mar  2 23:03 etc/
drwxr-xr-x 2 root root 195 Mar  7 02:29 lib/
drwxr-xr-x 7 root root  98 Mar  2 23:03 usr/
drwxr-xr-x 3 root root  26 Mar  7 02:29 var/
guest@porteus:~$
(your ls -l output looks somehow not right)
I agree.


Let me try this again. I'll get back to you.

BTW Thanks for helping donald. :friends:



-edit-

Ok. Used USM to download the new openssl module.
Used USM to convert it to a module.
Rebooted.

Code:

guest@porteus:~$ openssl version
OpenSSL 1.0.1s  1 Mar 2016
guest@porteus:~$ 
No openssl-solibs module. No merge.

Code:

guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
total 0
drwxr-xr-x 4 root root  44 Mar  1 20:11 etc/
drwxr-xr-x 2 root root 105 Mar  6 22:48 lib64/
drwxr-xr-x 7 root root 100 Mar  1 20:11 usr/
drwxr-xr-x 3 root root  26 Mar  6 22:48 var/
guest@porteus:~$ 
:Bravo:
Ed


Post#13 by donald » 07 Mar 2016, 04:30

one down, one to go... :wink:


Post#14 by Ed_P » 07 Mar 2016, 05:04

Based on what I am seeing I'm not sure I need "one to go".

Any command to confirm that?
Ed


Post#15 by donald » 07 Mar 2016, 12:47

You don't want the matching solibs package?
check which you already have

Code:

ls /var/log/packages | grep openssl
Well, I don't know (exactly) which programs rely on the solibs package.
for example: -- old one --

Code:

root@porteus:/home/guest# usm -g openjre

 The following items were found.
 Choose an number to confirm.
 ctrl+c to quit

1) openjre-7u51_b31-i486-2gv.txz     3) openjre-7u79_b14-i486-2sl.txz
2) openjre-7u79_b14-i486-2alien.txz
#? 3

Processing:   openjre-7u79_b14-i486-2sl.txz
...
 The following packages are required.
aaa_elflibs-14.1-i486-3.txz [4708K] [installed]
openjre-7u79_b14-i486-2sl.txz [40023K] [not installed]
openssl-solibs-1.0.1e-i486-1.txz [1208K] [not installed]
IMHO it doesn't hurt to have a matching pair... 8)

EDIT
oops..
there is no solibs package in 3.1 by default..(xfce-32-bit)
we had / have it in 2.0 -- by default
Lesson learned > DO NOT ASSUME.. :oops:
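As an added example (not code from the thread or from Porteus), a small POSIX shell script that makes the two checks discussed above mechanical: that the openssl and openssl-solibs entries in a package log directory (/var/log/packages on Porteus, the path donald greps) are the same version, and that the version `openssl version` reports is the one the installed package claims, which is how Ed's not-yet-loaded module showed up as 1.0.1h. The package log directory and the `openssl version` output line are passed in as parameters, and the sample directories below are constructed, not real installs.

```shell
# Slackware package log entries are named name-version-arch-build,
# e.g. openssl-1.0.1s-x86_64-1_slack14.1.  Print the version of package
# $1 found in log directory $2, or fail if there is no entry.
pkg_version() {
    # "$1-[0-9]*" keeps openssl-solibs-* from matching a query for openssl.
    for f in "$2"/"$1"-[0-9]*; do
        [ -e "$f" ] || return 1        # glob did not match anything
        b=${f##*/}                     # basename
        b=${b#"$1"-}                   # 1.0.1s-x86_64-1_slack14.1
        printf '%s\n' "${b%%-*}"       # 1.0.1s
        return 0
    done
}

# Pass when openssl and openssl-solibs are installed at the same version
# (donald's "matching pair"); fail and explain otherwise.
check_openssl_pair() {
    v1=$(pkg_version openssl "$1") || { echo "openssl: not installed"; return 1; }
    v2=$(pkg_version openssl-solibs "$1") || { echo "openssl-solibs: not installed"; return 1; }
    if [ "$v1" = "$v2" ]; then
        echo "matching pair: openssl $v1 / openssl-solibs $v2"; return 0
    fi
    echo "mismatch: openssl $v1 vs openssl-solibs $v2"; return 1
}

# Pull the version field out of an `openssl version` line:
# "OpenSSL 1.0.1h 5 Jun 2014" -> 1.0.1h
running_version() {
    set -- $1
    printf '%s\n' "$2"
}

# Pass only when the binary actually in use reports the installed package's
# version; the thread's failure mode was package 1.0.1s but binary 1.0.1h.
check_active() {
    pkg=$(pkg_version openssl "$1") || return 1
    run=$(running_version "$2")
    [ "$pkg" = "$run" ]
}

# Constructed sample package logs (empty files named like real entries).
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/good" "$SAMPLE/mixed"
: > "$SAMPLE/good/openssl-1.0.1s-x86_64-1_slack14.1"
: > "$SAMPLE/good/openssl-solibs-1.0.1s-x86_64-1_slack14.1"
: > "$SAMPLE/mixed/openssl-1.0.1s-x86_64-1_slack14.1"
: > "$SAMPLE/mixed/openssl-solibs-1.0.1h-x86_64-1_slack14.1"
check_openssl_pair "$SAMPLE/good"
if ! check_openssl_pair "$SAMPLE/mixed"; then echo "upgrade openssl-solibs too"; fi
if ! check_active "$SAMPLE/good" "OpenSSL 1.0.1h 5 Jun 2014"; then
    echo "installed package not active: reboot with the module loaded"
fi
```

On a live Porteus system the same functions run as `check_openssl_pair /var/log/packages` and `check_active /var/log/packages "$(openssl version)"`.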
