Security hole in OpenSSL

Non release banter
KnallKopf
Samurai
Samurai
Posts: 134
Joined: 18 Sep 2012, 20:56
Distribution: Porteus 64bit KDE4
Location: Absurdistan

Security hole in OpenSSL

Post#1 by KnallKopf » 09 Apr 2014, 17:36

here is a big security hole in the OpenSSL library.

quote from http://heartbleed.com:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
This weakness allows stealing the information protected, under normal conditions,
by the SSL/TLS encryption used to secure the Internet.
SSL/TLS provides communication security and privacy over the Internet for applications such as web, email,
instant messaging (IM) and some virtual private networks (VPNs).
I found the information in german here:
http://www.heise.de/newsticker/meldung/ ... 65517.html

In english see here:
http://heartbleed.com
https://www.openssl.org
https://www.openssl.org/news/secadv_20140407.txt

quote from http://heartbleed.com:
What versions of the OpenSSL are affected?

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
For the Porteus 64bit version:
Version on Porteus = 1.0.1f
It exist right working source directory, with the 1.0.1g version here,
But i miss finished package.
So i have make a build-script that use the slackware build-scripts from the source.
You can download here. (run the script as root / tested on Porteus 64bit v3.0 KDE with 05-devel.xzm)

If you are lazy you can download finished package here: openssl-1.0.1g-x86_64-1KnKo.xzm
md5sum: 936227691b29cf2d7078e34c15d644d3

thereby obtained openssl-solibs-1.0.1g-x86_64-1KnKo.xzm
md5sum: 91be332e3b83660efa91603474397031

For the i486 version:
I have not yet dealt with

User avatar
freestyler
Contributor
Contributor
Posts: 384
Joined: 17 Oct 2013, 14:21
Distribution: Porteus XFCE

Re: Security hole in OpenSSL

Post#2 by freestyler » 09 Apr 2014, 22:40

Thanks for the heads up
https://www.porteus-apps.org

User avatar
brokenman
Site Admin
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: Security hole in OpenSSL

Post#3 by brokenman » 10 Apr 2014, 01:16

Yeah thanks. Because of this I just realized that USM is not pulling slackware patches correctly.

Get your latest update from here:

http://carroll.aset.psu.edu/pub/linux/d ... /packages/
http://carroll.aset.psu.edu/pub/linux/d ... /packages/
How do i become super user?
Wear your underpants on the outside and put on a cape.

User avatar
francois
Contributor
Contributor
Posts: 6434
Joined: 28 Dec 2010, 14:25
Distribution: xfce plank porteus nemesis
Location: Le printemps, le printemps, le printemps... ... l'hiver s'essoufle.

Re: Security hole in OpenSSL

Post#4 by francois » 10 Apr 2014, 12:02

Are thé porteus iso frère of that bug?
Prendre son temps, profiter de celui qui passe.

User avatar
brokenman
Site Admin
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: Security hole in OpenSSL

Post#5 by brokenman » 10 Apr 2014, 14:42

Yes. Please update:

Code: Select all

usm -u slackwarepatches
usm -g openssl
How do i become super user?
Wear your underpants on the outside and put on a cape.

donald
Full of knowledge
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Security hole in OpenSSL

Post#6 by donald » 10 Apr 2014, 14:47

@francois
what do you mean with "frère" ?
about the bug:
type openssl version in cli - if you do NOT see "OpenSSL 1.0.1g 7 Apr 2014" - update..

User avatar
Hamza
Warlord
Warlord
Posts: 1908
Joined: 28 Dec 2010, 07:41
Distribution: Porteus
Location: France

Re: Security hole in OpenSSL

Post#7 by Hamza » 10 Apr 2014, 14:48

donald wrote:@francois
what do you mean with "frère" ?
about the bug:
type openssl version in cli - if you do NOT see "OpenSSL 1.0.1g 7 Apr 2014" - update..
He means "Are the Porteus ISOs free of that bug?"
NjVFQzY2Rg==

donald
Full of knowledge
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Security hole in OpenSSL

Post#8 by donald » 10 Apr 2014, 14:56

Hi Hamza
Thanks for solving the riddle... :wink:

User avatar
francois
Contributor
Contributor
Posts: 6434
Joined: 28 Dec 2010, 14:25
Distribution: xfce plank porteus nemesis
Location: Le printemps, le printemps, le printemps... ... l'hiver s'essoufle.

Re: Security hole in OpenSSL

Post#9 by francois » 10 Apr 2014, 15:07

francois wrote:Are thé porteus iso frère of that bug?
Sorry everybody. I wrote that from my android phone, the french corrector was in action. It should have been:

Are the porteus iso free of that bug?

Here in Canada, this bug was one of the main actuality news in the last few days. The government of Canada, income tax service deparment, has decided to close all its internet services in the last days because of that bug.

Given the type of problem it seems to be,I do not understand why they could not fix it readily with that solution to OpenSSL?
Prendre son temps, profiter de celui qui passe.

User avatar
brokenman
Site Admin
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: Security hole in OpenSSL

Post#10 by brokenman » 10 Apr 2014, 16:44

No problem. I read you message correctly but answered correctly. I meant to say NO! Please update. You can update through USM.
How do i become super user?
Wear your underpants on the outside and put on a cape.

User avatar
Hamza
Warlord
Warlord
Posts: 1908
Joined: 28 Dec 2010, 07:41
Distribution: Porteus
Location: France

Re: Security hole in OpenSSL

Post#11 by Hamza » 10 Apr 2014, 16:44

Hi francois,

This bug is really annoying in IT departments. In fact, this bug forces every ones to regenerate all security keys built using (and running on) OpenSSL because this was possible to retrieve some fragments (64 kb) of server's RAM ... we all think about private keys that are used to encrypt our communications.

Thanks, Hamza
NjVFQzY2Rg==

User avatar
francois
Contributor
Contributor
Posts: 6434
Joined: 28 Dec 2010, 14:25
Distribution: xfce plank porteus nemesis
Location: Le printemps, le printemps, le printemps... ... l'hiver s'essoufle.

Re: Security hole in OpenSSL

Post#12 by francois » 10 Apr 2014, 17:53

@brokenman, hamza:

Thanks for your explanations. :)
Prendre son temps, profiter de celui qui passe.

User avatar
wread
Module Guard
Module Guard
Posts: 1255
Joined: 09 Jan 2011, 18:48
Distribution: Porteus v5.0-kde-64 bits
Location: Santo Domingo
Contact:

Re: Security hole in OpenSSL

Post#13 by wread » 14 Apr 2014, 22:03

The TOR project updated tor to version 0.2.4.21 because of this openssl-bug. The new version of tor for 32-bits is here
Porteus is proud of the FASTEST KDE ever made.....(take akonadi, nepomuk and soprano out and you will have a decent OS).
The Porteus Community never sleeps!

Post Reply