
Security hole in OpenSSL

Posted: 09 Apr 2014, 17:36
by KnallKopf
There is a big security hole in the OpenSSL library.

quote from http://heartbleed.com:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
This weakness allows stealing the information protected, under normal conditions,
by the SSL/TLS encryption used to secure the Internet.
SSL/TLS provides communication security and privacy over the Internet for applications such as web, email,
instant messaging (IM) and some virtual private networks (VPNs).
I found the information in German here:
http://www.heise.de/newsticker/meldung/ ... 65517.html

In english see here:
http://heartbleed.com
https://www.openssl.org
https://www.openssl.org/news/secadv_20140407.txt

quote from http://heartbleed.com:
What versions of the OpenSSL are affected?

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
For the Porteus 64-bit version:
Version on Porteus = 1.0.1f
There is a working source directory with the 1.0.1g version here,
but the finished package is missing.
So I have made a build script that uses the Slackware build scripts on the source.
You can download it here. (Run the script as root / tested on Porteus 64-bit v3.0 KDE with 05-devel.xzm.)

If you are lazy, you can download the finished package here: openssl-1.0.1g-x86_64-1KnKo.xzm
md5sum: 936227691b29cf2d7078e34c15d644d3

Obtained along with it: openssl-solibs-1.0.1g-x86_64-1KnKo.xzm
md5sum: 91be332e3b83660efa91603474397031

For the i486 version:
I have not dealt with it yet.

Re: Security hole in OpenSSL

Posted: 09 Apr 2014, 22:40
by freestyler
Thanks for the heads up

Re: Security hole in OpenSSL

Posted: 10 Apr 2014, 01:16
by brokenman
Yeah thanks. Because of this I just realized that USM is not pulling slackware patches correctly.

Get your latest update from here:

http://carroll.aset.psu.edu/pub/linux/d ... /packages/
http://carroll.aset.psu.edu/pub/linux/d ... /packages/

Re: Security hole in OpenSSL

Posted: 10 Apr 2014, 12:02
by francois
Are thé porteus iso frère of that bug?

Re: Security hole in OpenSSL

Posted: 10 Apr 2014, 14:42
by brokenman
Yes. Please update:

Code:

usm -u slackwarepatches
usm -g openssl

Re: Security hole in OpenSSL

Posted: 10 Apr 2014, 14:47
by donald
@francois
what do you mean with "frère" ?
about the bug:
Type "openssl version" in the CLI; if you do NOT see "OpenSSL 1.0.1g 7 Apr 2014", update.

Re: Security hole in OpenSSL

Posted: 10 Apr 2014, 14:48
by Hamza
donald wrote:@francois
what do you mean with "frère" ?
about the bug:
Type "openssl version" in the CLI; if you do NOT see "OpenSSL 1.0.1g 7 Apr 2014", update.
He means "Are the Porteus ISOs free of that bug?"

Re: Security hole in OpenSSL

Posted: 10 Apr 2014, 14:56
by donald
Hi Hamza
Thanks for solving the riddle... :wink:

Re: Security hole in OpenSSL

Posted: 10 Apr 2014, 15:07
by francois
francois wrote:Are thé porteus iso frère of that bug?
Sorry everybody. I wrote that from my Android phone; the French corrector was in action. It should have been:

Are the porteus iso free of that bug?

Here in Canada, this bug was one of the main news items in the last few days. The Government of Canada's income tax service department has decided to close all its internet services in the last days because of that bug.

Given the type of problem it seems to be, I do not understand why they could not fix it readily with that solution to OpenSSL.

Re: Security hole in OpenSSL

Posted: 10 Apr 2014, 16:44
by brokenman
No problem. I read your message correctly but answered incorrectly. I meant to say NO! Please update. You can update through USM.

Re: Security hole in OpenSSL

Posted: 10 Apr 2014, 16:44
by Hamza
Hi francois,

This bug is really annoying in IT departments. In fact, this bug forces everyone to regenerate all security keys built using (and running on) OpenSSL, because it was possible to retrieve fragments (64 KB) of the server's RAM ... we all think about the private keys that are used to encrypt our communications.

Thanks, Hamza
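
As an added illustration of the over-read Hamza describes (example code written for this page, not OpenSSL's own source): a heartbeat request whose claimed payload length is larger than what was actually sent, handled once the way OpenSSL 1.0.1 through 1.0.1f did it and once with the length check that 1.0.1g added. The fake memory layout, the two-byte "hi" payload and the SECRET string standing in for heap contents next to the record are all constructed for the demonstration; the function names are this example's, not OpenSSL's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520) as parsed by OpenSSL's tls1_process_heartbeat():
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The peer controls payload_length. 1.0.1 .. 1.0.1f copied that many bytes back
 * without comparing it to the record actually received; 1.0.1g added the check
 * shown in heartbeat_patched(). */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HDR       3                  /* type + payload_length */

/* Constructed stand-in for sensitive heap data lying just after the record. */
static const char SECRET[] = "PRIVATE-KEY-MATERIAL-DO-NOT-LEAK";   /* 32 bytes */
#define SECRET_OFFSET 32
#define MEM_SIZE      96

/* Fake process memory: a request with a real 2-byte payload "hi" but a
 * peer-chosen claimed length, followed by SECRET. Returns the bytes actually
 * received for the record (1 + 2 + 2 + 16 = 21). */
size_t build_memory(unsigned char *mem, uint16_t claimed_payload_len) {
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_payload_len >> 8);
    mem[2] = (unsigned char)(claimed_payload_len & 0xff);
    mem[3] = 'h';
    mem[4] = 'i';
    memset(mem + 5, 0xAA, HB_PADDING);                    /* padding bytes */
    memcpy(mem + SECRET_OFFSET, SECRET, strlen(SECRET));
    return HB_HDR + 2 + HB_PADDING;
}

static uint16_t claimed_len(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Echo n payload bytes back; the memcpy reads n bytes starting at rec + 3,
 * wherever that leads. */
static size_t build_response(unsigned char *out, const unsigned char *rec, uint16_t n) {
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(n >> 8);
    out[2] = (unsigned char)(n & 0xff);
    memcpy(out + HB_HDR, rec + HB_HDR, n);
    memset(out + HB_HDR + n, 0, HB_PADDING);
    return HB_HDR + n + HB_PADDING;
}

/* Vulnerable (1.0.1 - 1.0.1f behaviour): rec_len is known but never consulted,
 * so a claimed length larger than the record reads past it and leaks
 * neighbouring memory into the reply. Returns the reply length, 0 if dropped. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t n = claimed_len(rec);
    if ((size_t)HB_HDR + n + HB_PADDING > out_cap) return 0;   /* only the output is bounded */
    return build_response(out, rec, n);
}

/* Patched (1.0.1g): discard the record unless the claimed payload fits inside
 * what was received. Same shape as the check added to tls1_process_heartbeat():
 *   if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; */
size_t heartbeat_patched(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    if (rec_len < (size_t)HB_HDR + HB_PADDING) return 0;        /* too short to be valid */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t n = claimed_len(rec);
    if ((size_t)HB_HDR + n + HB_PADDING > rec_len) return 0;    /* the Heartbleed fix */
    if ((size_t)HB_HDR + n + HB_PADDING > out_cap) return 0;
    return build_response(out, rec, n);
}

/* Run one scenario end to end. reply_len receives the reply size; the return
 * value is 1 when SECRET came back inside the reply, 0 otherwise. */
static int run_scenario(uint16_t claimed, int use_patched, size_t *reply_len) {
    unsigned char mem[MEM_SIZE], out[256];
    size_t rec_len = build_memory(mem, claimed);
    size_t n = use_patched ? heartbeat_patched(mem, rec_len, out, sizeof out)
                           : heartbeat_vulnerable(mem, rec_len, out, sizeof out);
    *reply_len = n;
    return n >= SECRET_OFFSET + strlen(SECRET) &&
           memcmp(out + SECRET_OFFSET, SECRET, strlen(SECRET)) == 0;
}

size_t demo_reply_len(uint16_t claimed, int use_patched) {
    size_t n; run_scenario(claimed, use_patched, &n); return n;
}

int demo_secret_leaked(uint16_t claimed, int use_patched) {
    size_t n; return run_scenario(claimed, use_patched, &n);
}

int main(void) {
    printf("vulnerable, claimed 64: reply %zu bytes, secret leaked: %d\n",
           demo_reply_len(64, 0), demo_secret_leaked(64, 0));
    printf("patched,    claimed 64: reply %zu bytes, secret leaked: %d\n",
           demo_reply_len(64, 1), demo_secret_leaked(64, 1));
    printf("patched,    honest  2:  reply %zu bytes\n", demo_reply_len(2, 1));
    return 0;
}
```

The real bug let a peer claim up to 65535 bytes per request (the 64 KB Hamza mentions) and repeat the request indefinitely, which is why a patched library alone is not enough: anything that was in that process's memory, private keys included, has to be treated as exposed and replaced.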

Re: Security hole in OpenSSL

Posted: 10 Apr 2014, 17:53
by francois
@brokenman, hamza:

Thanks for your explanations. :)

Re: Security hole in OpenSSL

Posted: 14 Apr 2014, 22:03
by wread
The Tor Project updated tor to version 0.2.4.21 because of this OpenSSL bug. The new version of tor for 32-bit is here