Drownattack: https vulnerability
- ncmprhnsbl
- DEV Team
- Posts: 4253
- Joined: 20 Mar 2012, 03:42
- Distribution: v5.0-64bit
- Location: australia
Drownattack: https vulnerability
if you do anything secure online (banking, buying stuff etc) there has been a vulnerability discovered in servers supporting (not using) SSLv2...
for more info and to check a site go here :
https://drownattack.com/#check
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44
- Ed_P
- Contributor
- Posts: 8908
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
Re: Drownattack: https vulnerability
I wonder if Porteus Updater will have a patch for this in the near future.
-update-
Till then, USM works.
Code: Select all
root@porteus:/home/guest# usm -s openssl-1.0.1s
openssl-1.0.1s-x86_64-1_slack14.1.txz was found in slackwarepatches [upgrade]
Packages found: 1
- donald
- Full of knowledge
- Posts: 2104
- Joined: 17 Jun 2013, 13:17
- Distribution: Porteus 3.2.2 XFCE 32bit
- Location: Germany
Re: Drownattack: https vulnerability
^
upgrade the "openssl-solibs" too.
btw
there is also the upgradepkg tool -- (useful only if you save changes)
as root:
upgradepkg --help
- Ed_P
- Contributor
- Posts: 8908
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
Re: Drownattack: https vulnerability
donald wrote:
> ^
> upgrade the "openssl-solibs" too.
Are you saying USM is missing a dependency for this module?
Any way to have USM put both downloads into a single module?
-edit-
Yup. USM Tools.

> btw
> there is also the upgradepkg tool -- (useful only if you save changes)
> as root:
> upgradepkg --help
Does this work with changes=EXIT? I don't have Porteus installed, I boot ISOs.
- donald
- Full of knowledge
- Posts: 2104
- Joined: 17 Jun 2013, 13:17
- Distribution: Porteus 3.2.2 XFCE 32bit
- Location: Germany
Re: Drownattack: https vulnerability
Hi Ed
dependency?..
I would say it's more like a pair of shoes, they belong together.
> openssl-solibs (OpenSSL shared libraries)
> These shared libraries provide encryption routines required by
> programs such as openssh, bind, sendmail, and many others.

> Does this work with changes=EXIT?
I see no reason why not, but i just woke up..
try it, reboot and check in a terminal with:
openssl version
- Ed_P
- Contributor
- Posts: 8908
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
Re: Drownattack: https vulnerability
donald wrote:
> dependency?..
> I would say it's more like a pair of shoes, they belong together.
If the fix for the security leak requires the solibs to fix the leak I would say the solibs are a dependency of the fix.

> try it, reboot and check in a terminal with:
> openssl version
Well with the xzm module approach and both files I see:
Code: Select all
guest@porteus:~$ openssl
OpenSSL> version
OpenSSL 1.0.1h 5 Jun 2014
OpenSSL>

-edit-
Code: Select all
guest@porteus:~$ ls /mnt/live/memory/images/open*.xzm
openssl-1.0.1s-x86_64-1_slack14.1.txz
openssl-solibs-1.0.1s-x86_64-1_slack14.1.txz
guest@porteus:~$

-edit-
Rebuilt the combined module:
Code: Select all
guest@porteus:~$ ls /mnt/live/memory/images/open*.xzm
openssl-1.0.1s-x86_64-1_slack14.1.xzm*
openssl-solibs-1.0.1s-x86_64-1_slack14.1.xzm*
guest@porteus:~$ openssl
OpenSSL> version
OpenSSL 1.0.1h 5 Jun 2014
OpenSSL>

- ncmprhnsbl
- DEV Team
- Posts: 4253
- Joined: 20 Mar 2012, 03:42
- Distribution: v5.0-64bit
- Location: australia
Re: Drownattack: https vulnerability
my reading of this is that it's a server-side issue ... that is there's nothing the user can do, except wait for sites to fix it....
- donald
- Full of knowledge
- Posts: 2104
- Joined: 17 Jun 2013, 13:17
- Distribution: Porteus 3.2.2 XFCE 32bit
- Location: Germany
Re: Drownattack: https vulnerability
@ Ed
Did you reboot?...to activate the modules while porteus is running isn't sufficient.
(load the modules at boot up)
Code: Select all
guest@localhost:~$ openssl version
OpenSSL 1.0.1s 1 Mar 2016
- Ed_P
- Contributor
- Posts: 8908
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
Re: Drownattack: https vulnerability
donald wrote:
> @ Ed
> Did you reboot?...to activate the modules while porteus is running isn't sufficient.
> (load the modules at boot up)
I had not. But now I have.
Code: Select all
guest@porteus:~$ openssl version
OpenSSL 1.0.1h 5 Jun 2014
guest@porteus:~$
Code: Select all
guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
total 4364
-rwxrwxrwx 1 root root 3018752 Mar 6 2016 openssl-1.0.1s-x86_64-1_slack14.1.xzm*
-rwxrwxrwx 1 root root 1449984 Mar 6 2016 openssl-solibs-1.0.1s-x86_64-1_slack14.1.xzm*
guest@porteus:~$

- donald
- Full of knowledge
- Posts: 2104
- Joined: 17 Jun 2013, 13:17
- Distribution: Porteus 3.2.2 XFCE 32bit
- Location: Germany
Re: Drownattack: https vulnerability
@ Ed
Are you sure your combined module is OK?
I took both packages from slackware, converted them to xzm and merged them to openssl.xzm.
To be as close as possible to your iso installation i made a fresh 3,1 install on sda1;
placed the openssl.xzm in a folder named test on sda2; boot up with
extramod=/mnt/sda2/test
and it worked.
(your ls -l output looks somehow not right)
Code: Select all
guest@porteus:~$ openssl version
OpenSSL 1.0.1s 1 Mar 2016
guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
total 0
drwxr-xr-x 4 root root 44 Mar 2 23:03 etc/
drwxr-xr-x 2 root root 195 Mar 7 02:29 lib/
drwxr-xr-x 7 root root 98 Mar 2 23:03 usr/
drwxr-xr-x 3 root root 26 Mar 7 02:29 var/
guest@porteus:~$
- Ed_P
- Contributor
- Posts: 8908
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
Re: Drownattack: https vulnerability
donald wrote:
> @ Ed
> Are you sure your combined module is OK?
No.

> I took both packages from slackware, converted them to xzm and merged them to openssl.xzm.
I used USM GUI to download them and convert them and merge them.

> (your ls -l output looks somehow not right)
> Code: Select all
> guest@porteus:~$ openssl version
> OpenSSL 1.0.1s 1 Mar 2016
> guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
> total 0
> drwxr-xr-x 4 root root 44 Mar 2 23:03 etc/
> drwxr-xr-x 2 root root 195 Mar 7 02:29 lib/
> drwxr-xr-x 7 root root 98 Mar 2 23:03 usr/
> drwxr-xr-x 3 root root 26 Mar 7 02:29 var/
> guest@porteus:~$
I agree.
Let me try this again. I'll get back to you.
BTW Thanks for helping donald.

-edit-
Ok. Used USM to download the new openssl module.
Used USM to convert it to a module.
Rebooted.
Code: Select all
guest@porteus:~$ openssl version
OpenSSL 1.0.1s 1 Mar 2016
guest@porteus:~$
Code: Select all
guest@porteus:~$ ls -l /mnt/live/memory/images/open*.xzm
total 0
drwxr-xr-x 4 root root 44 Mar 1 20:11 etc/
drwxr-xr-x 2 root root 105 Mar 6 22:48 lib64/
drwxr-xr-x 7 root root 100 Mar 1 20:11 usr/
drwxr-xr-x 3 root root 26 Mar 6 22:48 var/
guest@porteus:~$

- donald
- Full of knowledge
- Posts: 2104
- Joined: 17 Jun 2013, 13:17
- Distribution: Porteus 3.2.2 XFCE 32bit
- Location: Germany
Re: Drownattack: https vulnerability
one down, one to go... 

- Ed_P
- Contributor
- Posts: 8908
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
Re: Drownattack: https vulnerability
Based on what I am seeing I'm not sure I need "one to go".
Any command to confirm that?
- donald
- Full of knowledge
- Posts: 2104
- Joined: 17 Jun 2013, 13:17
- Distribution: Porteus 3.2.2 XFCE 32bit
- Location: Germany
Re: Drownattack: https vulnerability
You don't want the matching solibs package?
check which you already have
Code: Select all
ls /var/log/packages | grep openssl
Well, i don't know (exactly) which programs rely on the solibs package.
for example: -- old one --
Code: Select all
root@porteus:/home/guest# usm -g openjre
The following items were found.
Choose an number to confirm.
ctrl+c to quit
1) openjre-7u51_b31-i486-2gv.txz 3) openjre-7u79_b14-i486-2sl.txz
2) openjre-7u79_b14-i486-2alien.txz
#? 3
Processing: openjre-7u79_b14-i486-2sl.txz
...
The following packages are required.
aaa_elflibs-14.1-i486-3.txz [4708K] [installed]
openjre-7u79_b14-i486-2sl.txz [40023K] [not installed]
openssl-solibs-1.0.1e-i486-1.txz [1208K] [not installed]
IMHO it doesn't hurt to have a matching pair... 8)
EDIT
oops..
there is no solibs package in 3.1 by default..(xfce-32-bit)
we had / have it in 2.0 -- by default
Lesson learned > DO NOT ASSUME..
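
Added example (not part of the thread, and not Porteus or USM code): a shell check for the "matching pair" discussed above, extending the `ls /var/log/packages | grep openssl` step by parsing the versions and comparing them, and comparing the package version with what `openssl version` reports. It assumes Slackware-style entries named name-version-arch-build; the function names and the sample directory are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: is openssl / openssl-solibs a matching pair?
# Assumes Slackware-style entries named name-version-arch-build.

pkg_version() {            # pkg_version <name> <pkgdir>: print installed version(s)
    for entry in "$2"/"$1"-*; do
        [ -e "$entry" ] || continue
        base=${entry##*/}
        rest=${base%-*}    # drop the build field
        rest=${rest%-*}    # drop the arch field, leaving name-version
        # "openssl-*" also matches openssl-solibs-*, so require the exact name
        if [ "${rest%-*}" = "$1" ]; then echo "${rest##*-}"; fi
    done
    return 0
}

check_openssl_pair() {     # check_openssl_pair [pkgdir]: 0 = match, 1 = mismatch,
    dir=${1:-/var/log/packages}           # 2 = no openssl, 3 = no solibs
    ssl=$(pkg_version openssl "$dir")
    libs=$(pkg_version openssl-solibs "$dir")
    if [ -z "$ssl" ]; then echo "openssl: not installed"; return 2; fi
    if [ -z "$libs" ]; then echo "openssl $ssl, openssl-solibs: not installed"; return 3; fi
    if [ "$ssl" = "$libs" ]; then echo "matching pair: $ssl"; return 0; fi
    echo "MISMATCH: openssl $ssl, openssl-solibs $libs"
    return 1
}

runtime_matches() {        # runtime_matches <pkg-version> [text of `openssl version`]
    out=${2:-$(openssl version 2>/dev/null)}
    [ "$(echo "$out" | awk '{print $2}')" = "$1" ]
}

# Constructed sample data (version strings borrowed from the thread)
demo=$(mktemp -d)
touch "$demo/openssl-1.0.1s-x86_64-1_slack14.1" "$demo/openssl-solibs-1.0.1e-i486-1"
check_openssl_pair "$demo" || true
# Package is 1.0.1s but the running binary still reports 1.0.1h (module not loaded yet)
runtime_matches 1.0.1s "OpenSSL 1.0.1h 5 Jun 2014" || echo "running openssl is not 1.0.1s"
rm -rf "$demo"
```

On a live system, call `check_openssl_pair` with no argument to read /var/log/packages, and `runtime_matches <version>` with one argument to query the installed `openssl` binary.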
