Hi, will OpenSSL version 0.9.7g be available as an RPM for SuSE 9.1? YOU currently holds openssl-0.9.7d-15.13, and the OpenSSL team has fixed some important bugs since then. -- Mit freundlichen Grüßen / Sincerely Dipl. Inform. Ralph Seichter
On Mon, Jun 20, 2005 at 01:40:24PM +0200, Ralph Seichter wrote:
Hi,
Hello.
will OpenSSL version 0.9.7g be available as an RPM for SuSE 9.1? YOU currently holds openssl-0.9.7d-15.13, and the OpenSSL team has fixed some important bugs since then.
Only security-related bugs will be fixed and released.
-- Mit freundlichen Grüßen / Sincerely Dipl. Inform. Ralph Seichter
-- Bye, Thomas -- Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing -- Ray's Rule of Precision: Measure with a micrometer. Mark with chalk. Cut with an axe.
On Mon, Jun 20, 2005 at 01:45:52PM +0200, Thomas Biege wrote:
On Mon, Jun 20, 2005 at 01:40:24PM +0200, Ralph Seichter wrote:
Hi,
Hello.
will OpenSSL version 0.9.7g be available as an RPM for SuSE 9.1? YOU currently holds openssl-0.9.7d-15.13, and the OpenSSL team has fixed some important bugs since then.
Only security-related bugs will be fixed and released.
Err, I was too much in the security scope. We also fix non-security bugs. But that depends on the bug and the problem it causes. What bugs would you like to see fixed? -- Bye, Thomas -- Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing -- Ray's Rule of Precision: Measure with a micrometer. Mark with chalk. Cut with an axe.
Thomas Biege wrote:
Err, I was too much in the security scope. We also fix non-security bugs. But that depends on the bug and the problem it causes.
Well, one could consider any bug in OpenSSL as being a security bug, considering the nature of the software... ;-)
What bugs would you like to see fixed?
http://www.openssl.org/news/vulnerabilities.html mentions CAN-2004-0975 as affecting OpenSSL 0.9.7d and being fixed in version 0.9.7f. http://www.openssl.org/news/changelog.html lists a whole bunch of fixes, changes and additions between 0.9.7d and 0.9.7g, so I consider it worthwhile to have the latest stable OpenSSL version (0.9.7g) available on the servers under my responsibility. -- Mit freundlichen Grüßen / Sincerely Dipl. Inform. Ralph Seichter
so I consider it worthwhile to have the latest stable OpenSSL version (0.9.7g) available on the servers under my responsibility.
If that is the case, then install from source; that way you do not have to wait for SuSE to get their RPMs quality-assured and updated...
Barry Gill wrote:
If that is the case, then install from source; that way you do not have to wait for SuSE to get their RPMs quality-assured and updated...
There is a lot of software I compile and install from source, like Apache or Postfix, but OpenSSL is a slightly different matter. Imagine me fumbling the installation of new SSL libraries on a remotely managed server to which I have no physical access at all because it is hosted several hundred km away. If the SSH daemon fails after my update, I'm in trouble, because I have no direct console access for repairs. That's why, when it comes to OpenSSL, I'd rather use SuSE's official RPMs. Of course, SuSE is not duty-bound to provide the latest and greatest OpenSSL as RPMs. If SuSE decides to stick to version 0.9.7d, I might have to take the risk I described above. :-/ -- Mit freundlichen Grüßen / Sincerely Dipl. Inform. Ralph Seichter
On Mon, Jun 20, 2005 at 02:17:05PM +0200, Ralph Seichter wrote:
Thomas Biege wrote:
Err, I was too much in the security scope. We also fix non-security bugs. But that depends on the bug and the problem it causes.
Well, one could consider any bug in OpenSSL as being a security bug, considering the nature of the software... ;-)
What bugs would you like to see fixed?
http://www.openssl.org/news/vulnerabilities.html mentions CAN-2004-0975 as affecting OpenSSL 0.9.7d and being fixed in version
This bug will be fixed together with the next update of openssl. Frankly this is a very minor bug. :)
0.9.7f. http://www.openssl.org/news/changelog.html lists a whole bunch of fixes, changes and additions between 0.9.7d and 0.9.7g, so I consider it worthwhile to have the latest stable OpenSSL version (0.9.7g) available on the servers under my responsibility.
We don't do version updates (with some exceptions) due to bad side effects. -- Bye, Thomas -- Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing -- Ray's Rule of Precision: Measure with a micrometer. Mark with chalk. Cut with an axe.
On Mon, Jun 20, 2005 at 03:53:38PM +0200, Thomas Biege wrote:
On Mon, Jun 20, 2005 at 02:17:05PM +0200, Ralph Seichter wrote:
Thomas Biege wrote:
Err, I was too much in the security scope. We also fix non-security bugs. But that depends on the bug and the problem it causes.
Well, one could consider any bug in OpenSSL as being a security bug, considering the nature of the software... ;-)
What bugs would you like to see fixed?
http://www.openssl.org/news/vulnerabilities.html mentions CAN-2004-0975 as affecting OpenSSL 0.9.7d and being fixed in version
This bug will be fixed together with the next update of openssl. Frankly this is a very minor bug. :)
0.9.7f. http://www.openssl.org/news/changelog.html lists a whole bunch of fixes, changes and additions between 0.9.7d and 0.9.7g, so I consider it worthwhile to have the latest stable OpenSSL version (0.9.7g) available on the servers under my responsibility.
We don't do version updates (with some exceptions) due to bad side effects.
As an addendum: We fix the security issues present in those libraries, but do not bump the version. Use either "rpm -q --changelog openssl | less" or our website to check for the CAN numbers we fixed and released updates for. Ciao, Marcus
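Marcus's point is that a backported fix leaves the package version unchanged, so "openssl-0.9.7d" alone cannot tell you whether CAN-2004-0975 is fixed; the changelog can. As an added example (not from the thread and not SuSE's tooling), this POSIX shell function scans text in the format of "rpm -q --changelog" for an identifier; the changelog entries, dates and maintainer address are constructed, only CAN-2004-0975 comes from the thread.

```shell
#!/bin/sh
# Added example: look for a backported fix in RPM changelog text.
# Constructed sample in the shape of `rpm -q --changelog openssl` output; the dates,
# address and wording are made up, only CAN-2004-0975 is taken from the thread.
SAMPLE_CHANGELOG='* Mon Jun 20 2005 - maintainer@example.invalid
- security fix for CAN-2004-0975 (constructed entry)
- package version stays at 0.9.7d (constructed entry)
* Mon Mar 22 2004 - maintainer@example.invalid
- update to 0.9.7d (constructed entry)'

# fixed_in_changelog ID   (changelog text on stdin)
# Entries begin with "* <date> - <author>", items with "- ". Prints the header of
# the newest entry that mentions ID; exit status 0 if found, 1 if not.
fixed_in_changelog() {
  awk -v id="$1" '
    /^\* /            { hdr = $0 }                    # remember current entry header
    index($0, id) > 0 { print hdr; found = 1; exit }  # newest entry wins, stop there
    END               { exit found ? 0 : 1 }
  '
}

# Stand-alone demo: the version string (0.9.7d) predates the upstream fix release
# (0.9.7f), yet the changelog records the backported fix.
if hdr=$(printf '%s\n' "$SAMPLE_CHANGELOG" | fixed_in_changelog CAN-2004-0975); then
  echo "CAN-2004-0975 fixed by backport, entry: $hdr"
else
  echo "CAN-2004-0975 not mentioned in changelog; treat as unfixed"
fi
```

On a real system, replace the sample with "rpm -q --changelog openssl | fixed_in_changelog CAN-2004-0975".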
[snip] because it is hosted several hundred km away. If the SSH Daemon fails after my update, I'm in trouble, because I have no direct console access for repairs. That's why, when it comes to OpenSSL, [/snip] In the words of Homer Simpson - "Doh!" Ok, stupid suggestion hehehe
Thomas Biege wrote:
This bug will be fixed together with the next update of openssl. Frankly this is a very minor bug. :)
As I said, the OpenSSL team lists a whole bunch of fixes in the change log which they consider "important". SuSE probably applies another standard, because you see your distribution as a whole, but if the authors consider it important, I'm inclined to agree. ;-) Could you please tell me the options you advise for the OpenSSL "Configure" or "config" scripts for SuSE 9.1 Pro? Judging from the RPM contents, you could be using "--prefix=/usr --openssldir=/etc", but I'm not sure about this. Did you make any modifications to the configuration script itself? -- Mit freundlichen Grüßen / Sincerely Dipl. Inform. Ralph Seichter
Ralph Seichter wrote:
Thomas Biege wrote:
This bug will be fixed together with the next update of openssl. Frankly this is a very minor bug. :)
As I said, the OpenSSL team lists a whole bunch of fixes in the change log which they consider "important". SuSE probably applies another standard, because you see your distribution as a whole, but if the authors consider it important, I'm inclined to agree. ;-)
Could you please tell me the options you advise for the OpenSSL "Configure" or "config" scripts for SuSE 9.1 Pro? Judging from the RPM contents, you could be using "--prefix=/usr --openssldir=/etc", but I'm not sure about this. Did you make any modifications to the configuration script itself?
Those you can probably get by extracting the source-rpm and looking at the spec-file. Rainer
Could you please tell me the options you advise for the OpenSSL "Configure" or "config" scripts for SuSE 9.1 Pro? Judging from the RPM contents, you could be using "--prefix=/usr --openssldir=/etc", but I'm not sure about this. Did you make any modifications to the configuration script itself?
Those you can probably get by extracting the source-rpm and looking at the spec-file.
Right. Just use "alien -t" or the like to convert the src.rpm to a tar.gz
Rainer
-- Bye, Thomas -- Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing -- Ray's Rule of Precision: Measure with a micrometer. Mark with chalk. Cut with an axe.
Hello, I have installed SuSE 9.2 and I want to protect my data. I want that when the computer boots, it doesn't ask to enter any password. But if anyone tried to read the data that is in htdocs, it should ask. Only the user wwwrun can read it without any problem. Is it possible? I don't want anyone to fool around with my Apache server. If someone tries to take out the disk and tries to mount it on another computer, he can't. Is there any way that I can do it? Or placing a hardkey on the LPT port. Thanks, any idea would be appreciated.
you can have a cdrom with Grub loaded onto it and have the entire HDD encrypted. You can then set a decryption key in grub (passwordless one) and that way if the CD is in the drive, it will start up fine, if not, then the HDD is totally useless.
_____
From: Helder Lopes [mailto:helder_lopes@ano.pt] Sent: 21 June 2005 12:54 PM To: suse-security@suse.com Subject: [suse-security] Encryption of data and disks ..
Hello
I have installed SuSE 9.2 and I want to protect my data.
I want that when the computer boots, it doesn't ask to enter any password. But if anyone tried to read the data that is in htdocs, it should ask. Only the user wwwrun can read it without any problem. Is it possible? I don't want anyone to fool around with my Apache server.
If someone tries to take out the disk and tries to mount it on another computer, he can't.
Is there any way that I can do it? Or placing a hardkey on the LPT port.
Thanks, any idea would be appreciated.
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Hello
I have installed SuSE 9.2 and I want to protect my data.
I want that when the computer boots, it doesn't ask to enter any password. But if anyone tried to read the data that is in htdocs, it should ask. Only the user wwwrun can read it without any problem. Is it possible? I don't want anyone to fool around with my Apache server. If someone tries to take out the disk and tries to mount it on another computer, he can't.
You need an encrypted filesystem to do that. Google for 'encrypted filesystem' and you'll find a plethora of guidance on how to set up something like that. It most likely *will* require a password (manual intervention) at bootup to make this reasonably secure, however.
Is there any way that I can do it? Or placing a hardkey on the LPT port.
Nice try, but if someone is able to remove the harddisk from your server, don't you think they may also be able to grab that key from your system? Or steal the entire system? As long as you can't physically secure access to your system, it will be *very* hard to accomplish what you want without some sort of password.
Thanks, any idea would be appreciated.
-- Eindhoven - The Netherlands Key fingerprint - 66 4E 03 2C 9D B5 CB 9B 7A FE 7E C1 EE 88 BC 57
The Tuesday 2005-06-21 at 13:10 +0200, Arjen de Korte wrote:
Is there any way that I can do it? Or placing a hardkey on the LPT port.
Nice try, but if someone is able to remove the harddisk from your server, don't you think they may also be able to grab that key from your system? Or steal the entire system? As long as you can't physically secure access to your system, it will be *very* hard to accomplish what you want without some sort of password.
He could use a card that is read on booting with the password for the encrypted hard disk or partition. But he must ensure that the card is removed after booting, or when he is not present. Of course, if the machine is serving a web page and power fails, it will not boot up. In that case, it would probably make sense to use a UPS set to send the system to sleep with memory saved to disk, so that the password/card is not required when awaking... but again, if the thief has access to the system and sends it to sleep manually (for example, by switching off mains AC to the UPS), he will be able to retrieve all data at his place simply by powering it up again. Another possibility would be to get the "key" from another secure computer in the local network. I have my doubts, though... -- Cheers, Carlos Robinson
Barry Gill wrote:
you can have a cdrom with Grub loaded onto it and have the entire HDD encrypted. You can then set a decryption key in grub (passwordless one) and that way if the CD is in the drive, it will start up fine, if not, then the HDD is totally useless.
_____
From: Helder Lopes [mailto:helder_lopes@ano.pt] Sent: 21 June 2005 12:54 PM To: suse-security@suse.com Subject: [suse-security] Encryption of data and disks ..
Hello
I have installed SuSE 9.2 and I want to protect my data.
I want that when the computer boots, it doesn't ask to enter any password. But if anyone tried to read the data that is in htdocs, it should ask. Only the user wwwrun can read it without any problem. Is it possible? I don't want anyone to fool around with my Apache server.
If someone tries to take out the disk and tries to mount it on another computer, he can't.
Is there any way that I can do it? Or placing a hardkey on the LPT port.
Thanks, any idea would be appreciated.
I would like to know more about this. Do you have any links or info on this? Thanks -- Hans hanskrueger@adelphia.net
How well does Suse handle biometric scanners?
----- Original Message ----- From: Barry Gill To: 'Helder Lopes' ; suse-security@suse.com Sent: Tuesday, June 21, 2005 1:05 PM Subject: RE: [suse-security] Encryption of data and disks ..
you can have a cdrom with Grub loaded onto it and have the entire HDD encrypted. You can then set a decryption key in grub (passwordless one) and that way if the CD is in the drive, it will start up fine, if not, then the HDD is totally useless.
_____
From: Helder Lopes [mailto:helder_lopes@ano.pt] Sent: 21 June 2005 12:54 PM To: suse-security@suse.com Subject: [suse-security] Encryption of data and disks ..
Hello
I have installed SuSE 9.2 and I want to protect my data.
I want that when the computer boots, it doesn't ask to enter any password. But if anyone tried to read the data that is in htdocs, it should ask. Only the user wwwrun can read it without any problem. Is it possible? I don't want anyone to fool around with my Apache server. If someone tries to take out the disk and tries to mount it on another computer, he can't.
Is there any way that I can do it? Or placing a hardkey on the LPT port.
Thanks, any idea would be appreciated.
The Tuesday 2005-06-21 at 08:09 +0200, Thomas Biege wrote:
Those you can probably get by extracting the source-rpm and looking at the spec-file.
Right. Just use "alien -t" or the like to convert the src.rpm to a tar.gz
You can simply use mc (midnight commander) to "open" the src.rpm and view or copy the contents (all or partial), including the spec file. No need to install the sources ;-) -- Cheers, Carlos Robinson
Rainer Duffner wrote:
Those you can probably get by extracting the source-rpm and looking at the spec-file.
Of course, I should have thought of examining the source RPM myself. I think the heat is affecting me... %-) Thanks for the hint! -- Mit freundlichen Grüßen / Sincerely Dipl. Inform. Ralph Seichter
participants (10)
- Andre Venter
- Arjen de Korte
- Barry Gill
- Carlos E. R.
- Hans Krueger
- Helder Lopes
- Marcus Meissner
- Rainer Duffner
- Ralph Seichter
- Thomas Biege