[opensuse] Problem - OpenSSL 1.0.1g Fix and OpenSuSE 12.1
Hi,

I have an old OpenSuSE 12.1 which is quite difficult to upgrade due to very complex setup.

In order to upgrade to the latest OpenSSL without Heartbleed bug, I had used this repository: http://download.opensuse.org/repositories/home:/aljex/openSUSE_12.1/

However, after upgrade BIND stopped working, with message:

Apr 15 15:19:31 SRV named[2463]: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(/usr/lib/engines/libgost.so): /usr/lib/engines/libgost.so: cannot open shared object file: No such file or directory
Apr 15 15:19:31 SRV named[2463]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
Apr 15 15:19:31 SRV named[2463]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
Apr 15 15:19:31 SRV named[2463]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:418:id=gost
Apr 15 15:19:31 SRV named[2463]: initializing DST: crypto failure
Apr 15 15:19:31 SRV named[2463]: exiting (due to fatal error)
Apr 15 15:19:31 SRV named[1722]: Starting name server BIND ..failed

Looks like CryptoDev module can't be loaded anymore. Additionally, there seems to be a problem with Apache / PHP.

Does anyone have any idea about an upgrade path? Apart from OpenSSL / ssh packages, what else needs to be upgraded / installed?

Thanks in advance for any suggestion(s).

Andrei

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Tue, Apr 15, 2014 at 05:04:13PM +0300, andreil1 wrote:
Hi,
I have an old OpenSuSE 12.1 which is quite difficult to upgrade due to very complex setup.
In order to upgrade to the latest OpenSSL without Heartbleed bug, I had used this repository: http://download.opensuse.org/repositories/home:/aljex/openSUSE_12.1/
However, after upgrade BIND stopped working, with message:
Apr 15 15:19:31 SRV named[2463]: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(/usr/lib/engines/libgost.so): /usr/lib/engines/libgost.so: cannot open shared object file: No such file or directory
Apr 15 15:19:31 SRV named[2463]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
Apr 15 15:19:31 SRV named[2463]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
Apr 15 15:19:31 SRV named[2463]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:418:id=gost
Apr 15 15:19:31 SRV named[2463]: initializing DST: crypto failure
Apr 15 15:19:31 SRV named[2463]: exiting (due to fatal error)
Apr 15 15:19:31 SRV named[1722]: Starting name server BIND ..failed
Looks like CryptoDev module can't be loaded anymore. Additionally, there seems to be a problem with Apache / PHP.
Does anyone have any idea about an upgrade path? Apart from OpenSSL / ssh packages, what else needs to be upgraded / installed?
Thanks in advance for any suggestion(s).
openSUSE used openssl 1.0.0e, so a heartbleed fix is NOT required on 12.1.

Ciao, Marcus
Hello,

On Tue, 15 Apr 2014, Marcus Meissner wrote:
On Tue, Apr 15, 2014 at 05:04:13PM +0300, andreil1 wrote:
In order to upgrade to the latest OpenSSL without Heartbleed bug, I had used this repository: http://download.opensuse.org/repositories/home:/aljex/openSUSE_12.1/
[..]
openSUSE used openssl 1.0.0e, so a heartbleed fix is NOT required on 12.1.
$ rpm --qf '%{name}-%{version}-%{release} %{distribution}\n' -qf /lib64/engines/libgost.so
libopenssl1_0_0-1.0.0k-34.20.1 openSUSE 12.1

Can be found in http://ftp5.gwdg.de/pub/opensuse/discontinued/update/12.1/
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/12.1/x86_64/libopenssl1...

$ rpm --changelog -qf /lib64/engines/libgost.so | head -25
* Fri Feb 15 2013 meissner@suse.com   # sic!
- Updated to 1.0.0k security release. bnc#802648 bnc#802746
  To avoid backporting the large fixes for
  SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
  TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686)
  OCSP invalid key DoS issue (CVE-2013-0166)
- update to latest stable version 1.0.0i
  including the following patches:
  CVE-2012-2110.patch
  Bug748738_Tolerate_bad_MIME_headers.patch
  bug749213-Free-headers-after-use.patch
  bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch
  CVE-2012-1165.patch
  CVE-2012-0884.patch
  bug749735.patch
- Update to version 1.0.0g fix the following:
  DTLS DoS attack (removed CVE-2012-0050.patch)
- Update to version 1.0.0f fix the following:
  DTLS Plaintext Recovery Attack (removed CVE-2011-4108.patch)
  Uninitialized SSL 3.0 Padding (removed CVE-2011-4576.patch)
  Malformed RFC 3779 Data Can Cause Assertion Failures (removed CVE-2011-4577.patch)
  SGC Restart DoS Attack (removed CVE-2011-4619.patch)
  Invalid GOST parameters DoS Attack (removed CVE-2012-0027.patch)
* Wed Feb 06 2013 shchang@suse.com

HTH,
-dnh

--
quit   When the quit statement is read, the bc processor is terminated, regardless of where the quit statement is found. For example, "if (0 == 1) quit" will cause bc to terminate.
(Seen in the manpage for "bc". Note the "if" statement's logic)
David Haller <dnh@opensuse.org> wrote at 20:58 on Tuesday, 15 April 2014:
...
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/12.1/
http://ftp5.gwdg.de/pub/opensuse/discontinued/update/12.1/x86_64/libopenssl1...
thx that answers my question :-)
Marcus Meissner <meissner@suse.de> wrote at 16:12 on Tuesday, 15 April 2014:
...
openSUSE used openssl 1.0.0e, so a heartbleed fix is NOT required on 12.1.
My 12.1 has 1.0.0k-34.20.1, and I have the

x86_64/openssl-1.0.0k-34.20.1.x86_64.rpm
i586/openssl-1.0.0k-34.20.1.i586.rpm

still here but I do not know if this was the latest update for OpenSSL and OpenSuSE 12.1.

I know that there are no more updates/patches, but is there a list somewhere, where one can check the latest versions before end of support?

BR
On 15.04.14 16:04, andreil1 wrote:
Hi,
I have an old OpenSuSE 12.1 which is quite difficult to upgrade due to very complex setup.
In order to upgrade to the latest OpenSSL without Heartbleed bug, I had used this repository: http://download.opensuse.org/repositories/home:/aljex/openSUSE_12.1/
However, after upgrade BIND stopped working, with message:
Apr 15 15:19:31 SRV named[2463]: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(/usr/lib/engines/libgost.so): /usr/lib/engines/libgost.so: cannot open shared object file: No such file or directory
Apr 15 15:19:31 SRV named[2463]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
Apr 15 15:19:31 SRV named[2463]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
Apr 15 15:19:31 SRV named[2463]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:418:id=gost
Apr 15 15:19:31 SRV named[2463]: initializing DST: crypto failure
Apr 15 15:19:31 SRV named[2463]: exiting (due to fatal error)
Apr 15 15:19:31 SRV named[1722]: Starting name server BIND ..failed
Looks like CryptoDev module can't be loaded anymore. Additionally, there seems to be a problem with Apache / PHP.
Does anyone have any idea about an upgrade path? Apart from OpenSSL / ssh packages, what else needs to be upgraded / installed?
Thanks in advance for any suggestion(s).
Andrei
Andrei,

you should revert to the original openssl version; otherwise you'll have to upgrade all related packages, too.

--
Johannes Weberhofer
Weberhofer GmbH, Austria, Vienna
On 15/04/14 11:04, andreil1 wrote:
Hi,
I have an old OpenSuSE 12.1 which is quite difficult to upgrade due to very complex setup.
In order to upgrade to the latest OpenSSL without Heartbleed bug, I had used this repository: http://download.opensuse.org/repositories/home:/aljex/openSUSE_12.1/
However, after upgrade BIND stopped working, with message:
Apr 15 15:19:31 SRV named[2463]: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(/usr/lib/engines/libgost.so): /usr/lib/engines/libgost.so: cannot open shared object file: No such file or directory
Apr 15 15:19:31 SRV named[2463]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
Apr 15 15:19:31 SRV named[2463]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
Apr 15 15:19:31 SRV named[2463]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:418:id=gost
Apr 15 15:19:31 SRV named[2463]: initializing DST: crypto failure
Apr 15 15:19:31 SRV named[2463]: exiting (due to fatal error)
Apr 15 15:19:31 SRV named[1722]: Starting name server BIND ..failed
Looks like CryptoDev module can't be loaded anymore. Additionally, there seems to be a problem with Apache / PHP.
Does anyone have any idea about an upgrade path? Apart from OpenSSL / ssh packages, what else needs to be upgraded / installed?
You need to revert your openSSL version with the one included in your distribution version. You upgraded (partially, apparently) openSSL 1.0.0x to 1.0.1x even though it is not needed to patch heartbleed. As you can see, that won't work.

Also there is no binary compatibility promise between different openSSL branches (1.0.0x and 1.0.1x are different code streams). Oh.. such promise also does not exist within openSUSE major releases, nor across distributions, i.e. openSSL from Debian, Fedora, SUSE all enable or disable different features making the resulting libraries incompatible.

Something has to be done about it, but you have to think 20 times before touching anything there, it is a scary old dinosaur from the build system up, like playing Russian roulette but with code. ;-D

--
Cristian
"I don't know the key to success, but the key to failure is trying to please everybody."
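Added example, not part of the original thread: a small shell function that classifies an upstream OpenSSL version string by branch, covering the point made in the replies that the 1.0.0 branch never needed a Heartbleed fix. The function name `heartbleed_status` and its result labels are made up for this illustration, and the sample version 1.0.1e is constructed; the other versions are the ones quoted in the thread.

```shell
#!/bin/sh
# heartbleed_status VERSION  (hypothetical helper, added for illustration)
# VERSION is an upstream-style OpenSSL version, optionally with an rpm
# release suffix, e.g. "1.0.0k-34.20.1" or "1.0.1g".
#
# Upstream 1.0.1 through 1.0.1f contain the Heartbleed bug, 1.0.1g fixes
# it, and the 1.0.0 and 0.9.x branches never shipped the heartbeat code.
#
# Caveat: distributions backport fixes without changing the version
# letter, so "affected-upstream" means "read the package changelog"
# (rpm --changelog -q <package>), not "this package is vulnerable".
heartbleed_status() {
    v=${1%%-*}                                     # 1.0.0k-34.20.1 -> 1.0.0k
    base=$(printf '%s' "$v" | sed 's/[a-z]*$//')   # 1.0.0k -> 1.0.0
    letter=${v#"$base"}                            # 1.0.0k -> k, 1.0.1 -> ""
    case "$base" in
        1.0.1)
            case "$letter" in
                ""|[a-f]) echo "affected-upstream" ;;
                *)        echo "fixed-upstream" ;;
            esac ;;
        0.9.*|1.0.0)
            echo "not-affected" ;;
        *)
            echo "unknown" ;;   # other branches: not classified here
    esac
}

# Versions mentioned in the thread, plus one constructed sample (1.0.1e).
for ver in 1.0.0e 1.0.0k-34.20.1 1.0.1e 1.0.1g; do
    printf '%-16s %s\n' "$ver" "$(heartbleed_status "$ver")"
done
```

On an rpm-based system the input can come from `rpm -q --qf '%{version}-%{release}\n' libopenssl1_0_0`, using the package name shown in the rpm output earlier in the thread.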
Something has to be done about it, but you have to think 20 times before touching anything there, it is a scary old dinosaur from the build system up, like playing Russian roulette but with code. ;-D
12.1 is a dinosaur? sad
--
Cristian
"I don't know the key to success, but the key to failure is trying to please everybody."
--
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013
On 15/04/14 21:40, Ruben Safir wrote:
Something has to be done about it, but you have to think 20 times before touching anything there, it is a scary old dinosaur from the build system up, like playing Russian roulette but with code. ;-D
12.1 is a dinosaur?
sad
If you read my message carefully, I was talking about openSSL, not about a particular openSUSE release.

--
Cristian
"I don't know the key to success, but the key to failure is trying to please everybody."
participants (7)
- andreil1
- Cristian Rodríguez
- David Haller
- Johannes Weberhofer
- Marcus Meissner
- Peter Maffter
- Ruben Safir