[opensuse] SuSE 12.1 and Heartbleed Bug
Hello, I am still running OpenSuSE 12.1 with openssl 1.0.0k-34.20.1, so I guess I won't get any update. Does compilation of a new version (described here: http://dl4oce.wordpress.com/2014/04/08/openssl-bug-heartbleed-beheben/ ) help? BR Pete -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Only openssl 1.0.1 and 1.0.1g are affected, not 1.0.0k. -- Later, Darin On Wed, Apr 9, 2014 at 4:04 PM, Peter Maffter <petermaffter@yahoo.de> wrote:
Hello,
I am still running OpenSuSE 12.1 with openssl 1.0.0k-34.20.1, so I guess I won't get any update.
Does compilation of a new version (described here: http://dl4oce.wordpress.com/2014/04/08/openssl-bug-heartbleed-beheben/ ) help?
BR Pete
Darin Perusich <darin@darins.net> wrote on Wednesday, 9 April 2014 at 22:10:
Only openssl 1.0.1 and 1.0.1g are affected, not 1.0.0k.
Thanks. I just read http://heartbleed.com/:
"What versions of the OpenSSL are affected? Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable"
BR
[[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] Question, has OpenSUSE 13.1 been affected by this? Also has there been a secure fix for this, and if there is a fix has it been tested and did it work? Thanks Matt On 04/09/2014 04:18 PM, Peter Maffter wrote:
Darin Perusich <darin@darins.net> wrote on Wednesday, 9 April 2014 at 22:10:
Only openssl 1.0.1 and 1.0.1g are affected, not 1.0.0k.
Thanks. I just read http://heartbleed.com/:
"What versions of the OpenSSL are affected? Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable"
BR
On 09/04/14 19:53, Matt Darnell wrote:
Question, has OpenSUSE 13.1 been affected by this? Also has there been a secure fix for this, and if there is a fix has it been tested and did it work?
Fixes have been released already for 13.1. zypper patch is your best friend. -- Cristian "I don't know the key to success, but the key to failure is trying to please everybody."
On 10/04/2014 01:22, Cristian Rodríguez wrote:
On 09/04/14 19:53, Matt Darnell wrote:
Question, has OpenSUSE 13.1 been affected by this? Also has there been a secure fix for this, and if there is a fix has it been tested and did it work?
Fixes have been released already for 13.1. zypper patch is your best friend
Will "zypper up" be enough? Or within some time? -- Dsant, from Lyon, France, forum@votreservice.com
On April 10, 2014 4:45:16 AM EDT, Dsant <forum@votreservice.com> wrote:
On 10/04/2014 01:22, Cristian Rodríguez wrote:
On 09/04/14 19:53, Matt Darnell wrote:
Question, has OpenSUSE 13.1 been affected by this? Also has there been a secure fix for this, and if there is a fix has it been tested and did it work?
Fixes have been released already for 13.1. zypper patch is your best friend
Will "zypper up" be enough? Or within some time?
This is a critical bug/vulnerability with huge impacts. Maybe the worst to ever affect Linux, but it only affects the server side of an SSL connection as I understand it. For most opensuse users it is not an issue from an admin perspective.

As users of the internet, this bug means everything transferred across the internet in the last 2 years that depended solely on SSL for security should be considered potentially breached. That assumes the server end of the connection was running a vulnerable version of openSSL, but as normal users you have to assume that. That means the best practice for all users (including MS users) is to change all passwords used on the internet and watch credit info closely. Then give your internet providers (isps/SAAS providers/banks/stores/auction sites) some time to fix their end and do it all again. I don't know how to test those providers to see if they are secure or not. I'm sure guidance will be forthcoming.

Assuming you are running a server serving encrypted data via openSSL: zypper up should be a superset of zypper patch, so yes it should get it, but if this is important to you then don't just assume it will work. Get the openSSL patch, install it and read the description of the installed patch to make sure you have it.

Then, if it is important to you, you have a security key you use in conjunction with openSSL to serve secure data. You should consider your key breached. That means that key needs to be replaced with a new one. That is manual work and you may have to go buy a new one if it is a registered key. It should be done after you get the openSSL security patch installed on every machine in your network that uses the same key and openSSL. Normally that is only one machine, but some web farms share a key between machines.

Greg -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
On 04/10/2014 06:40 AM, Greg Freemyer wrote:
This is a critical bug/vulnerability with huge impacts. Maybe the worst to ever affect Linux, but it only affects the server side of an SSL connection as I understand it. For most opensuse users it is not an issue from an admin perspective.
Hi Greg,

As I understand it, clients are also vulnerable if they connect to a compromised server using SSL. Note that this would include https web traffic, as well as secure POP/IMAP and SMTP Submission. So a compromised server would be able to suck private data from your local desktop without your knowing about it. Also, a completed and authenticated session to a remote server isn't required. A partial connection will suffice.

<<< BIG QUESTION >>>

What can those users running openSuSE 12.2 do to fix the problem short of upgrading to 13.1? Do/will RPMs be available for manual install?

It looks like openSuSE 12.1 isn't affected and zypper fixes 12.3 and 13.1:

zypper in -t patch openSUSE-2014-277

Regards, Lew
On 10/04/2014 16:31, Lew Wolfgang wrote:
What can those users running openSuSE 12.2 do to fix the problem short of upgrading to 13.1?
Let them run. I have servers running 12.1 because I never had time to update them. Of course nothing that has any value. I had some years ago a 2010 server running debian 3.0, with very old hardware and a config nobody could understand why it worked... I replaced it when the hardware failed. As far as I can see, the traffic of any of these servers is so low I don't think they are compromised :-( - but I may be wrong. jdd -- http://www.dodin.org
On 04/10/2014 07:36 AM, jdd wrote:
On 10/04/2014 16:31, Lew Wolfgang wrote:
What can those users running openSuSE 12.2 do to fix the problem short of upgrading to 13.1?
Let them run. I have servers running 12.1 because I never had time to update them. Of course nothing that has any value.
I had some years ago a 2010 server running debian 3.0, with very old hardware and a config nobody could understand why it worked... I replaced it when the hardware failed.
As far as I can see, the traffic of any of these servers is so low I don't think they are compromised :-( - but I may be wrong.
But my understanding is (hope I'm wrong!) that both servers and clients are affected. If you have a vulnerable SSL library on your home desktop and you happen to visit a compromised web server, that web server can exfiltrate all your RAM-resident data without your knowledge.

I think that openSuSE 12.1 is okay and was never vulnerable. 12.2 and up are vulnerable.

Regards, Lew
Well... I applied the patches mentioned in the email I'd sent a few minutes ago to my 12.2 box, and after doing so, the heartbleed python script no longer flags it:

user@computer:~/Desktop/heartbleed> python ssltest.py my.server
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 58
 ... received message: type = 22, ver = 0302, length = 1286
 ... received message: type = 22, ver = 0302, length = 525
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable

So, I'm guessing it's ok? No odd issues as of yet. On an interesting note, 12.2 and 12.3 both run 1.0.1e out of the box, so it *should* be possible to port patches back and forth between the two, since the 12.3 update just patches 1.0.1e, and after patching, you're still on 1.0.1e. Chris
On 04/10/14 16:31, Lew Wolfgang wrote:
What can those users running openSuSE 12.2 do to fix the problem short of upgrading to 13.1? Do/will RPMs be available for manual install?
Several users on OBS built 1.0.1g. You need to click on "Show unstable packages" (or similar) at the package search result page. Download openssl and libopenssl and install it. Don't forget to check if you also have libopenssl1_0_0-32bit installed if you have a 64bit system. HTH, Joachim -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Joachim Schrod, Roedermark, Germany Email: jschrod@acm.org
On Thu, Apr 10, 2014 at 10:39:02PM +0200, Joachim Schrod wrote:
On 04/10/14 16:31, Lew Wolfgang wrote:
What can those users running openSuSE 12.2 do to fix the problem short of upgrading to 13.1? Do/will RPMs be available for manual install?
Several users on OBS built 1.0.1g. You need to click on "Show unstable packages" (or similar) at the package search result page.
Download openssl and libopenssl and install it. Don't forget to check if you also have libopenssl1_0_0-32bit installed if you have a 64bit system
... Base:System has the 1.0.1g version. I think we should consider just pushing 1.0.1g to 12.3 and 13.1 to reduce confusion. :/ Ciao, Marcus
Marcus Meissner writes:
On Thu, Apr 10, 2014 at 10:39:02PM +0200, Joachim Schrod wrote:
On 04/10/14 16:31, Lew Wolfgang wrote:
What can those users running openSuSE 12.2 do to fix the problem short of upgrading to 13.1? Do/will RPMs be available for manual install?
Several users on OBS built 1.0.1g. You need to click on "Show unstable packages" (or similar) at the package search result page.
Download openssl and libopenssl and install it. Don't forget to check if you also have libopenssl1_0_0-32bit installed if you have a 64bit system
... Base:System has the 1.0.1g version.
Hmm, I don't see it at http://download.opensuse.org/repositories/Base:/System/openSUSE_13.1/x86_64/ Anyhow, GP asked for a 12.2 package which isn't there AFAIK. (And I have also some 12.2 VMs that I can't update for organizational reasons and wanted to patch.) Such packages are available in several home repositories. And anybody who doesn't update 12.2 does bad things security-wise anyhow. He or she will have to bite into more bad apples and install from a home repository...
I think we should consider just pushing 1.0.1g to 12.3 and 13.1 to reduce confusion. :/
Yes, I think that's a very good idea, from a communication point of view. heartbleed.com and others tell users to identify their vulnerability by version number. People look at the updated packages and think they're still vulnerable. An update to 1.0.1g would mitigate that. In addition, when one searches at OBS for openssl, the result page is http://software.opensuse.org/package/openssl. The linked info page for the 13.1 official update is about patchinfo 2424 and tells about a patch that was applied 3 months ago. While a recent version is surely in the repositories, that isn't reflected in that info page; or rather, the link on the search result page is wrong. Users searching for updates who are not subscribed to the mailing list or at the forums might be led astray by that missing information update. Cheers, Joachim -- Joachim Schrod, Roedermark, Germany Email: jschrod@acm.org
Hi there, I used a patched openssl for opensuse 12.2 in the repo http://"http://download.opensuse.org...SUSE_Factory/" :

rpm -qp --changelog http://download.opensuse.org/reposit...0.2.x86_64.rpm
* Tue Apr 08 2014 dmueller@suse.com
- update to 1.0.1g:
  * fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299)
  * Fix for Recovering OpenSSL ECDSA Nonces (CVE-2014-0076) (bnc#869945)
  * Workaround for the "TLS hang bug" (see FAQ and PR#2771)

I upgraded it and all seems to be okay. J.Karliak. On 11.4.2014 09:56, Joachim Schrod wrote:
Marcus Meissner writes:
On Thu, Apr 10, 2014 at 10:39:02PM +0200, Joachim Schrod wrote:
On 04/10/14 16:31, Lew Wolfgang wrote:
What can those users running openSuSE 12.2 do to fix the problem short of upgrading to 13.1? Do/will RPMs be available for manual install?
Several users on OBS built 1.0.1g. You need to click on "Show unstable packages" (or similar) at the package search result page.
Download openssl and libopenssl and install it. Don't forget to check if you also have libopenssl1_0_0-32bit installed if you have a 64bit system
... Base:System has the 1.0.1g version.
Hmm, I don't see it at http://download.opensuse.org/repositories/Base:/System/openSUSE_13.1/x86_64/
Anyhow, GP asked for a 12.2 package which isn't there AFAIK. (And I have also some 12.2 VMs that I can't update for organizational reasons and wanted to patch.) Such packages are available in several home repositories. And anybody who doesn't update 12.2 does bad things security-wise anyhow. He or she will have to bite into more bad apples and install from a home repository...
I think we should consider just pushing 1.0.1g to 12.3 and 13.1 to reduce confusion. :/
Yes, I think that's a very good idea, from a communication point of view.
heartbleed.com and others tell users to identify their vulnerability by version number. People look at the updated packages and think they're still vulnerable. An update to 1.0.1g would mitigate that.
In addition, when one searches at OBS for openssl, the result page is http://software.opensuse.org/package/openssl. The linked info page for the 13.1 official update is about patchinfo 2424 and tells about a patch that was applied 3 months ago. While a recent version is surely in the repositories, that isn't reflected in that info page; or rather, the link on the search result page is wrong. Users searching for updates who are not subscribed to the mailing list or at the forums might be led astray by that missing information update.
Cheers, Joachim
On 10/04/14 05:45, Dsant wrote:
Fixes have been released already for 13.1. zypper patch is your best friend
Will "zypper up" be enough? Or within some time?
Unfortunately no, it will not be enough. If you run servers, you have to
- revoke old ssl certs and install new ones
- The users of such secure sites have to reset their passwords.
FWIW, folks have compiled openSSL 1.0.1g for older versions of openSuSE out on OBS, so you can give it a shot at least. (As an example, Simmphonie has versions for 12.2, 12.3, 13.1, and Factory in both i586 and x86_64 variants.) For older versions, you *may* be able to fork their project and add build targets for other versions of oS. But like it's been commented before, this may work, or may not, or may appear to work but not really work.

To give it a shot, you can run:

rpm -qa | grep openssl

to see what openSSL packages you have on your system; this will say something like

openssl-1.0.1e-1.44.1.i586
libopenssl1_0_0-1.0.1e-1.44.1.i586

In this case, you'd need both the openssl and libopenssl packages, available at

http://software.opensuse.org/package/openssl
http://software.opensuse.org/package/libopenssl1_0_0

When you go to the page, you'd hit "Show other versions" down at the bottom, expand out your desired version of oS, probably need to hit "Show unstable packages", then look for the desired version. Please note that unless the first column says something like "Official Update," you're installing a package that someone else has put together, so there is always the potential for malicious code to be in there, so use at your own risk. You can click on their name to see the list of files that were included in the software and view the files though. Chris
It is good to know that there is a fix, but.... On Wed, Apr 9, 2014 at 7:22 PM, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
On 09/04/14 19:53, Matt Darnell wrote:
Question, has OpenSUSE 13.1 been affected by this? Also has there been a secure fix for this, and if there is a fix has it been tested and did it work?
Fixes have been released already for 13.1. zypper patch is your best friend.
How is it that YaST does not seem to know about it? 'openssl version' reports version 1.0.12 from Feb. 11, 2013. I normally use just YaST and the notifications I get to apply any updates. Do Zypper and YaST play nicely together? I have never used Zypper before, so I read its docs, and it seems 'zypper patch' will apply all available patches for anything that is installed (is that right?), but before I run it, I'd like to know if doing so will interfere, in a bad way, with my current use of YaST to apply updates. Cheers Ted
On Thu, 10 Apr 2014 12:16:21 -0400 Ted Byers <r.ted.byers@gmail.com> wrote:
It is good to know that there is a fix, but....
On Wed, Apr 9, 2014 at 7:22 PM, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
On 09/04/14 19:53, Matt Darnell wrote:
Question, has OpenSUSE 13.1 been affected by this? Also has there been a secure fix for this, and if there is a fix has it been tested and did it work?
Fixes have been released already for 13.1. zypper patch is your best friend.
How is it that YaST does not seem to know about it? 'openssl version' reports version 1.0.12 from Feb. 11, 2013.
It must be a typo, this version does not yet exist.
I normally use just YaST and the notifications I get to apply any updates. Do Zypper and YaST play nicely together?
I have never used Zypper before, so I read its docs, and it seems 'zypper patch' will apply all available patches for anything that is installed (is that right?), but before I run it, I'd like to know if doing so will interfere, in a bad way, with my current use of YaST to apply updates.
No.
Thanks, see below: On Thu, Apr 10, 2014 at 12:34 PM, Andrey Borzenkov <arvidjaar@gmail.com> wrote:
On Thu, 10 Apr 2014 12:16:21 -0400 Ted Byers <r.ted.byers@gmail.com> wrote:
It is good to know that there is a fix, but....
On Wed, Apr 9, 2014 at 7:22 PM, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
On 09/04/14 19:53, Matt Darnell wrote:
Question, has OpenSUSE 13.1 been affected by this? Also has there been a secure fix for this, and if there is a fix has it been tested and did it work?
Fixes have been released already for 13.1. zypper patch is your best friend.
How is it that YaST does not seem to know about it? 'openssl version' reports version 1.0.12 from Feb. 11, 2013.
It must be a typo, this version does not yet exist.
Yes, that was a typo. It was supposed to be version 1.0.1e
I normally use just YaST and the notifications I get to apply any updates. Do Zypper and YaST play nicely together?
I have never used Zypper before, so I read its docs, and it seems 'zypper patch' will apply all available patches for anything that is installed (is that right?), but before I run it, I'd like to know if doing so will interfere, in a bad way, with my current use of YaST to apply updates.
No.
Great, Thanks. Guess what I'll be doing after lunch. ;-) Thanks again. Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D. TED@MERCHANTSERVICECORP.COM
On Thu, Apr 10, 2014 at 12:37 PM, Ted Byers <r.ted.byers@gmail.com> wrote:
Thanks, see below:
On Thu, Apr 10, 2014 at 12:34 PM, Andrey Borzenkov <arvidjaar@gmail.com> wrote:
On Thu, 10 Apr 2014 12:16:21 -0400 Ted Byers <r.ted.byers@gmail.com> wrote:
It is good to know that there is a fix, but....
On Wed, Apr 9, 2014 at 7:22 PM, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
On 09/04/14 19:53, Matt Darnell wrote:
Question, has OpenSUSE 13.1 been affected by this? Also has there been a secure fix for this, and if there is a fix has it been tested and did it work?
Fixes have been released already for 13.1. zypper patch is your best friend.
How is it that YaST does not seem to know about it? 'openssl version' reports version 1.0.12 from Feb. 11, 2013.
It must be a typo, this version does not yet exist.
Yes, that was a typo. It was supposed to be version 1.0.1e
I normally use just YaST and the notifications I get to apply any updates. Do Zypper and YaST play nicely together?
I have never used Zypper before, so I read its docs, and it seems 'zypper patch' will apply all available patches for anything that is installed (is that right?), but before I run it, I'd like to know if doing so will interfere, in a bad way, with my current use of YaST to apply updates.
No.
Great, Thanks. Guess what I'll be doing after lunch. ;-)
It only takes 10 seconds to pull this specific patch:

sudo zypper in -t patch openSUSE-2014-277

Greg
On Thu, Apr 10, 2014 at 12:51 PM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Thu, Apr 10, 2014 at 12:37 PM, Ted Byers <r.ted.byers@gmail.com> wrote:
Thanks, see below:
On Thu, Apr 10, 2014 at 12:34 PM, Andrey Borzenkov <arvidjaar@gmail.com> wrote:
On Thu, 10 Apr 2014 12:16:21 -0400 Ted Byers <r.ted.byers@gmail.com> wrote:
It is good to know that there is a fix, but....
On Wed, Apr 9, 2014 at 7:22 PM, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
On 09/04/14 19:53, Matt Darnell wrote:
Question, has OpenSUSE 13.1 been affected by this? Also has there been a secure fix for this, and if there is a fix has it been tested and did it work?
Fixes have been released already for 13.1. zypper patch is your best friend.
How is it that YaST does not seem to know about it? 'openssl version' reports version 1.0.12 from Feb. 11, 2013.
It must be a typo, this version does not yet exist.
Yes, that was a typo. It was supposed to be version 1.0.1e
I normally use just YaST and the notifications I get to apply any updates. Do Zypper and YaST play nicely together?
I have never used Zypper before, so I read its docs, and it seems 'zypper patch' will apply all available patches for anything that is installed (is that right?), but before I run it, I'd like to know if doing so will interfere, in a bad way, with my current use of YaST to apply updates.
No.
Great, Thanks. Guess what I'll be doing after lunch. ;-)
It only takes 10 seconds to pull this specific patch:
sudo zypper in -t patch openSUSE-2014-277
Greg
I tried that command, and it tells me that patch:openSUSE-2014-277 is already installed. I suppose YaST had picked it up. But openssl version still reports version 1.0.1e. Was the patch just applying the fix to version 1.0.1e, and not an upgrade to version 1.0.1g?

As the machine I tried this on is not hosting a web service that is accessible outside my LAN, how can I check whether or not my system is vulnerable? (i.e. that the patch was properly applied and the version numbers displayed are just confusing?) Perhaps a Perl script (or, since this is my development machine, C++ source code that can be compiled and run)? I know I could Google this, but, given the severity of the vulnerability, I'd rather rely on recommendations from experts here rather than something from an unknown source (I really do not want to have to analyze a lot of source code to ensure it does not introduce something nasty to my system, especially since I am the furthest thing from a security systems engineer - I know nothing about openssl source or how it is supposed to work).

Thanks Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D.
On Thu, Apr 10, 2014 at 1:45 PM, Ted Byers <r.ted.byers@gmail.com> wrote:
Great, Thanks. Guess what I'll be doing after lunch. ;-)
It only takes 10 seconds to pull this specific patch:
sudo zypper in -t patch openSUSE-2014-277
Greg
I tried that command, and it tells me that patch:openSUSE-2014-277 is already installed. I suppose YaST had picked it up. But openssl version still reports version 1.0.1e. Was the patch just applying the fix to version 1.0.1e, and not an upgrade to version 1.0.1g?
Use "sudo rpm -qa | grep ssl" to confirm you have the latest patched versions. This is the package list from the security announcement:

- openSUSE 13.1 (i586 x86_64):
libopenssl-devel-1.0.1e-11.32.1
libopenssl1_0_0-1.0.1e-11.32.1
libopenssl1_0_0-debuginfo-1.0.1e-11.32.1
openssl-1.0.1e-11.32.1
openssl-debuginfo-1.0.1e-11.32.1
openssl-debugsource-1.0.1e-11.32.1

- openSUSE 13.1 (x86_64):
libopenssl-devel-32bit-1.0.1e-11.32.1
libopenssl1_0_0-32bit-1.0.1e-11.32.1
libopenssl1_0_0-debuginfo-32bit-1.0.1e-11.32.1

- openSUSE 13.1 (noarch):
openssl-doc-1.0.1e-11.32.1

- openSUSE 12.3 (i586 x86_64):
libopenssl-devel-1.0.1e-1.44.1
libopenssl1_0_0-1.0.1e-1.44.1
libopenssl1_0_0-debuginfo-1.0.1e-1.44.1
openssl-1.0.1e-1.44.1
openssl-debuginfo-1.0.1e-1.44.1
openssl-debugsource-1.0.1e-1.44.1

- openSUSE 12.3 (x86_64):
libopenssl-devel-32bit-1.0.1e-1.44.1
libopenssl1_0_0-32bit-1.0.1e-1.44.1
libopenssl1_0_0-debuginfo-32bit-1.0.1e-1.44.1

- openSUSE 12.3 (noarch):
openssl-doc-1.0.1e-1.44.1

Greg -- Greg Freemyer
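The recurring confusion in this thread is that `openssl version` keeps printing 1.0.1e after the fix, because openSUSE backported the patch rather than moving to 1.0.1g; what actually changes is the package release (1.0.1e-11.32.1 on 13.1, 1.0.1e-1.44.1 on 12.3). The following is an added example, not code from the thread or from openSUSE, that automates Greg's "compare rpm -qa against the announcement" check: it implements rpm's version-comparison rule, reads constructed `rpm -qa` output, and reports announced openssl packages whose version-release is below the fixed one, skipping the never-affected 1.0.0 and 0.9.8 branches. It also checks an `rpm -q --changelog` text for the CVE line quoted by J.Karliak. The fixed releases and package names are taken from the announcement above; the sample input, including the stale release 11.14.1 for the 32-bit library, is constructed.

```python
import re

# Fixed VERSION-RELEASE per distro, from the security announcement quoted in the thread.
FIXED_RELEASE = {
    "openSUSE 13.1": "1.0.1e-11.32.1",
    "openSUSE 12.3": "1.0.1e-1.44.1",
}
# Package names listed in that announcement.
ANNOUNCED_PACKAGES = {
    "openssl", "openssl-doc", "openssl-debuginfo", "openssl-debugsource",
    "libopenssl-devel", "libopenssl-devel-32bit",
    "libopenssl1_0_0", "libopenssl1_0_0-32bit",
    "libopenssl1_0_0-debuginfo", "libopenssl1_0_0-debuginfo-32bit",
}
# First version of the affected branch; 1.0.0k and 0.9.8 sort below it and are skipped.
FIRST_AFFECTED = "1.0.1"

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """rpm-style comparison of version or release strings: returns -1, 0 or 1.
    Digit runs compare numerically, letter runs lexically, a digit run beats a
    letter run, and '~' sorts before anything, even the end of the string."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while True:
        xa = sa[i] if i < len(sa) else None
        xb = sb[i] if i < len(sb) else None
        if xa == "~" or xb == "~":
            if xa != "~":
                return 1
            if xb != "~":
                return -1
            i += 1
            continue
        if xa is None and xb is None:
            return 0
        if xa is None:
            return -1
        if xb is None:
            return 1
        if xa.isdigit() and xb.isdigit():
            c = (int(xa) > int(xb)) - (int(xa) < int(xb))
        elif xa.isdigit():
            c = 1
        elif xb.isdigit():
            c = -1
        else:
            c = (xa > xb) - (xa < xb)
        if c:
            return c
        i += 1


def compare_vr(a: str, b: str) -> int:
    """Compare two 'VERSION-RELEASE' strings: version first, release as tie-break."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_rpm_qa_line(line: str):
    """Split 'NAME-VERSION-RELEASE.ARCH' as printed by `rpm -qa` into its parts."""
    nvr, _arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def unpatched_packages(rpm_qa_output: str, distro: str) -> list:
    """Announced openssl packages that are installed but below the fixed release."""
    fixed = FIXED_RELEASE[distro]
    stale = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, version, release = parse_rpm_qa_line(line)
        if name not in ANNOUNCED_PACKAGES:
            continue
        if rpmvercmp(version, FIRST_AFFECTED) < 0:
            continue  # 1.0.0 / 0.9.8 branch: never affected
        if compare_vr(f"{version}-{release}", fixed) < 0:
            stale.append(line.strip())
    return stale


def changelog_mentions(changelog: str, cve: str = "CVE-2014-0160") -> bool:
    """Second check: does `rpm -q --changelog openssl` name the fix?"""
    return cve in changelog


# Constructed sample: a 13.1 box where the 64-bit library was patched but the
# 32-bit compatibility library was not (release 11.14.1 is a made-up stale value).
SAMPLE_RPM_QA = """\
openssl-1.0.1e-11.32.1.x86_64
libopenssl1_0_0-1.0.1e-11.32.1.x86_64
libopenssl1_0_0-32bit-1.0.1e-11.14.1.x86_64
openssl-doc-1.0.1e-11.32.1.noarch
"""
# Constructed changelog excerpt modelled on the one quoted in the thread.
SAMPLE_CHANGELOG = """\
* Tue Apr 08 2014 dmueller@suse.com
- update to 1.0.1g:
  * fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299)
"""

if __name__ == "__main__":
    for pkg in unpatched_packages(SAMPLE_RPM_QA, "openSUSE 13.1"):
        print("NOT patched:", pkg)
    print("changelog names the fix:", changelog_mentions(SAMPLE_CHANGELOG))
```

On a real box, feed it `rpm -qa | grep ssl` and `rpm -q --changelog openssl` instead of the constructed strings; the point of the release comparison is that a package built from OBS as 1.0.1g-anything also passes, while 1.0.1e with an older release than the announced one does not, which is exactly the 32-bit library case Joachim warned about.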
On Thu, 10 Apr 2014 13:45:17 -0400 Ted Byers <r.ted.byers@gmail.com> wrote:
version still reports version 1.0.1e. Was the patch just applying the fix to version 1.0.1e, and not an upgrade to version 1.0.1g?
Yes.
Ted Byers 04/10/14 12:45 PM >>>
On Thu, Apr 10, 2014 at 12:51 PM, Greg Freemyer wrote:
On Thu, Apr 10, 2014 at 12:37 PM, Ted Byers wrote:
Thanks, see below:
On Thu, Apr 10, 2014 at 12:34 PM, Andrey Borzenkov wrote:
On Thu, 10 Apr 2014 12:16:21 -0400 Ted Byers wrote:
It is good to know that there is a fix, but....
On Wed, Apr 9, 2014 at 7:22 PM, Cristian Rodríguez wrote:
On 09/04/14 19:53, Matt Darnell wrote:
Question, has OpenSUSE 13.1 been affected by this? Also has there been a secure fix for this, and if there is a fix has it been tested and did it work?
Fixes have been released already for 13.1. zypper patch is your best friend.
How is it that YaST does not seem to know about it? 'openssl version' reports version 1.0.12 from Feb. 11, 2013.
It must be a typo, this version does not yet exist.
Yes, that was a typo. It was supposed to be version 1.0.1e
I normally use just YaST and the notifications I get to apply any updates. Do Zypper and YaST play nicely together?
I have never used Zypper before, so I read its docs, and it seems 'zypper patch' will apply all available patches for anything that is installed (is that right?), but before I run it, I'd like to know if doing so will interfere, in a bad way, with my current use of YaST to apply updates.
No.
Great, Thanks. Guess what I'll be doing after lunch. ;-)
It only takes 10 seconds to pull this specific patch:
sudo zypper in -t patch openSUSE-2014-277
Greg
I tried that command, and it tells me that patch:openSUSE-2014-277 is already installed. I suppose YaST had picked it up. But openssl version still reports version 1.0.1e. Was the patch just applying the fix to version 1.0.1e, and not an upgrade to version 1.0.1g?
As the machine I tried this on is not hosting a web service that is accessible outside my LAN, how can I check whether or not my system is vulnerable? (i.e. that the patch was properly applied and the version numbers displayed are just confusing?) Perhaps a Perl script (or, since this is my development machine, C++ source code that can be compiled and run)? I know I could Google this, but, given the severity of the vulnerability, I'd rather rely on recommendations from experts here rather than something from an unknown source (I really do not want to have to analyze a lot of source code to ensure it does not introduce something nasty to my system, especially since I am the furthest thing from a security systems engineer - I know nothing about openssl source or how it is supposed to work).
Thanks
Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D.
You can download a copy of the ssltest python script here: http://pastebin.com/WmxzjkXJ
then run it as:
cmyers@chrismyers:~/Desktop/heartbleed> python ssltest.py my.millikin.edu
and it should (hopefully) say something like:
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 53
... received message: type = 22, ver = 0302, length = 1201
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable
On 10/04/2014 20:28, Christopher Myers wrote:
You can download a copy of the ssltest python script here:
then run it as:
cmyers@chrismyers:~/Desktop/heartbleed> python ssltest.py my.millikin.edu
I could never make this script work, maybe because copy/paste (in vim!) does not keep correct indentation? jdd -- http://www.dodin.org
On Friday 11 of April 2014 00:03:34 jdd wrote:
I could never make this script work, maybe because copy/paste (in vim!) does not keep correct indentation?
Try :set paste, then paste.
Regards, Peter
On 11/04/2014 07:11, auxsvr@gmail.com wrote:
On Friday 11 of April 2014 00:03:34 jdd wrote:
I could never make this script work, maybe because copy/paste (in vim!) does not keep correct indentation?
Try :set paste, then paste.
in vi? oh, I didn't know this setup :-) thanks anyway. I found a download button (that I'm pretty sure was not here yesterday, maybe due to server overload) and the script doesn't do anything on my site, probably because I do not use https and the script does not take this case into account.
python ssltest.py xxxx.org
Connecting...
Traceback (most recent call last):
File "ssltest.py", line 136, in <module>
main()
File "ssltest.py", line 115, in main
s.connect((args[0], opts.port))
File "/usr/lib64/python2.7/socket.py", line 224, in meth
return getattr(self._sock,name)(*args)
socket.error: [Errno 111] Connection refused
thanks jdd -- http://www.dodin.org
On 10/04/14 14:45, Ted Byers wrote: Was the patch just applying the
fix to version 1.0.1e, and not an upgrade to version 1.0.1g?
Yes, unfortunately whoever made the patch decided not to update the openSSL version but just add a source code patch (not anticipating the myriad of questions we will get about it) -- Cristian "I don't know the key to success, but the key to failure is trying to please everybody."
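Because the openSUSE patch discussed above applies the fix as a source patch without changing the version string, 'openssl version' cannot tell you whether the fix is in. As an added example, not code from this thread or from the openSUSE project, the following POSIX shell script checks the installed RPM's changelog for the CVE id (CVE-2014-0160) instead, which is what a backported fix does change. The package name libopenssl1_0_0 is an assumption, and the sample changelog text is constructed so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): on an RPM-based system a backported
# security fix leaves `openssl version` unchanged, so look for the CVE id in
# the package changelog instead. The package name libopenssl1_0_0 is an
# assumption and SAMPLE_CHANGELOG below is constructed, not real openSUSE data.

# count_cve_mentions CVE-ID
#   Reads changelog text on stdin, prints the number of lines that mention the
#   CVE id (case-insensitive) and returns 0 if there was at least one, else 1.
count_cve_mentions() {
    n=$(grep -ci -- "$1" || true)   # grep -c prints 0 (and exits 1) on no match
    printf '%s\n' "$n"
    [ "$n" -gt 0 ]
}

# Constructed sample in the layout `rpm -q --changelog` prints; the maintainer
# address and bug reference are placeholders.
SAMPLE_CHANGELOG='* Tue Apr 08 2014 maintainer@example.invalid
- Add openssl-CVE-2014-0160.patch: bounds check the TLS heartbeat
  payload length (bsc#PLACEHOLDER)
* Mon Feb 11 2013 maintainer@example.invalid
- Update to 1.0.1e'

# sample_mentions CVE-ID -> match count from the constructed changelog
sample_mentions() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | count_cve_mentions "$1"
}

# check_installed [PACKAGE] [CVE-ID]
#   Live check against the installed package. Exit 0 = changelog records the
#   CVE, 1 = it does not, 2 = rpm or the package is unavailable (nothing checked).
check_installed() {
    pkg="${1:-libopenssl1_0_0}"     # assumed name of the shared-library package
    cve="${2:-CVE-2014-0160}"
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available, nothing checked" >&2; return 2; }
    rpm -q "$pkg" >/dev/null 2>&1  || { echo "$pkg is not installed" >&2; return 2; }
    if rpm -q --changelog "$pkg" | count_cve_mentions "$cve" >/dev/null; then
        echo "$pkg: changelog records $cve; the fix appears to be applied even if the version string is unchanged"
        return 0
    fi
    echo "$pkg: changelog does not mention $cve; the update has not been applied"
    return 1
}

# Stand-alone use: report on the installed package when rpm is present.
check_installed "$@" || :
```

Note that a library update only reaches processes started after it was installed, so long-running services that loaded the old libssl must be restarted (or the machine rebooted) for the fix to take effect; 'zypper ps' lists processes still using deleted files.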
Cristian Rodríguez <crrodriguez@opensuse.org> wrote on 21:48 Thursday, 10 April 2014: On 10/04/14 14:45, Ted Byers wrote:
Was the patch just applying the
fix to version 1.0.1e, and not an upgrade to version 1.0.1g?
Yes, unfortunately whoever made the patch decided not to update the openSSL version but just add a source code patch (not anticipating the myriad of questions we will get about it)
I pointed to the same confusion on the raspberry forum ( http://www.raspberrypi.org/forums/viewtopic.php?p=533499#p533499 ) since Debian also does that: https://security-tracker.debian.org/tracker/CVE-2014-0160 and http://heartbleed.com/ does not seem to notice this. This WILL raise questions.
On Thursday, April 10, 2014 04:48:00 PM Cristian Rodríguez wrote:
On 10/04/14 14:45, Ted Byers wrote: Was the patch just applying the
fix to version 1.0.1e, and not an upgrade to version 1.0.1g?
Yes, unfortunately whoever made the patch decided not to update the openSSL version but just add a source code patch (not anticipating the myriad of questions we will get about it) Thanks, I was just getting ready to ask that very question. I just installed the update earlier. russ -- openSUSE 13.1(Linux 3.11.10-7-desktop x86_64| Intel(R) Quad Core(TM) i5-4440 CPU @ 3.10GHz|8GB DDR3| GeForce 8400GS (NVIDIA-Linux-x86_64-331.49)|KDE 4.12.4
On 11/04/14 19:13, upscope wrote:
Thanks, I was just getting ready to ask that very question. I just installed the update earlier. russ
A new update is on the queue, that upgrades openSSL to version 1.0.1g to clear this confusion. -- Cristian "I don't know the key to success, but the key to failure is trying to please everybody."
On 2014-04-12 03:29, Cristian Rodríguez wrote:
On 11/04/14 19:13, upscope wrote:
Thanks, I was just getting ready to ask that very question. I just installed the update earlier. russ
A new update is on the queue, that upgrades openSSL to version 1.0.1g to clear this confusion.
Good thing! -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Friday, April 11, 2014 10:29:47 PM Cristian Rodríguez wrote:
On 11/04/14 19:13, upscope wrote:
Thanks, I was just getting ready to ask that very question. I just installed the update earlier. russ
A new update is on the queue, that upgrades openSSL to version 1.0.1g to clear this confusion. Thanks, I'll keep my eyes open for it. -- openSUSE 13.1(Linux 3.11.10-7-desktop x86_64| Intel(R) Quad Core(TM) i5-4440 CPU @ 3.10GHz|8GB DDR3| GeForce 8400GS (NVIDIA-Linux-x86_64-331.49)|KDE 4.12.4
* Peter Maffter <petermaffter@yahoo.de> [04-09-14 16:07]:
I am still running OpenSuSE 12.1 with 1.0.0k-34.20.1 openssl So I guess I won't get any update.
Does compilation of a new version (described here: http://dl4oce.wordpress.com/2014/04/08/openssl-bug-heartbleed-beheben/ ) help?
Why would you expect "update"s for an out-of-support version? If you were running 5.0 you also would not get "update"s. -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://linuxcounter.net
Patrick Shanahan <paka@opensuse.org> wrote:
* Peter Maffter <petermaffter@yahoo.de> [04-09-14 16:07]:
I am still running OpenSuSE 12.1 with 1.0.0k-34.20.1 openssl So I guess I won't get any update.
Does compilation of a new version (described here: http://dl4oce.wordpress.com/2014/04/08/openssl-bug-heartbleed-beheben/ ) help?
Why would you expect "update"s for an out-of-support version? If you were running 5.0 you also would not get "update"s.
You do know, as everybody else, that he does not expect an update. The statement "So I guess I won't get any update." clearly indicates it. And the question following it clarifies it as well. That is, your comment was absolutely pointless and not helping. Istvan
On 09/04/14 17:04, Peter Maffter wrote:
Hello,
I am still running OpenSuSE 12.1 with 1.0.0k-34.20.1 openssl So I guess I won't get any update.
Does compilation of a new version (described here: http://dl4oce.wordpress.com/2014/04/08/openssl-bug-heartbleed-beheben/ ) help?
Only openSSL 1.0.1x (not g) is vulnerable; also, we do not release updates for that product anymore. If you upgrade your openSSL installation from 1.0.0k to 1.0.1g following those instructions (or any internet tutorial for that matter) your system is probably not gonna work anymore or major components will break, as it is binary incompatible. Never attempt such an upgrade unless you know exactly what you are doing.. in the best case scenario applications will not start at all.. in the worst case they may appear to work but will have obscure glitches that may require PhD-level understanding of cryptography to debug. -- Cristian "I don't know the key to success, but the key to failure is trying to please everybody."