
Thread: opensuse 12.2 and ssh heartbleed.

  1. #21

    Re: opensuse 12.2 and ssl heartbleed.

    Quote Originally Posted by tsu2:
    ...
    After running "zypper up" I have just run "zypper patch" and <only then> am I getting the patched openssl package.

    So, this is how people should update their systems to get the heartbleed patch...

    TSU
    Thank you, I didn't know to execute "patch".

    My 12.2 system still shows it is vulnerable to Heartbleed after applying this patch.

    The test sites I use are:
    http://filippo.io/Heartbleed/
    https://www.ssllabs.com/ssltest/

    Both site test results are showing "Fail"

    I watched my system update and upgrade. This is what I saw:
    Code:
    Retrieving package openssl-1.0.1e-2.25.1.x86_64                        (1/1), 515.8 KiB (  1.2 MiB unpacked)
    Retrieving: openssl-1.0.1e-2.25.1.x86_64.rpm ............................................[done (25.8 KiB/s)]
    Installing: openssl-1.0.1e-2.25.1 ....................................................................[done]
    Code:
    # rpm -qa | grep ssl
    docbook-dsssl-stylesheets-1.79-165.152.1.noarch
    openssl-1.0.1e-2.25.1.x86_64
    libopenssl-devel-1.0.1e-2.25.1.x86_64
    libopenssl1_0_0-1.0.1e-2.25.1.x86_64
    libopenssl1_0_0-32bit-1.0.1e-2.25.1.x86_64
    php5-openssl-5.3.15-1.20.1.x86_64
    Any idea what I missed and what I need to do from here? I need to get on an airplane and leave soon and can't afford the possible downtime from collateral damage an "update" to 12.3 might cause. I have to admit, I'm considering risking a broken upgrade to 12.3 anyway. This server is running a lot of different packages and processes, and at the moment, they're all working except for this Heartbleed issue. It was this issue which helped me discover 12.2 is no longer supported.

  2. #22

    Re: opensuse 12.2 and ssh heartbleed.

    Quote Originally Posted by tsu2:
    Interesting.
    So, I just tested on my systems... although I ordinarily just run "zypper up" with the expectation that an update should provide superior protection and implement <all> recent improvements, in this case <it will not capture the heartbleed patch>.

    After running "zypper up" I have just run "zypper patch" and <only then> am I getting the patched openssl package.
    Running 'zypper up' was sufficient for me.

  3. #23

    Re: opensuse 12.2 and ssh heartbleed.

    Hi there
    I've found a patched openssl for opensuse 12.2 in the repo "http://download.opensuse.org/repositories/Base:/System/openSUSE_Factory/" :
    rpm -qp --changelog http://download.opensuse.org/reposit...0.2.x86_64.rpm

    * Tue Apr 08 2014 dmueller@suse.com
    - update to 1.0.1g:
    * fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299)
    * Fix for Recovering OpenSSL ECDSA Nonces (CVE-2014-0076) (bnc#869945)
    * Workaround for the "TLS hang bug" (see FAQ and PR#2771)

    I upgraded it and all seems to be okay.

    J.Karliak.

  4. #24

    Re: opensuse 12.2 and ssh heartbleed.

    Quote Originally Posted by karlijos:
    Hi there
    I've found a patched openssl for opensuse 12.2 in the repo "http://download.opensuse.org/repositories/Base:/System/openSUSE_Factory/" :
    rpm -qp --changelog http://download.opensuse.org/reposit...0.2.x86_64.rpm
    I would not recommend installing a Factory package on 12.2, and even less adding that repo.

    Use this repo f.e., it contains the (fixed) 12.3 packages built for 12.2:
    https://build.opensuse.org/package/s...ackage=openssl

    And yes, on 12.3 and 13.1 you should get the fixed packages by running "zypper up" as well. If you don't, you either don't have the update repo in your repo list, or you have not installed libopenssl-1_0_0 from the standard repo in the first place. (keyword "vendor stickiness")

  5. #25

    Re: opensuse 12.2 and ssh heartbleed.

    Is there any reason not to use that repo ? Just asking

  6. #26

    Re: opensuse 12.2 and ssh heartbleed.

    Quote Originally Posted by karlijos:
    Is there any reason not to use that repo ? Just asking
    Yes, the packages in there are built for Factory, i.e. the testing branch of the next openSUSE version.

    Also it is in fact the development repo for Factory, so the packages in there might break at any time.

    And finally, the latest openssl packages might not be fully compatible with the ones shipped with 12.2, which would break _all_ your software that uses them.
    There is a reason why new versions of software are normally not released as official updates, only backported fixes.

    Why don't you just want to use the 12.2 packages that I pointed to?
    Again, those are the same as the 12.3 update, but built for 12.2.
    Last edited by wolfi323; 11-Apr-2014 at 05:57.

  7. #27

    Re: opensuse 12.2 and ssh heartbleed.

    On 2014-04-11 10:56, wolfi323 wrote:
    > I would not recommend to install a Factory package on 12.2, and even
    > less to add that repo.


    I read in passing a reference to the 12.2 package being built on a
    factory repo by someone. It might be this package. If it is, the package
    "might" be installed, but the repo should not be added. And I don't
    understand why it is there.

    This info is not verified.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  8. #28

    Re: opensuse 12.2 and ssl heartbleed.

    Quote Originally Posted by craigarno:
    Thank you, I didn't know to execute "patch".

    The test sites I use are:
    http://filippo.io/Heartbleed/
    https://www.ssllabs.com/ssltest/

    ... Any idea what I missed and what I need to do from here?
    I hate to have to answer my own question, but I was finally able to get this patch installed in my 12.2 server, and it does work. Here's what I had to do:

    First go to http://software.opensuse.org/downloa...ackage=openssl and perform the 1-Click Install to get the right repos configured. Then:
    Code:
    zypper in -f  openssl-1.0.1e-1.46.2.x86_64 libopenssl1_0_0-1.0.1e-1.46.2.x86_64
    
    /etc/init.d/apache2 restart
    Then I tested against http://filippo.io/Heartbleed/ and finally saw an "All good, xxxxx seems fixed or unaffected!"

    Thank you for this patch! Now I can go catch a plane and upgrade to 12.3 when I have more time to manage collateral upgrade damage. I know if I want to do this right I now need to upgrade certificate and change passwords on my site. Or run the risk that I'm tiny enough, nobody will care.

  9. #29

    Re: opensuse 12.2 and ssh heartbleed.

    IMO this thread shows the severe problem with backporting a patch into an existing package version...
    Unless you test, you cannot be assured easily whether you have a version without certain patches or not. So, for instance I assumed for a long time that "zypper up" was sufficient and only looked further when I wasn't seeing the patched version installed on my machines. And, of course @craigarno ran tests to prove whether the patch was installed.

    If the patch is serious enough... and I think everyone can agree that heartbleed is in this category... then it's a bad idea to backport and so should require a new revision number, even if minor. The openssl project seems to understand this because the mainline release will have a new revision number (1.0.2, succeeding all 1.0.1 versions).

    Perhaps the same policy should be integrated into openSUSE versioning, even if to add a custom minor revision number of our own. Of course whatever policy is adopted needs to be consistent with mainline versioning so as to automatically perform updates when mainline versions arrive (in a different open source project I subscribe to, they're experiencing severe pains because their previous versioning caused update errors, so "live and learn").

    TSU
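    As an added example, not code from the thread: a small POSIX shell check that follows karlijos's approach (reading the RPM changelog for CVE-2014-0160) and tsu2's point above that the version string alone cannot tell a backported build from an unpatched one. The changelog fragments are constructed stand-ins for `rpm -q --changelog openssl` output, the first modelled on the entry quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Decide whether an installed openssl
# package carries the Heartbleed fix by reading its RPM changelog, as karlijos
# did with "rpm -qp --changelog", instead of trusting the version string:
# both 1.0.1e-2.25.1 (unpatched) and 1.0.1e-1.46.2 (patched) report "1.0.1e".

# Constructed changelog fragments standing in for `rpm -q --changelog openssl`;
# the first is modelled on the entry quoted in the thread, the second is made up.
FIXED_LOG='* Tue Apr 08 2014 dmueller@suse.com
- update to 1.0.1g:
  * fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299)
  * Fix for Recovering OpenSSL ECDSA Nonces (CVE-2014-0076) (bnc#869945)'

UNFIXED_LOG='* Mon Feb 10 2014 someone@example.org
- backport of an unrelated earlier fix (CVE-2013-NNNN, placeholder id)'

# changelog_has_cve CHANGELOG CVE-ID: succeeds if the id appears as a whole
# token, so CVE-2014-0160 is not matched by a longer id sharing its prefix.
changelog_has_cve() {
    printf '%s\n' "$1" | grep -Eq "(^|[^0-9A-Za-z-])$2([^0-9]|\$)"
}

# heartbleed_status VERSION CHANGELOG: prints fixed, vulnerable or unknown.
# Upstream 1.0.1 through 1.0.1f are affected; a distro build of one of those
# versions is only safe if its changelog records the backported fix.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*)
            if changelog_has_cve "$2" CVE-2014-0160; then
                echo fixed
            else
                echo vulnerable
            fi ;;
        1.0.1[g-z]*)
            echo fixed ;;          # 1.0.1g is upstream's fixed release
        *)
            echo unknown ;;        # other series: not decided by this check
    esac
}

# Stand-alone demo: same upstream version, different answers.
heartbleed_status 1.0.1e-2.25.1 "$UNFIXED_LOG"   # vulnerable
heartbleed_status 1.0.1e-1.46.2 "$FIXED_LOG"     # fixed
```

On a real system the second argument would be `"$(rpm -q --changelog openssl)"` and the first `"$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl)"`; a "vulnerable" result is the cue to run `zypper patch` or install the backported build as craigarno did.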

  10. #30

    Re: opensuse 12.2 and ssh heartbleed.

    I do not understand you at all. When I look with YaST > Software > Software Management, I find these versions for libopenssl:

    They are all on the Update repo and put there after the first one (the lowest in the list) was introduced on the release of openSUSE 13.1 in the OSS repo. As you can see, they all have different minor numbers. They are all the result of different backports over time. They can all easily be identified.

    As I said earlier, you can get the latest by YaST Online Update, or by zypper patch. You can also do zypper up because that will include zypper patch (and it will also install newer versions of packages you have on other repos than the standard OSS, non-OSS and Update repos).

    Can you please explain what sort of revision number you mean.
    Henk van Velden
