Page 4 of 5 FirstFirst ... 2345 LastLast
Results 31 to 40 of 44

Thread: opensuse 12.2 and ssh heartbleed.

  1. #31
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: opensuse 12.2 and ssh heartbleed.

    On 2014-04-11 20:26, tsu2 wrote:
    >
    > IMO this thread shows the severe problem with backporting a patch into
    > an existing package version...
    > Unless you test, you cannot be assured easily whether you have a version
    > without certain patches or not.


    A "test" that simply looks at the version, is broken. It can give you a
    false positive.

    And also gives you false negatives...


    You have to actually test for the vulnerability.


    > Perhaps the same policy should be integrated into openSUSE versioning,
    > even if to add a custom minor revision number of our own.


    Yes, this is being considered.

    Notice that updating to the latest upstream package is out of the question.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  2. #32

    Default Re: opensuse 12.2 and ssh heartbleed.

    As an engineer with 30 plus years of experience in design and documentation, I understand both your points. This is a sticky (and difficult) documentation issue.

    As "hcvv" points out openssl-1.0.1e-1.44.1.x86_64.rpm already does contain the revision number "tsu2" would like to see. It's the "1.44.1" part against openssl-1.0.1e. So this issue is covered, and has the added bonus of self documenting which "other vendor" software these changes are applied. i.e. it's a branch in the OpenSUSE revision control system. I like this approach, but it may not be self evident to some who are staring at a big identification string and wondering why the darn thing is so complex?

    If simplified too far, such as only incrementing only the primary number, then confusion is added which will require further documentation to sort out each version number, what was patched, and how it leapfrogged "newer" versions from an outside vendor. 1.0.1e is OpenSSL's number. 1.44.1 is OpenSUSE's number covering all the changes which had to be applied to make 1.0.1e work with everything else in the OpenSUSE system. Development is further complicated by OpenSUSE having to maintain different branches for different releases; 12.2, 12.3, 13.1, 13.2, multiplied by x86, x64, etc.

    As was said elsewhere in this thread, earlier systems probably don't want OpenSSL's 1.0.1g as it is likely to have interface (API) changes which will break existing software in existing systems using OpenSSL's 1.0.1e. And there is a -lot- of software which uses OpenSSL in a system; IMAPS, HTTPS, POPS, Asterisk, ... and on and on.

    The existing documentation system from my point of view works and covers existing need. Anything else is usually education about how things work.

    Peace guys.

  3. #33
    Join Date
    May 2012
    Location
    Finland
    Posts
    2,005

    Default Re: opensuse 12.2 and ssh heartbleed.

    And this is why openSUSE should switch to a rolling distribution format.

    *runs for the hills wearing a flame proof suit*
    .: miuku #suse @ irc.freenode.net
    :: miuku@opensuse.org

    .: h​ttps://download.opensuse.org/repositories/home:/Miuku/

  4. #34
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,271

    Default Re: opensuse 12.2 and ssh heartbleed.

    Quote Originally Posted by Miuku View Post
    And this is why openSUSE should switch to a rolling distribution format.

    *runs for the hills wearing a flame proof suit*
    One of the important reasons I use openSUSE is that it is not using a rolling release system.
    Henk van Velden

  5. #35

    Default Re: opensuse 12.2 and ssh heartbleed.

    I would like to add that I think the real issue tsu2 has is with zypper. "zypper up" wasn't able to "do the right thing" auto-magically with the new repo's. This is why I had to go look at the new 12.2 repository, get the actual names, then tell zypper to forcibly install the correct versions based on what I observed in the repository, and not supersede this choice with what zypper chose as a "newer" version which doesn't address this issue. Testing proved this.

    What we're looking at is a "corner condition" in zypper's design, just now newly identified. If you'd like to see zypper operate differently, as in get more design attention for this kind of corner condition, I suggest leaving a politely worded "Bug" for the team. This bug should be your best effort to explain the problem (this special case) in graphic detail with as many of your own assumptions explained as you can identify before saving. This is hard to do, but worth the time it takes. Otherwise the developer may be scratching their head wondering exactly what you meant and close your clever suggestion as "non-repro" because it was too vague to be actionable in development.

    Remember, you're communicating with someone who likes OpenSUSE as much as you do, who really does want to help you. Give them all the information and encouragement you can so we can all have a better product. And remember, "Stuff Happens". What matters is how you pick yourself up and keep going. Hopefully with as much grace and style as you can manage. And don't forget to smile.

  6. #36

    Default Re: opensuse 12.2 and ssh heartbleed.

    tsu2 wrote:

    >
    > IMO this thread shows the severe problem with backporting a patch into
    > an existing package version...
    > Unless you test, you cannot be assured easily whether you have a version
    > without certain patches or not. So, for instance I assumed for a long
    > time that "zypper up" was sufficient and only looked further when I
    > wasn't seeing the patched version installed on my machines. And, of
    > course @craigarno ran tests to prove whether the patch was installed.
    >
    > If the patch is serious enough... and I think everyone can agree that
    > heartbleed is in this category... then it's a bad idea to backport and
    > so should require a new revision number, even if minor. The openssl
    > project seems to understand this because the mainline release will have
    > a new revision number (1.0.2, succeeding all 1.0.1 versions).
    >
    > Perhaps the same policy should be integrated into openSUSE versioning,
    > even if to add a custom minor revision number of our own. Of course
    > whatever policy is adopted needs to be consistent with mainline
    > versioning so as to automatically perform updates when mainline versions
    > arrive(In a different open source project I subscribe to, they're
    > experiencing severe pains because their previous versioning caused
    > update errors, so "live and learn").
    >


    I agree with you in principle but I've been through enough of these goat-
    ropes to acquire a slightly different perspective. If you do a distribution
    update update you face a substantial testing/verification delay whereas the
    individual patch route allows for an almost instant response. Given that
    this case was simple enough to make just about everyone comfortable with the
    expected result, I see nothing wrong with end-running the established update
    protocol as oS did. Different story if the potential for side effects are
    larger but sometimes you just have to make a judgment call: response speed
    vs. code protocol .

    --
    Will Honea


  7. #37
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: opensuse 12.2 and ssh heartbleed.

    On 2014-04-11 22:16, hcvv wrote:
    >
    > Miuku;2636439 Wrote:
    >> And this is why openSUSE should switch to a rolling distribution format.
    >>
    >> *runs for the hills wearing a flame proof suit*

    > One of the important reasons I use openSUSE is that it is *not* using a
    > rolling release system.


    Same here.

    By the way, I have just read that there is a new update been prepared of
    openSSL to version 1.0.1g, to cover this "version" issue precisely. It
    is not yet available.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  8. #38
    Join Date
    May 2012
    Location
    Planet Houston
    Posts
    64

    Default Re: opensuse 12.2 and ssh heartbleed.

    I am using opensuse 13.1. In looking through the Yast Control Center, I find three instances of openssl 1.0.1e-11.32.1. How can I tell if any of these is a patch for heartbleed?

  9. #39
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    27,110
    Blog Entries
    15

    Default Re: opensuse 12.2 and ssh heartbleed.

    On Sat 12 Apr 2014 09:16:02 PM CDT, MoeNeigh wrote:


    I am using opensuse 13.1. In looking through the Yast Control Center, I
    find three instances of openssl 1.0.1e-11.32.1. How can I tell if any of
    these is a patch for heartbleed?


    Hi
    Look at the changelog for the one that is installed...

    --
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-7-desktop
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!


  10. #40
    Join Date
    May 2012
    Location
    Planet Houston
    Posts
    64

    Default Re: opensuse 12.2 and ssh heartbleed.

    Quote Originally Posted by malcolmlewis View Post
    Hi
    Look at the changelog for the one that is installed...
    Thanks, Malcolm, I found this in the changelog for the latest update for 1.0.1e:

    - Fixed bug[ bnc#872299] CVE-2014-0160: openssl: missing bounds checks for heartbeat messages
    Add file: CVE-2014-0160.patch
    --George

Page 4 of 5 FirstFirst ... 2345 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •