
Thread: Installing Heartbleed patch

  1. #1
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Installing Heartbleed patch

    Although I also just posted in the heartbleed thread in the Applications forum, I think this important enough to re-post here.

    If you're in the habit of running "zypper up" you <will not> patch your openssl if you already have openssl v1.0.1e installed (and if you regularly run zypper up this would be the case).

    You must also run the following to capture the heartbeat patch
    Code:
    zypper patch
    The only time "zypper patch" might be avoided is if you're installing openssl when it didn't exist before or you haven't updated your system for months.

    TSU

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    29,735

    Re: Installing Heartbleed patch

    I did simply YaST > Software > Online Update (also known as YaST Online Update or YOU) as I do regularly and it installed the patch. This is the same as zypper patch.

    But IMHO zypper up includes zypper patch. The problem is that I never use zypper up, thus I can not prove that zypper up does install this particular patch. And you did already zypper patch, thus unless you deinstall it, you can not repeat it to prove what you say.
    Henk van Velden

  3. #3
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    20,925
    Blog Entries
    14

    Re: Installing Heartbleed patch

    I already had the latest version installed, simply got an update. It could be forced from the spec. file IIRC.
    ° Perfection is not gonna happen. No way.

    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  4. #4
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Re: Installing Heartbleed patch

    Is repeatable.

    As I described, if you already have openssl v 1.0.1e installed (current stable), it won't update with the patch with simply "zypper up"
    Requires "zypper patch"

    If you don't have v 1.0.1e installed, then you'd be "newly installing 1.0.1e" which would mean you'd get the patch.

    Is easy to verify.
    No matter what method you normally use to update your system, after it runs run "zypper patch" and see if openssl v 1.0.1e is offered again.

    TSU

  5. #5
    Join Date
    Jun 2008
    Location
    The English Lake District. UK - GMT/BST
    Posts
    36,857
    Blog Entries
    20

    Re: Installing Heartbleed patch

    Considering I never do zypper patch and only zypper up

    Code:
    rpm -qa openssl
    openssl-1.0.1e-11.32.1.x86_64
    kernelcruncher@kernelcruncher:~> rpm -qi openssl
    Name        : openssl
    Version     : 1.0.1e
    Release     : 11.32.1
    Architecture: x86_64
    Install Date: Wed 09 Apr 2014 04:31:56 BST
    Group       : Productivity/Networking/Security
    Size        : 1310122
    License     : OpenSSL
    Signature   : RSA/SHA256, Tue 08 Apr 2014 11:05:25 BST, Key ID b88b2fd43dbdc284
    Source RPM  : openssl-1.0.1e-11.32.1.src.rpm
    Build Date  : Tue 08 Apr 2014 08:21:55 BST
    Build Host  : build08
    Relocations : (not relocatable)
    Packager    : http://bugs.opensuse.org
    Vendor      : openSUSE
    URL         : http://www.openssl.org/
    Summary     : Secure Sockets and Transport Layer Security
    Tumbleweed_KDE

  6. #6
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    23,698
    Blog Entries
    1

    Re: Installing Heartbleed patch

    Quote Originally Posted by caf4926 View Post
    Considering I never do zypper patch and only zypper up

    Code:
    rpm -qa openssl
    openssl-1.0.1e-11.32.1.x86_64
    kernelcruncher@kernelcruncher:~> rpm -qi openssl
    Name        : openssl
    Version     : 1.0.1e
    Release     : 11.32.1
    Architecture: x86_64
    Install Date: Wed 09 Apr 2014 04:31:56 BST
    Group       : Productivity/Networking/Security
    Size        : 1310122
    License     : OpenSSL
    Signature   : RSA/SHA256, Tue 08 Apr 2014 11:05:25 BST, Key ID b88b2fd43dbdc284
    Source RPM  : openssl-1.0.1e-11.32.1.src.rpm
    Build Date  : Tue 08 Apr 2014 08:21:55 BST
    Build Host  : build08
    Relocations : (not relocatable)
    Packager    : http://bugs.opensuse.org
    Vendor      : openSUSE
    URL         : http://www.openssl.org/
    Summary     : Secure Sockets and Transport Layer Security
    Same here. (I only ever run zypper up.)

  7. #7

    Re: Installing Heartbleed patch

    Quote Originally Posted by deano_ferrari View Post
    Same here. (I only ever run zypper up.)
    Same here.

    And this is of course how "zypper up" is designed to work.

    IMHO, if you don't get the fixed "libopenssl1_0_0" package with "zypper up", you either don't have the update repo in your repo list (but then you would not get it with "zypper patch" either of course), or you installed it from a different repo than the standard OSS one. ("vendor stickiness")

    Quote Originally Posted by tsu2 View Post
    If you don't have v 1.0.1e installed, then you'd be "newly installing 1.0.1e" which would mean you'd get the patch.
    I doubt that anybody here did install the package newly.
    It is required by so many other packages (directly or indirectly), that you wouldn't be able to boot your system without it.
    Just try to uninstall it as a test, zypper says this on my system: (I omitted the list of packages that are going to be removed, because it was too long, but I guess you should see the point)
    Code:
    # zypper rm libopenssl1_0_0
    Loading repository data
    Reading installed packages...
    Resolving package dependencies...
    
    The following 4 NEW packages are going to be installed:
      emacs-nox gcc-gij gcc48-gij java-1_5_0-gcj-compat 
    
    The following 2770 packages are going to be REMOVED:
    ...
    The following package is going to be downgraded:
      libtotem-plparser-mini18 
    
    1 package to downgrade, 4 new, 2770 to remove.
    Overall download size: 1.8 MiB. After the operation, 8.6 GiB will be freed.
    Continue? [y/n/p/? shows all options] (y):

  8. #8
    Join Date
    Jun 2008
    Location
    UK
    Posts
    5,500

    Re: Installing Heartbleed patch

    Quote Originally Posted by caf4926 View Post
    Considering I never do zypper patch and only zypper up

    Code:
    rpm -qa openssl
    openssl-1.0.1e-11.32.1.x86_64
    kernelcruncher@kernelcruncher:~> rpm -qi openssl
    Name        : openssl
    Version     : 1.0.1e
    Release     : 11.32.1
    Architecture: x86_64
    Install Date: Wed 09 Apr 2014 04:31:56 BST
    Group       : Productivity/Networking/Security
    Size        : 1310122
    License     : OpenSSL
    Signature   : RSA/SHA256, Tue 08 Apr 2014 11:05:25 BST, Key ID b88b2fd43dbdc284
    Source RPM  : openssl-1.0.1e-11.32.1.src.rpm
    Build Date  : Tue 08 Apr 2014 08:21:55 BST
    Build Host  : build08
    Relocations : (not relocatable)
    Packager    : http://bugs.opensuse.org
    Vendor      : openSUSE
    URL         : http://www.openssl.org/
    Summary     : Secure Sockets and Transport Layer Security
    Exactly the same here except my openssl Install Date was 08 Apr. This is on Tumbleweed where "zypper dup" takes care of all updates including patches.

    Just ran "zypper patch": Nothing to do.
    Leap 42.3 (ext4, KDE Plasma 5.8.7) ~ stable
    Manjaro (ext4, Xfce) ~ rolling updates
    Tumbleweed (ext4, KDE Plasma5) ~ managed updates via "Tumbleweed Snapshots" service.

  9. #9
    Join Date
    Jun 2008
    Location
    UK
    Posts
    5,500

    Re: Installing Heartbleed patch

    Quote Originally Posted by tsu2 View Post
    Is repeatable.

    As I described, if you already have openssl v 1.0.1e installed (current stable), it won't update with the patch with simply "zypper up"
    Requires "zypper patch"
    How so? If it's already installed, as for most users, openssl would have been updated several times from Oss Updates repo (see below from /var/log/zypp/history). Therefore I don't get your scenario.

    Version 1.0.1e goes back to 12.3 at least, where actually I see it in my Tumbleweed's zypp log:
    Code:
    2013-09-21 16:24:18|install|openssl|1.0.1e-1.1.1|x86_64||openSUSE-12.3-1.7|4a9ea9efc93c42e6667550385313d887ed2d35b0efc40567b851d9ad4ec3de8e|
    Tumbleweed rolled on through to a rebase on 13.1 where openssl is installed from the standard Oss repo:
    Code:
    2013-11-20 13:41:07|install|openssl|1.0.1e-11.2.1|x86_64||openSUSE Current OSS|858b567d77246065cc499cd6a43f22cee7cfa475f6e2a354ca2d7235981d3a6d|
    Several openssl updates later this is the fourth:
    Code:
    2014-02-12 17:06:37|install|openssl|1.0.1e-11.24.1|x86_64||openSUSE Current OSS updates|81ae928f73029b8f00f2c790d8a2f3a35b2e63302de0cf8317dcf76f15af243e|
    Followed by the latest update (assuming patch included):
    Code:
    2014-04-08 16:02:33|install|openssl|1.0.1e-11.32.1|x86_64||openSUSE Current OSS updates|d51c904b72551604c57448525622b1325a24b5f194e2f5c97fe93dc0933d704b|
    If you don't have v 1.0.1e installed, then you'd be "newly installing 1.0.1e" which would mean you'd get the patch.

    Is easy to verify.
    Probably, but again that is an unlikely scenario if 13.1 is installed. So how did you reproduce and verify?
    Leap 42.3 (ext4, KDE Plasma 5.8.7) ~ stable
    Manjaro (ext4, Xfce) ~ rolling updates
    Tumbleweed (ext4, KDE Plasma5) ~ managed updates via "Tumbleweed Snapshots" service.
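
Added example, not part of any post in this thread: a shell script that reads the pipe-separated /var/log/zypp/history format quoted in post #9 and reports whether the newest recorded openssl install is at least 1.0.1e-11.32.1, the release the thread assumes carries the fix. The sample lines are the four entries from post #9 with the checksum field replaced by a placeholder; the function names are hypothetical, and GNU `sort -V` is an assumed stand-in for RPM's own version ordering.

```shell
#!/bin/sh
# Added example: audit package installs recorded in zypp's history log.
# Fields, as in the lines quoted in post #9:
#   date|action|name|version-release|arch|requested-by|repo|checksum|

# Constructed sample: the four openssl entries from post #9, with the
# checksum field replaced by a placeholder.
sample_history() {
cat <<'EOF'
2013-09-21 16:24:18|install|openssl|1.0.1e-1.1.1|x86_64||openSUSE-12.3-1.7|<checksum>|
2013-11-20 13:41:07|install|openssl|1.0.1e-11.2.1|x86_64||openSUSE Current OSS|<checksum>|
2014-02-12 17:06:37|install|openssl|1.0.1e-11.24.1|x86_64||openSUSE Current OSS updates|<checksum>|
2014-04-08 16:02:33|install|openssl|1.0.1e-11.32.1|x86_64||openSUSE Current OSS updates|<checksum>|
EOF
}

# Print "version-release|repo" for the newest install of package $1
# (history on stdin). A later remove of the package clears the result.
last_install() {
    awk -F'|' -v pkg="$1" '
        /^#/ { next }                      # skip comment lines
        { act = $2; gsub(/ /, "", act) }   # tolerate a padded action field
        $3 == pkg && act == "install" { last = $4 "|" $7 }
        $3 == pkg && act == "remove"  { last = "" }
        END { if (last != "") print last }'
}

# True if version-release $1 sorts at or above $2. Assumption: GNU sort -V
# stands in for RPM's own comparison, which is adequate for these strings.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Exit 0 if the newest install of $1 is at least $2, 1 if older,
# 2 if the log records no install.
check_fixed() {
    cf_entry=$(last_install "$1")
    [ -n "$cf_entry" ] || { echo "$1: no install recorded"; return 2; }
    cf_ver=${cf_entry%%|*}
    cf_repo=${cf_entry#*|}
    if ver_ge "$cf_ver" "$2"; then
        echo "$1 $cf_ver (repo: $cf_repo) is at or above $2"
    else
        echo "$1 $cf_ver (repo: $cf_repo) is older than $2"
        return 1
    fi
}

# On a real system: check_fixed openssl 1.0.1e-11.32.1 < /var/log/zypp/history
sample_history | check_fixed openssl 1.0.1e-11.32.1
```

Post #7 names libopenssl1_0_0 as the package that carries the fixed library, so on a real system the same check is worth repeating for that package name with the release the update repo lists for it.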

  10. #10
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,317

    Re: Installing Heartbleed patch

    On Thu, 10 Apr 2014 19:06:01 +0000, tsu2 wrote:

    > Although I also just posted in the heartbleed thread in the Applications
    > forum, I think this important enough to re-post here.
    >
    > If you're in the habit of running "zypper up" you <will not> patch your
    > openssl if you already have openssl v1.0.1e installed (and if you
    > regularly run zypper up this would be the case).
    >
    > You must also run the following to capture the heartbeat patch
    >
    > Code:
    > --------------------
    > zypper patch
    > --------------------
    >
    >
    > The only time "zypper patch" might be avoided is if you're installing
    > openssl when it didn't exist before or you haven't updated your system
    > for months.
    >
    > TSU


    One thing I noticed when updating my systems was that on one where I had
    the openssl debuginfo installed, the patch wasn't installed using zypper
    up. I had to specifically run "zypper patch" and then force it to remove
    the debuginfo patch for the patch to be installed.

    If you run "zypper pch" and search for "Needed" patches, that'll tell you
    if you have anything that wasn't applied by "zypper up" due to a conflict
    of some sort.

    Jim

    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
