Heartbleed
I'm freaking out with this heartbleed bug (see here).
Eagerly waiting for a patch to come out for Slackware. Thanks in advance to all the developers! |
|
My apologies. The OpenSSL patch came out 8 hours ago, not the Slackware patch.
|
Yes I know, I'm building a temporary package with the 1.0.1g source and the source package. Unfortunately the build fails at some point, though it is only for the documentation part (which I am disabling).
But not knowing all the implications (i.e. which other packages to rebuild), I will be much more confident when all PV's official patches are released. |
I've successfully built openssl-1.0.1g-x86_64-1_slack14.1.txz and openssl-solibs-1.0.1g-x86_64-1_slack14.1.txz using the source package for openssl-1.0.1f. All it took was to remove the previous tarball (openssl-1.0.1f.tar.gz) and drop in the new one, openssl-1.0.1g.tar.gz.
I'd put it on a server for others to download, but right now I do not want to ssh into any server not yet patched... at least my client is already clean. Now get all new passwords, ssl keys... what a nightmare! |
AFAIK pretty much everything in Slackware linking the openssl libraries does it with the dynamic ones, so you should be safe upgrading the openssl and openssl-solibs packages.
FYI, while waiting for the official packages, I tried here building from slackware64-current's and slackware64-14.1's sources, just substituting the tarball file (well, I also got the signature), and everything seems to have gone fine (no problems with docs building like metageek reported). |
|
Another example that the newest version isn't always the best version. Slackware 13.37 and below are not affected, because they use OpenSSL 0.9.8y.
|
|
Yes, all passwords, and ssl keys need to be reset, and this is only on the clients. Servers have further problems with certificates. And all the goodies they keep might already have been taken (password DBs, SSNs, credit card numbers, bitcoins, the whole lot).
Before updating passwords and ssl keys I am not logging in to any site of importance (i.e. banks, etc). I'm physically copying the updated packages using a USB memory stick, not daring to use ssh (since machines receiving them through ssh would not have been patched yet). |
After the upgrade, here is a check for processes that are still using the old version of SSL.
Code:
lsof -n | grep ssl | grep DEL
|
Regarding that, consider that /usr/lib$LIBDIRSUFFIX/libssl3.so, provided by the mozilla-nss package, is not openssl...
|
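Added example, not part of any post in this thread: the lsof check and the libssl3.so caveat from the two posts above combined into one filter, so only processes still mapping a deleted OpenSSL libssl are listed and NSS is skipped. The function names and the sample rows are constructed for illustration; it assumes lsof marks a mapped-but-deleted file with DEL in the FD column, which is what the grep above relies on.

```shell
#!/bin/sh
# Added example (not from the thread): find processes that still map the
# pre-upgrade libssl and therefore need a restart.

# stale_libssl: read `lsof -n` output on stdin and print "PID COMMAND PATH"
# once per process that maps a deleted libssl.so*.
stale_libssl() {
    awk '
    {
        # Locate the FD column; DEL means the mapped file was deleted.
        del = 0
        for (i = 4; i <= NF; i++) if ($i == "DEL") { del = i; break }
        if (!del) next
        # NAME is the first absolute path after the FD column.
        path = ""
        for (i = del + 1; i <= NF; i++) if ($i ~ /^\//) { path = $i; break }
        if (path == "") next
        n = split(path, parts, "/"); base = parts[n]
        # OpenSSL ships libssl.so.*; libssl3.so belongs to mozilla-nss.
        if (base !~ /^libssl\.so(\.|$)/) next
        key = $2 SUBSEP path
        if (!(key in seen)) { seen[key] = 1; print $2, $1, path }
    }'
}

# Constructed sample rows in lsof column order (not captured output).
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root  DEL REG  8,1    1311027 /usr/lib64/libssl.so.1.0.0
sshd      812 root  mem REG  8,1    1885432 1311099 /usr/lib64/libcrypto.so.1.0.0
httpd    1440 root  DEL REG  8,1    1311027 /usr/lib64/libssl.so.1.0.0
httpd    1440 root  DEL REG  8,1    1311027 /usr/lib64/libssl.so.1.0.0
firefox  2203 alice DEL REG  8,1    1312210 /usr/lib64/libssl3.so
cupsd     950 root  mem REG  8,1    444120 1311500 /usr/lib64/libssl.so.1.0.0
EOF
}

# Pass --live to inspect the running system; default is the sample rows.
if [ "${1:-}" = "--live" ]; then
    lsof -n | stale_libssl
else
    sample_lsof | stale_libssl
fi
```

Every PID it prints belongs to a process started before the upgrade; restart that service or log out of that session so it loads the patched library.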
I tried upgrading it, the build failed :/
|
You can also rebuild the current version but add this parameter so that the heartbeats module will not be built: -DOPENSSL_NO_HEARTBEATS
|
Quote:
Code:
$ cd /tmp |