LinuxQuestions.org
Old 04-07-2014, 10:50 PM   #1
metageek
Member
 
Registered: Jun 2007
Location: manchester, uk
Distribution: Slackware
Posts: 118

Rep: Reputation: 24
Heartbleed


I'm freaking out with this heartbleed bug (see here).

Eagerly waiting for a patch to come out for Slackware.

Thanks in advance to all the developers!
 
Old 04-07-2014, 10:55 PM   #2
BenCollver
Rogue Class
 
Registered: Sep 2006
Location: OR, USA
Distribution: Slackware 14.1
Posts: 161

Rep: Reputation: 51
A patch came out about 8 hours ago.

http://www.linuxquestions.org/questi...ml#post5148304

Last edited by BenCollver; 04-07-2014 at 10:57 PM. Reason: Correcting the URL
 
Old 04-07-2014, 11:01 PM   #3
BenCollver
Rogue Class
 
Registered: Sep 2006
Location: OR, USA
Distribution: Slackware 14.1
Posts: 161

Rep: Reputation: 51
My apologies. The OpenSSL patch came out 8 hours ago, not the Slackware patch.
 
Old 04-07-2014, 11:02 PM   #4
metageek
Member
 
Registered: Jun 2007
Location: manchester, uk
Distribution: Slackware
Posts: 118

Original Poster
Rep: Reputation: 24
Yes I know, I'm building a temporary package with the 1.0.1g source and the source package. Unfortunately the build fails at some point, though it is only for the documentation part (which I am disabling).

But not knowing all the implications (ie which other packages to rebuild), I will be much more confident when all PV's official patches are released.
 
Old 04-07-2014, 11:38 PM   #5
metageek
Member
 
Registered: Jun 2007
Location: manchester, uk
Distribution: Slackware
Posts: 118

Original Poster
Rep: Reputation: 24
I've successfully built openssl-1.0.1g-x86_64-1_slack14.1.txz and openssl-solibs-1.0.1g-x86_64-1_slack14.1.txz using the source package for openssl-1.0.1f. All it took was to remove the previous tarball (openssl-1.0.1f.tar.gz) and drop in the new one, openssl-1.0.1g.tar.gz.

I'd put it on a server for others to download, but right now I do not want to ssh into any server not yet patched... at least my client is already clean.

Now get all new passwords, ssl keys... what a nightmare!
 
Old 04-07-2014, 11:46 PM   #6
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,460

Rep: Reputation: 888
AFAIK pretty much everything in Slackware linking the openssl libraries does it with the dynamic ones, so you should be safe upgrading the openssl and openssl-solibs packages.

FYI, waiting for the official packages, I tried here building from slackware64-current's and slackware64-14.1's sources just substituting the tarball file (well, I also got the signature) and everything seems to have gone fine (no problems with docs building like metageek reported).
 
1 members found this post helpful.
Old 04-07-2014, 11:53 PM   #7
metageek
Member
 
Registered: Jun 2007
Location: manchester, uk
Distribution: Slackware
Posts: 118

Original Poster
Rep: Reputation: 24
Quote:
Originally Posted by ponce
AFAIK pretty much everything in Slackware linking the openssl libraries does it with the dynamic ones, so you should be safe upgrading the openssl and openssl-solibs packages.

Thanks for the info, this sounds good. I did manage to build now that I used the source package in the 14.1 patch folder (rather than the one on the original 14.1 source).
 
Old 04-07-2014, 11:54 PM   #8
jtsn
Member
 
Registered: Sep 2011
Location: Europe
Distribution: Slackware
Posts: 806

Rep: Reputation: 362
Another example that the newest version isn't always the best version. Slackware 13.37 and below are not affected, because they use OpenSSL 0.9.8y.
 
3 members found this post helpful.
Old 04-08-2014, 12:04 AM   #9
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,460

Rep: Reputation: 888
Quote:
Originally Posted by ponce
AFAIK pretty much everything in Slackware linking the openssl libraries does it with the dynamic ones, so you should be safe upgrading the openssl and openssl-solibs packages.

Well, to avoid misunderstanding I have to specify (for the ones that haven't read mancha's post or the dedicated site) that when I said "you should be safe" I meant on the software side: like the reporters say, every certificate (server-side and client-side) is potentially compromised and must be regenerated and so, still potentially, are passwords transmitted on services using openssl...

Last edited by ponce; 04-08-2014 at 12:13 AM.
 
1 members found this post helpful.
Old 04-08-2014, 12:18 AM   #10
metageek
Member
 
Registered: Jun 2007
Location: manchester, uk
Distribution: Slackware
Posts: 118

Original Poster
Rep: Reputation: 24
Yes, all passwords, and ssl keys need to be reset, and this is only on the clients. Servers have further problems with certificates. And all the goodies they keep might already have been taken (password DBs, SSNs, credit card numbers, bitcoins, the whole lot).

Before updating passwords and ssl keys I am not logging in to any site of importance (i.e. banks, etc). I'm physically copying the updated packages using a USB memory stick, not daring to use ssh (since machines receiving them through ssh would not have been patched yet).
 
Old 04-08-2014, 12:26 AM   #11
BenCollver
Rogue Class
 
Registered: Sep 2006
Location: OR, USA
Distribution: Slackware 14.1
Posts: 161

Rep: Reputation: 51
After the upgrade, here is a check for processes that are still using the old version of SSL.

lsof -n | grep ssl | grep DEL
 
2 members found this post helpful.
Old 04-08-2014, 12:56 AM   #12
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,460

Rep: Reputation: 888
regarding that, consider that /usr/lib$LIBDIRSUFFIX/libssl3.so, provided by the mozilla-nss package, is not openssl...
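
Added example (not part of any post in this thread): the check from post #11 done directly against /proc/PID/maps and limited to libssl.so.* and libcrypto.so.*, so that the mozilla-nss libssl3.so mentioned in post #12 is not reported. The function names, the optional PROC_ROOT argument and the sample tree are assumptions made for this example, and the sample maps lines are constructed.

```shell
#!/bin/sh
# After the openssl/openssl-solibs upgrade, running processes keep the old
# (now unlinked) library mapped; the kernel tags such mappings "(deleted)"
# in /proc/PID/maps. Those processes need a restart to pick up 1.0.1g.

# stale_openssl_pids [PROC_ROOT]
# Prints "PID LIBRARY" once per process and library for every deleted
# libssl.so.* / libcrypto.so.* mapping. libssl3.so (NSS) does not match the
# pattern and is ignored. Run as root to see other users' processes.
stale_openssl_pids() {
    root="${1:-/proc}"
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid="${maps%/maps}"
        pid="${pid##*/}"
        # maps fields: address perms offset dev inode pathname [(deleted)]
        awk -v pid="$pid" '
            $NF == "(deleted)" {
                n = split($(NF-1), parts, "/")
                base = parts[n]
                if (base ~ /^lib(ssl|crypto)\.so\./ && !seen[base]++)
                    print pid, base
            }' "$maps"
    done
}

# Constructed sample tree (not real output) for trying the function offline:
# 101 holds the old OpenSSL, 202 holds a replaced NSS library, 303 is current.
make_sample_proc() {
    mkdir -p "$1/101" "$1/202" "$1/303"
    printf '%s\n' \
      '7f10a0000000-7f10a0060000 r-xp 00000000 08:01 1311 /lib64/libssl.so.1.0.0 (deleted)' \
      '7f10a0200000-7f10a03c0000 r-xp 00000000 08:01 1312 /lib64/libcrypto.so.1.0.0 (deleted)' \
      > "$1/101/maps"
    printf '%s\n' \
      '7f20b0000000-7f20b0040000 r-xp 00000000 08:01 2201 /usr/lib64/libssl3.so (deleted)' \
      > "$1/202/maps"
    printf '%s\n' \
      '7f30c0000000-7f30c0060000 r-xp 00000000 08:01 3301 /lib64/libssl.so.1.0.0' \
      > "$1/303/maps"
}

# Live use:    stale_openssl_pids
# Offline use: make_sample_proc /tmp/fakeproc && stale_openssl_pids /tmp/fakeproc
```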
 
Old 04-08-2014, 05:21 AM   #13
moisespedro
Member
 
Registered: Nov 2013
Location: Brazil
Distribution: Slackware
Posts: 959

Rep: Reputation: 108
I tried upgrading it, the build failed :/
 
Old 04-08-2014, 06:09 AM   #14
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 2,579

Rep: Reputation: 431
You can also rebuild the current version but add this parameter so that the heartbeats module will not be built: -DOPENSSL_NO_HEARTBEATS
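
Added example (not part of any post in this thread): a check that reads `openssl version -a` output and reports whether the build is a 1.0.1 through 1.0.1f release and whether it was compiled with -DOPENSSL_NO_HEARTBEATS. The function name, the status words and the sample outputs are assumptions constructed for this example; the version test assumes upstream version strings, as in the Slackware packages discussed here, and covers only the released 1.0.1 series.

```shell
#!/bin/sh
# heartbeat_status: reads `openssl version -a` output on stdin and prints
#   vulnerable            1.0.1 .. 1.0.1f built with the heartbeat code
#   heartbeats-disabled   1.0.1 .. 1.0.1f built with -DOPENSSL_NO_HEARTBEATS
#   not-affected          any other version (for example 0.9.8y or 1.0.1g)
#   unknown               no "OpenSSL <version>" line was found
heartbeat_status() {
    awk '
        NR == 1 && $1 == "OpenSSL" { ver = $2 }
        /^compiler:/ && /-DOPENSSL_NO_HEARTBEATS/ { off = 1 }
        END {
            if (ver == "")                     print "unknown"
            else if (ver !~ /^1\.0\.1[a-f]?$/) print "not-affected"
            else if (off)                      print "heartbeats-disabled"
            else                               print "vulnerable"
        }'
}

# Constructed sample outputs (shortened, not captured from a real system).
SAMPLE_VULN='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -O2 -Wall'
SAMPLE_NOHB='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O2 -Wall'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -O2 -Wall'
SAMPLE_OLD='OpenSSL 0.9.8y 5 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -O2 -Wall'

# Live use: openssl version -a | heartbeat_status
```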
 
Old 04-08-2014, 09:43 AM   #15
ruario
Senior Member
 
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 1,874

Rep: Reputation: 920
Quote:
Originally Posted by moisespedro
I tried upgrading it, the build failed :/

Worked for me. Try this sequence:

Code:
$ cd /tmp
$ wget -R "openssl-1.0.1f.*" -nH --cut-dirs=3 -rl2 ftp://mirrors1.kernel.org/slackware/slackware-14.1/patches/source/openssl/
$ wget -P source/openssl https://www.openssl.org/source/openssl-1.0.1g.tar.gz
$ su -
# cd /tmp/source/openssl
# sh openssl.SlackBuild
At the end you should find two packages in your /tmp directory: openssl-1.0.1g and openssl-solibs-1.0.1g.

Last edited by ruario; 04-08-2014 at 09:48 AM. Reason: Added final sentence
 
1 members found this post helpful.
  

