LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 04-16-2014, 02:40 AM   #1
czezz
Member
 
Registered: Nov 2004
Distribution: Slackware/Solaris
Posts: 935

Rep: Reputation: 44
OpenSSL Heartbleed and my old Slackware 12


I read recently about OpenSSL security bug.
I have checked me very old Slackware 12.0.0 installation.

OpenSSL version there is:
Code:
# openssl version
OpenSSL 0.9.8e 23 Feb 2007
According to OpenSSL Security Advisory - TLS heartbeat read overrun (CVE-2014-0160), previous versions (1.0.0 branch and older) are not vulnerable.

Nevertheless I would like to update my OpenSSL to the latest version.
I guess there is no package update for Slackware 12.
So, I was thinking to compile the latest one from sources. Does anyone know any guide how to do that ?

Last edited by czezz; 04-16-2014 at 07:39 AM.
 
Old 04-16-2014, 03:21 AM   #2
mancha
Member
 
Registered: Aug 2012
Posts: 484

Rep: Reputation: Disabled
Hi.

Upgrading to either the 1.0.0 or 1.0.1 branches will not be pain-free. There will be re-compiling of many other packages
involved so be sure that is what you want. Ask yourself if there's a feature missing in 0.9.8 that is critical for you.

Now, 12.0 is on OpenSSL 0.9.8x (not 0.9.8e) so you seem to not have applied all of 12.0's security updates.

If you decide to stay on 0.9.8, I recommend downloading Slackware 12.0's OpenSSL source files (from patches) and using
them to build 0.9.8y (not 0.9.8x).

--mancha

Last edited by mancha; 04-16-2014 at 03:24 AM.
 
1 members found this post helpful.
Old 04-16-2014, 04:45 AM   #3
czezz
Member
 
Registered: Nov 2004
Distribution: Slackware/Solaris
Posts: 935

Original Poster
Rep: Reputation: 44
I have just found this Slackware Security Advisories
http://www.slackware.com/security/vi...ecurity.533622
It says that for Slack 14 and 14.1 and -current it can be simply done with upgradepkg
Code:
Upgrade the packages as root:
# upgradepkg openssl-1.0.1g-i486-1_slack14.1.txz openssl-solibs-1.0.1g-i486-1_slack14.1.txz
I guess it will not work with my Slackware 12 at all ?

If so, I have found latest binary/packages openssl-0.9.8x available at http://packages.slackware.com/ ?
Im thinking to do upgradepkg and as 1.0.0 branch and older are not vulnerable I should be quite safe ?

Code:
openssl-0.9.8x-i486-1_slack12.0.tgz
openssl-solibs-0.9.8x-i486-1_slack12.0.tgz

Last edited by czezz; 04-16-2014 at 05:08 AM.
 
Old 04-16-2014, 05:11 AM   #4
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203Reputation: 203Reputation: 203
Upgrading to openssl-0.9.8x and openssl-solibs-0.9.8x is pain-free.. Feel free download them from the slackware repositories and use, for example:
Code:
upgradepkg openssl-0.9.8x-i486-1_slack12.0.tgz
to upgrade openssl package

Slackware maintained security updates for 12.0 (I don't think it still does now) version so everything from here: http://mirrors.slackware.com/slackwa...ches/packages/ should be useful for you...

Also, please search for slackpkg (I don't think it's included in slackware 12.0 by default) .. it will help you a lot..

If you want to further upgrade your system, you could consider upgrading step by step to 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, 14.1 .. But I would simply make backups of some setting, dbs and other stuff and do a fresh 14.1 install ..

Please be aware that installing the binaries of openssl-1.0.1g will most likely break your system (not render it unusable, but break it)... You could consider getting the sources from here, modify the slackbuild script and try to see if it compiles (then run upgradepkg on the resulting package), but changes are slim..

Last edited by Smokey_justme; 04-16-2014 at 05:12 AM.
 
Old 04-17-2014, 12:32 PM   #5
hendrickxm
Member
 
Registered: Feb 2014
Posts: 344

Rep: Reputation: Disabled
You could try to compile from source.
Grab all the source and patchfiles from:
http://ftp.slackware.com/pub/slackwa...rce/n/openssl/

You could skip the openssl0 directory. Then go to the directory containing the downloaded files.
If you already had 1.0.1g you had to edit the buildversion but this is not the case for 12.0
Run:
Code:
chmod +x openssl.Slackbuild
upgradepkg /tmp/openssl-...
I cannot test this since I use 14.1.
 
1 members found this post helpful.
Old 05-06-2014, 09:42 AM   #6
czezz
Member
 
Registered: Nov 2004
Distribution: Slackware/Solaris
Posts: 935

Original Poster
Rep: Reputation: 44
Good point Mancha.
I did like you said. I used openssl.SlackBuild to create package with latest source code for version openssl-0.9.8


Code:
# ls -al /var/log/packages/ | grep -i openssl
-rw-r--r--  1 root root   27951 2014-05-06 16:28 openssl-0.9.8y-i486-1_slack12.0
-rw-r--r--  1 root root    1602 2014-05-06 16:29 openssl-solibs-0.9.8y-i486-1_slack12.0
# openssl version -a
OpenSSL 0.9.8y 5 Feb 2013
built on: Sun May  4 23:25:27 CEST 2014
platform: linux-elf
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -mtune=i686 -Wall -DOPENSSL_BN_ASM_PART_WORDS -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
OPENSSLDIR: "/etc/ssl"
I am going to stay with 0.9.8 version as it is immune for Heartbleed.

@Hendrickxm - actually your link and dir openssl0 contains everything to build 0.9.8y

Last edited by czezz; 05-06-2014 at 09:43 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
CVE-2014-0160: Heartbleed Bug: OpenSSL Vulnerability tronayne Linux - Security 66 04-21-2014 03:13 PM
LXer: Test Sites for Heartbleed OpenSSL Vulnerability LXer Syndicated Linux News 0 04-09-2014 01:00 PM
LXer: How to find out if your server is affected from Openssl Heartbleed vulnerability (CVE-2014-016 LXer Syndicated Linux News 0 04-08-2014 10:20 AM
LXer: Heartbleed: Serious OpenSSL zero day vulnerability revealed LXer Syndicated Linux News 1 04-08-2014 07:38 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 12:43 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration