huuan Apprentice
Joined: 19 Feb 2007 Posts: 265 Location: California
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Thu Apr 10, 2014 11:59 pm Post subject: Re: GLSA 2014-07 differs from the openssl bug report
huuan wrote:
    GLSA 2014-07 says:
    Quote: Vulnerable: < 1.0.1g
    but secadv_20140407.txt says:
    Quote: Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
huuan ... it's late for me, but these seem to be consistent; they refer to "releases" and so match a release (the 1.0.1[:alpha:] and 1.0.2-beta1 series).
huuan wrote:
    due to other issues I have been stuck at dev-libs/openssl-1.0.0j but GLSA-check is telling me that my server is vulnerable whereas the python test script + the openssl bug says not.
This only affects TLS heartbeat, so perhaps the 'test script' passes as you have this useflag disabled? I believe glsa-check only correlates the package version, not the useflags enabled. Anyhow, it should only affect TLS, so if that isn't in use (ie, you're only using openssh) then you shouldn't be affected (updating is no doubt a good idea nonetheless).
best ... khay
Hu Moderator
Joined: 06 Mar 2007 Posts: 21605
Posted: Fri Apr 11, 2014 1:29 am
I think huuan's point is that his version of OpenSSL is so old that it predates the introduction of the bug, but the GLSA is saying he is affected because his version is older than the first version with a non-vulnerable TLS heartbeat. It may be that the GLSA atom matching language is not complex enough to express the concept that only versions >A and also <B are affected.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Apr 11, 2014 2:09 am
hu ... you're right, 1.0.0j I read as 1.0.1[:alpha:] ... having looked at the available packages and seeing 1.0.0j masked I'd seen that as the package being updated, not a separate release, but of course the vulnerable packages have been removed, not masked.
I guess the best thing to do in such cases is to not worry about glsa-check's advice :)
best ... khay
huuan Apprentice
Joined: 19 Feb 2007 Posts: 265 Location: California
Posted: Fri Apr 11, 2014 3:05 am
It makes sense that the GLSA doesn't have a > and <.
Our server had to stay downgraded with openssl due to a load balancer that our server required to interact with that couldn't renegotiate. Then once that was fixed I lacked the time to update. Turns out to have been a bonus in this instance.
Thanks for your help.
Whome001 n00b
Joined: 12 Apr 2014 Posts: 10
Posted: Sat Apr 12, 2014 10:26 am
(I hope you find this post relevant enough to this topic)
I keep getting a vulnerable warning from the filippo.io test site.
I have run the usual emerge --sync, emerge -DuNa world, emerge --depclean, revdep-rebuild and
emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1g"
and even an emerge openssl recompilation. Rebooted the machine.
This is what openssl version says, and the filippo.io site gives a heartbleed warning. Should I trust something, or is something hidden blocking the emerge openssl fix from being applied? Any ideas how I can see if 1.0.1g was applied to the apache, ssh services? Do I need to recompile apache2 as well?
Code:
    # openssl version -a
    OpenSSL 1.0.2-beta1 24 Feb 2014
    built on: Sat Apr 12 13:08:52 EEST 2014
    platform: linux-x86_64
    options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
    compiler: x86_64-pc-linux-gnu-gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -O2 -pipe -fno-strict-aliasing -Wa,--noexecstack
    OPENSSLDIR: "/etc/ssl"
    # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1g"
    These are the packages that would be merged, in order:
    Calculating dependencies... done!
    [ebuild R *] dev-libs/openssl-1.0.2_beta1 USE="(sse2) tls-heartbeat zlib -bindist -gmp -kerberos -rfc3779 -static-libs {-test} -vanilla" 0 kB
    Total: 1 package (1 reinstall), Size of downloads: 0 kB
    Would you like to merge these packages? [Yes/No]
http://filippo.io/Heartbleed/
https://forums.gentoo.org/viewtopic-t-988398-highlight-openssl.html
https://forums.gentoo.org/viewtopic-t-988198-highlight-openssl.html
TomWij Retired Dev
Joined: 04 Jul 2012 Posts: 1553
Posted: Sat Apr 12, 2014 11:43 am
Code:
    # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1g"
    [ebuild R *] dev-libs/openssl-1.0.2_beta1 USE="(sse2) tls-heartbeat zlib -bindist -gmp -kerberos -rfc3779 -static-libs {-test} -vanilla" 0 kB
That is quite odd; but I think I see the issue, can you run `emerge -uDN dev-libs/openssl` instead?
The -u causes it to upgrade instead of reinstall, the D considers deep dependencies, the N makes sure you pick up USE flag changes.
An alternative way to make sure you are safe is to set USE="-tls-heartbeat" and do `emerge -N dev-libs/openssl`; that way the exploit is gone, if you don't need the heartbeats.
The * in the output is also of concern; perhaps there are some mask and/or unmask entries in /etc/portage/ that force you to have this version?
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Sat Apr 12, 2014 12:42 pm
Whome001 wrote:
    I keep getting vulnerable warning from filippo.io test site.
Whome001 ... yes, because =dev-libs/openssl-1.0.2-beta1 is also an affected package. That package is unkeyworded and so shouldn't be selected as a valid atom. Effectively it's masked by missing keyword, and so you must have some "**" keywording.
Whome001 wrote:
    Code:
        # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1g"
Note that not all packages > a specific fixed package are necessarily also fixed. The above would have worked had you not had some keywording that allowed 1.0.2-beta1 to fulfil the ">". The following would provide the actual fixed package ...
Code:
    # emerge --ask --oneshot --verbose =dev-libs/openssl-1.0.1g
... but you should really check your keywording.
best ... khay
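An added example (not from this thread, Gentoo's tooling, or Portage's atom matcher) that models the two rules Hu and khayyam contrast: the GLSA's one-sided "< 1.0.1g" check against the advisory's two-sided "1.0.1 up to 1.0.1f, plus 1.0.2-beta" range. The version parser is a hypothetical stand-in that understands both upstream (1.0.2-beta1) and Gentoo (1.0.2_beta1) spellings.

```python
import re

# Constructed from the two rules quoted in this thread: the GLSA's "Vulnerable: < 1.0.1g"
# and the OpenSSL advisory's "only 1.0.1 and 1.0.2-beta releases ... including 1.0.1f and
# 1.0.2-beta1". This parser is a hypothetical stand-in, not Portage's atom matcher.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:[-_]beta(\d+))?$")


def parse_openssl_version(text):
    """Map '1.0.0j', '1.0.1f', '1.0.2-beta1' or Gentoo's '1.0.2_beta1' to a sortable tuple
    (major, minor, patch, letter_rank, beta_rank). Letters sort a < b < ...; a release
    without a letter ranks 0; a final release ranks above any of its betas."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, patch, letters, beta = m.groups()
    letter_rank = 0
    for ch in letters:  # base-26 so a multi-letter suffix still sorts after single letters
        letter_rank = letter_rank * 26 + (ord(ch) - ord("a") + 1)
    beta_rank = int(beta) if beta else float("inf")
    return (int(major), int(minor), int(patch), letter_rank, beta_rank)


def glsa_says_vulnerable(version):
    """The one-sided range the GLSA encodes: everything below 1.0.1g."""
    return parse_openssl_version(version) < parse_openssl_version("1.0.1g")


def advisory_says_vulnerable(version):
    """The two-sided range from the advisory: 1.0.1 .. 1.0.1f, plus any 1.0.2 beta."""
    v = parse_openssl_version(version)
    in_101_series = parse_openssl_version("1.0.1") <= v <= parse_openssl_version("1.0.1f")
    is_102_beta = v[:3] == (1, 0, 2) and v[4] != float("inf")
    return in_101_series or is_102_beta


def compare_checks(versions):
    """Return {version: (glsa_verdict, advisory_verdict)} so disagreements stand out."""
    return {v: (glsa_says_vulnerable(v), advisory_says_vulnerable(v)) for v in versions}


if __name__ == "__main__":
    # 1.0.0j is huuan's pre-bug release; 1.0.2_beta1 is what Whome001's keywording pulled in.
    for ver, (glsa, adv) in compare_checks(["1.0.0j", "1.0.1f", "1.0.1g", "1.0.2_beta1"]).items():
        flag = "" if glsa == adv else "   <-- checks disagree"
        print("%-12s glsa=%-5s advisory=%-5s%s" % (ver, glsa, adv, flag))
```

Both cases in the thread show up as disagreements: 1.0.0j is flagged only by the GLSA rule, and 1.0.2_beta1 only by the advisory rule.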
Whome001 n00b
Joined: 12 Apr 2014 Posts: 10
Posted: Sat Apr 12, 2014 3:15 pm
khayyam wrote:
    Code:
        # emerge --ask --oneshot --verbose =dev-libs/openssl-1.0.1g
    ... but you should really check your keywording.
    best ... khay
Thx, this did the trick, I'm safe now. Restarted sshd, mysql, apache2 and filippo.io says All good. I did not study the masks or keywords to see why I had to use this command instead. Will do so later and double check after each emerge that openssl is not silently backtracked.
Code:
    # openssl version -a
    OpenSSL 1.0.1g 7 Apr 2014
    built on: Sat Apr 12 18:08:16 EEST 2014
Whome001 n00b
Joined: 12 Apr 2014 Posts: 10
Posted: Fri Jun 06, 2014 1:22 pm
Late late answer, but I found the reason my Portage system kept installing the heartbleed-affected OpenSSL library. Some of the previous emerge runs had inserted this line into the /etc/portage/package.accept_keywords file. I took it out; I don't see any use for it anymore.
Quote:
    # required by net-misc/wget-1.14[-gnutls,-static,ssl]
    # required by @system
    # required by @world (argument)
    =dev-libs/openssl-1.0.2_beta1 **