Gentoo Forums
GLSA 2014-07 differs from the openssl bug report
huuan (Apprentice; Joined: 19 Feb 2007; Posts: 265; Location: California)
Posted: Thu Apr 10, 2014 9:00 pm    Post subject: GLSA 2014-07 differs from the openssl bug report

GLSA 20140-07 https://www.openssl.org/news/secadv_20140407.txt says:
Quote:
Vulnerable: < 1.0.1g

but
https://www.openssl.org/news/secadv_20140407.txt says:
Quote:
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.


Due to other issues I have been stuck at dev-libs/openssl-1.0.0j, but GLSA-check is telling me that my server is vulnerable, whereas the python test script + the openssl bug
https://gist.github.com/sh1n0b1/10100394 says not.

Maybe the GLSA folks have it right?
khayyam (Advocate; Joined: 07 Jun 2012; Posts: 2984)
Posted: Thu Apr 10, 2014 11:59 pm    Post subject: Re: GLSA 2014-07 differs from the openssl bug report

huuan wrote:
GLSA 20140-07 says:
Quote:
Vulnerable: < 1.0.1g

but secadv_20140407.txt says:
Quote:
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

huuan ... it's late for me, but these seem to be consistent; they refer to "releases" and so match a release (1.0.1[:alpha:] and 1.0.2-beta1 series).

huuan wrote:
due other issues I have been stuck at dev-libs/openssl-1.0.0j but GLSA-check is telling me that my server is vulnerable whereas the python test script + the opensssl bug says not.

This only affects TLS heartbeat, so perhaps the 'test script' passes as you have this useflag disabled? I believe glsa-check only correlates the package version, not the useflags enabled. Anyhow, it should only affect TLS, so if that isn't in use (i.e., you're only using openssh) then you shouldn't be affected (updating is no doubt a good idea nonetheless).

best ... khay
Hu (Watchman; Joined: 06 Mar 2007; Posts: 9469)
Posted: Fri Apr 11, 2014 1:29 am

I think huuan's point is that his version of OpenSSL is so old that it predates the introduction of the bug, but the GLSA is saying he is affected because his version is older than the first version with a non-vulnerable TLS heartbeat. It may be that the GLSA atom matching language is not complex enough to express the concept that only versions >A and also <B are affected.
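The mismatch Hu describes, as an added example that is not code from the thread or from glsa-check: a simplified (assumed) model of Portage version ordering, with the single bound quoted from the GLSA beside the range from the OpenSSL advisory, shows that 1.0.0j falls on different sides of the two rules.

```python
import re

# Suffix ranking (assumed simplification of Portage ordering):
# _alpha < _beta < _rc < (no suffix) < _p
_SUFFIX_ORDER = {"alpha": 0, "beta": 1, "rc": 2, "": 3, "p": 4}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)(?:_(alpha|beta|rc|p)(\d*))?")


def parse_version(ver):
    """Turn '1.0.0j', '1.0.1g' or '1.0.2_beta1' into a comparable tuple.
    '1.0.2-beta1' (the advisory's spelling) is accepted as well."""
    m = _VERSION_RE.fullmatch(ver.replace("-", "_"))
    if not m:
        raise ValueError("unrecognised version: %r" % ver)
    numbers = tuple(int(x) for x in m.group(1).split("."))
    letter = m.group(2)              # '' sorts before 'a'..'z', so 1.0.1 < 1.0.1f
    suffix = m.group(3) or ""
    suffix_num = int(m.group(4) or 0)
    return (numbers, letter, _SUFFIX_ORDER[suffix], suffix_num)


def glsa_says_vulnerable(ver):
    """The single upper bound quoted from the GLSA: everything below 1.0.1g."""
    return parse_version(ver) < parse_version("1.0.1g")


def advisory_says_vulnerable(ver):
    """secadv_20140407: the 1.0.1 series up to 1.0.1f, plus 1.0.2-beta1."""
    v = parse_version(ver)
    in_101_series = parse_version("1.0.1") <= v <= parse_version("1.0.1f")
    return in_101_series or v == parse_version("1.0.2_beta1")


def compare_rules(versions):
    """Map each version string to (glsa_flags_it, advisory_flags_it)."""
    return {v: (glsa_says_vulnerable(v), advisory_says_vulnerable(v))
            for v in versions}


if __name__ == "__main__":
    # Versions that appear in this thread.
    results = compare_rules(["1.0.0j", "1.0.1f", "1.0.1g", "1.0.2_beta1"])
    for ver, (glsa, adv) in results.items():
        print("%-12s glsa:%-5s advisory:%s" % (ver, glsa, adv))
```

A bound-only rule flags 1.0.0j (which predates the bug) and, on its own, does not catch 1.0.2_beta1, which is exactly the gap a ">A and <B" expression would close.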
khayyam (Advocate; Joined: 07 Jun 2012; Posts: 2984)
Posted: Fri Apr 11, 2014 2:09 am

hu ... you're right, 1.0.0j I read as 1.0.1[:alpha:] ... having looked at the available packages and seeing 1.0.0j masked I'd seen that as the package being updated, not a separate release, but of course the vulnerable packages have been removed, not masked.

I guess the best thing to do in such cases is to not worry about glsa-check's advice :)

best ... khay
huuan (Apprentice; Joined: 19 Feb 2007; Posts: 265; Location: California)
Posted: Fri Apr 11, 2014 3:05 am

It makes sense that the GLSA doesn't have a > and <.
Our server had to stay downgraded with openssl due to a load balancer that our server was required to interact with that couldn't renegotiate. Then once that was fixed I lacked the time to update. Turns out to have been a bonus in this instance.
Thanks for your help.
Whome001 (n00b; Joined: 12 Apr 2014; Posts: 7)
Posted: Sat Apr 12, 2014 10:26 am

(I hope you find this post relevant enough to this topic)

I keep getting a vulnerable warning from the filippo.io test site.

I have run the usual emerge --sync, emerge -DuNa world, emerge --depclean, revdep-rebuild and
emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1g"
and even emerge openssl recompilation. Rebooted the machine.

This is what openssl version says, and the filippo.io site gives a heartbleed warning. Should I trust something, or is something hidden blocking the emerge openssl fix from being applied? Any ideas how I can see if 1.0.1g was applied to the apache and ssh services? Do I need to recompile apache2 as well?

Code:
# openssl version -a
OpenSSL 1.0.2-beta1 24 Feb 2014
built on: Sat Apr 12 13:08:52 EEST 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: x86_64-pc-linux-gnu-gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -O2 -pipe -fno-strict-aliasing -Wa,--noexecstack
OPENSSLDIR: "/etc/ssl"

# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1g"
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild   R   *] dev-libs/openssl-1.0.2_beta1  USE="(sse2) tls-heartbeat zlib -bindist -gmp -kerberos -rfc3779 -static-libs {-test} -vanilla" 0 kB
Total: 1 package (1 reinstall), Size of downloads: 0 kB
Would you like to merge these packages? [Yes/No]
http://filippo.io/Heartbleed/
https://forums.gentoo.org/viewtopic-t-988398-highlight-openssl.html
https://forums.gentoo.org/viewtopic-t-988198-highlight-openssl.html
TomWij (Developer; Joined: 04 Jul 2012; Posts: 1553)
Posted: Sat Apr 12, 2014 11:43 am

Code:
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1g"
[ebuild   R   *] dev-libs/openssl-1.0.2_beta1  USE="(sse2) tls-heartbeat zlib -bindist -gmp -kerberos -rfc3779 -static-libs {-test} -vanilla" 0 kB


That is quite odd; but I think I see the issue, can you run `emerge -uDN dev-libs/openssl` instead?
The -u causes it to upgrade instead of reinstall, the D considers deep dependencies, the N makes sure you pick up USE flag changes.

An alternative way to make sure you are safe is to set USE="-tls-heartbeat" and do `emerge -N dev-libs/openssl`; that way the exploit is gone, if you don't need the heartbeats.

The * in the output is also of concern; perhaps, there are some mask and/or unmask entries in /etc/portage/ that force you to have this version?
khayyam (Advocate; Joined: 07 Jun 2012; Posts: 2984)
Posted: Sat Apr 12, 2014 12:42 pm

Whome001 wrote:
I keep getting vulnerable warning from filippo.io test site.

Whome001 ... yes, because =dev-libs/openssl-1.0.2-beta1 is also an affected package. That package is unkeyworded and so shouldn't be selected as a valid atom. Effectively it's masked by missing keyword, and so you must have some "**" keywording.

Whome001 wrote:
Code:
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1g"

Note that not all packages > a specific fixed package are necessarily also fixed. The above would have worked had you not had some keywording that allowed 1.0.2-beta1 to fulfil the ">". The following would provide the actual fixed package ...

Code:
# emerge --ask --oneshot --verbose =dev-libs/openssl-1.0.1g

... but you should really check your keywording.

best ... khay
Whome001 (n00b; Joined: 12 Apr 2014; Posts: 7)
Posted: Sat Apr 12, 2014 3:15 pm

khayyam wrote:

Code:
# emerge --ask --oneshot --verbose =dev-libs/openssl-1.0.1g

... but you should really check your keywording.
best ... khay

Thx, this did the trick, I'm safe now. Restarted sshd, mysql, apache2 and filippo.io says All good. I did not study masks or keywords as to why I had to use this command instead. Will do so later and double check after each emerge that openssl is not silently backtracked.

Code:

# openssl version -a
OpenSSL 1.0.1g 7 Apr 2014
built on: Sat Apr 12 18:08:16 EEST 2014
Whome001 (n00b; Joined: 12 Apr 2014; Posts: 7)
Posted: Fri Jun 06, 2014 1:22 pm

Late, late answer, but I found the reason my Portage system kept installing the heartbleed-affected OpenSSL library. Some of the previous emerge runs had inserted this line into the /etc/portage/package.accept_keywords file. I took it out; I don't see any use for it anymore.

Quote:

# required by net-misc/wget-1.14[-gnutls,-static,ssl]
# required by @system
# required by @world (argument)
=dev-libs/openssl-1.0.2_beta1 **