ssl panic about Heartbleed

Carsten
Posts: 12
Joined: Wed 16 Apr 2014, 11:57

ssl panic about Heartbleed

#1 Post by Carsten »

Hello all,
I wouldn't come here if it wouldn't seem to be that the German part of this forum is sleeping. ;-) I hope someone is able to understand me nonetheless. I'm new with puppy-precise_5.7.1 and just discovered that /etc/ssl folder and asked myself how I can know what to do about that ssl problem that is actually reported. Is it necessary now to change anything? There are also some files in /lib/modules/all-firmware/. What about them?

Carsten
Last edited by Carsten on Sun 27 Apr 2014, 00:42, edited 1 time in total.
rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#2 Post by rufwoof »

In terminal type

openssl version

to see what version you are running

OpenSSL 1.0.1 - 1.0.1f are at risk

It looks like yours might be at risk. See this thread.

http://murga-linux.com/puppy/viewtopic. ... 780#770780
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#3 Post by Flash »

Is this about the Heartbleed thing?
Carsten
Posts: 12
Joined: Wed 16 Apr 2014, 11:57

#4 Post by Carsten »

Hi rufwoof and Flash,
yes, I thought of that heartbleed thing. My version is: OpenSSL 1.0.1 14 Mar 2012
cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#5 Post by cthisbear »

" I wouldn't come here if it wouldn't seem to be that the German
part of this forum is sleeping. "

:::::::::

VAKE UP.

There you are Carsten....Best I could do.

Chris.
Carsten
Posts: 12
Joined: Wed 16 Apr 2014, 11:57

#6 Post by Carsten »

cthisbear wrote:" I wouldn't come here if it wouldn't seem to be that the German
part of this forum is sleeping. "

:::::::::

VAKE UP.

There you are Carsten....Best I could do.

Chris.
Hi Chris, well, I don't understand what you want to communicate to me. Does it mean that the sentence you quote is as mysterious as yours?
---------------
No definitions found for "vake", perhaps you mean:
gcide: Ake Vae Bake Cake Fake Hake Lake make Nake
Rake Sake Take Wake Vade vale Vane Vare vase
wn: bake cake fake hake lake make rake sake take wake
vale vane vase
moby-thes: bake cake fake make rake sake take wake
vale vase
easton: Bake Cake
bouvier: MAKE NAKE TAKE
devil: take
gaz2k-counties: Lake Wake
gaz2k-places: Kake Lake Rake Vale
afr-deu: vak
cro-eng: jake svake vage vaze
eng-ara: ake bake cake fake jake lake make rake sake
take wake vade vale vane vase
eng-cro: bake cake fake hake lake make rake sake take
wake vale vane vase
eng-cze: bake cake fake hake jake lake make rake sake
take wake vale vane vase
eng-hin: bake cake fake hake lake make rake sake take
wake vale vane vase
eng-swa: make sake wake
eng-tur: bake cake fake hake jake lake make rake sake
take wake vale vane vase
hun-eng: vak
nld-deu: vak
nld-eng: vak
nld-fra: vak
swa-eng: ake
tur-eng: vade vale vaka vaki
------------
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#7 Post by mikeb »

The problem seems to affect servers it seems... the effect for us is that certain software may stop working because the server has changed its ssl arrangements... it has affected pidgin and curl so far for me.
The older 'safe' ssl is unfortunately not a cure though using nss from mozilla fixed pidgin in my case.

I guess there were a few geeks who climbed off their high horses after this was exposed and took quite a reality check.

Bear in mind it's another potential weakness that no one had exploited and are not likely to since it's known about now.

Mike
Carsten
Posts: 12
Joined: Wed 16 Apr 2014, 11:57

#8 Post by Carsten »

mikeb wrote:The problem seems to affect servers it seems... the effect for us is that certain software may stop working because the server has changed its ssl arrangements... it has affected pidgin and curl so far for me.
The older 'safe' ssl is unfortunately not a cure though using nss from mozilla fixed pidgin in my case.

I guess there were a few geeks who climbed off their high horses after this was exposed and took quite a reality check.

Bear in mind it's another potential weakness that no one had exploited and are not likely to since it's known about now.

Mike
Hello Mike, so you say, it's rather equal what version of OpenSSL we use as clients? But I've heard that it's possible to abuse heartbleed from and to both sides, server and client.
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#9 Post by mikeb »

No, I was just mentioning that due to servers altering their ssl arrangements because of this, it does affect us as clients in some cases. (dropbox, yahoo chat as examples)

As to direct vulnerability .. who knows... seems to be more of a server concern ... like many of these potential exploits no one is likely to pursue it since it's already known about

mike
Carsten
Posts: 12
Joined: Wed 16 Apr 2014, 11:57

#10 Post by Carsten »

mikeb wrote: ... it does affect us as clients in some cases. (dropbox, yahoo chat as examples)
mike
Does it affect us as clients in those cases (dropbox, yahoo chat...) in the same way, whether we use this or that version of openssl?
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#11 Post by mikeb »

If we do not use a version that agrees with the server then it does not work....or that's how it appears to be.

mike
cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#12 Post by cthisbear »

" Hi Chris, well, I don't understand what you want to communicate to me.
Does it mean that the sentence you quote is as mysterious as yours? "

It's a new thing called Humour.

I just invented it.

VAKE UP .... means Wake up.
You did say >> German part of this forum is sleeping.

So a little tasteless on my behalf....but..............

Chris.
Carsten
Posts: 12
Joined: Wed 16 Apr 2014, 11:57

#13 Post by Carsten »

mikeb wrote:If we do not use a version that agrees with the server then it does not work....or that's how it appears to be.

mike
Hi Mike, the main thing for me is that for some days my gmx account hasn't worked solidly. Perhaps I should just sit and have a cup of tea, but I wondered what my task is in dependency on that heartbleed at all.

Carsten
cthisbear wrote:...

It's a new thing called Humour.

I just invented it.

VAKE UP .... means Wake up.
You did say >> German part of this forum is sleeping.

So a little tasteless on my behalf....but..............

Chris.
Hi cthisbear, hm... I thought of humour... Why didn't you write "WAKE" instead of "VAKE"?

Carsten
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#14 Post by mikeb »

Ok my gmx account has been slow to connect recently...it may be unrelated.

If it was ssl incompatible it would not connect at all

mike
Carsten
Posts: 12
Joined: Wed 16 Apr 2014, 11:57

#15 Post by Carsten »

Ok, now the version that is installed on my client seems to be sometimes compatible with gmx. But do I get you right, it's not necessary to upgrade it, even when it's between the 1.0.1 and 1.0.1.f, those that are vulnerable, because communication between gmx and me doesn't save any crypted or uncrypted stuff that could be read out on my machine?
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#16 Post by mikeb »

I am not even sure what security is used with say thunderbird and gmx to be honest... never really taken much notice.... I suspect using mozilla nss/ssl but do not quote me.

mike
Carsten
Posts: 12
Joined: Wed 16 Apr 2014, 11:57

#17 Post by Carsten »

Yes, it depends on what kind of transportation our client software uses. Let‘s say it‘s using openssl, that‘s the point. Perhaps there is someone who knows more about that. However, thank you very much so far, Mike.
shinobar
Posts: 2672
Joined: Thu 28 May 2009, 09:26
Location: Japan

Against the Heartbleed: Fix PET for Precise Puppy

#18 Post by shinobar »

Downloads for Puppy Linux: http://shino.pos.to/linux/downloads.html
Carsten
Posts: 12
Joined: Wed 16 Apr 2014, 11:57

#19 Post by Carsten »

Thank you, shinobar. Now, that‘s the result:

# openssl version -b
built on: Mon Apr 7 20:31:55 UTC 2014

# openssl version
OpenSSL 1.0.1 14 Mar 2012

What does the -b mean, and why does # openssl version still show the old version?
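
Added example, not part of any post in this thread: the version check from post #2 combined with the two outputs in post #19, showing why the version string alone does not settle the question. The function names and the 2014-04-07 build-date cutoff are assumptions made for this sketch; a rebuilt package still has to be confirmed against the distribution's changelog.

```shell
#!/bin/sh
# Added example. At-risk range as stated in the thread: OpenSSL 1.0.1 - 1.0.1f.
# Assumption: a build dated on or after 2014-04-07 (the date in post #19) may be
# a distro rebuild carrying a backported fix under the old version string.
FIX_DATE=20140407

# Release token from `openssl version`, vendor suffix ("-fips") stripped.
release_of() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { sub(/-.*/, "", $2); print $2 }'
}

# "built on: Mon Apr 7 20:31:55 UTC 2014" -> 20140407 (empty if unparseable).
build_date_of() {
    printf '%s\n' "$1" | awk '/^built on:/ {
        m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $4)
        if (m == 0 || $NF !~ /^[0-9]+$/) exit
        printf "%04d%02d%02d\n", $NF, (m + 2) / 3, $5
    }'
}

# classify "<openssl version output>" "<openssl version -b output>"
classify() {
    rel=$(release_of "$1")
    built=$(build_date_of "$2")
    case "$rel" in
        "")               echo "unknown"; return ;;
        1.0.1|1.0.1[a-f]) ;;                       # inside the at-risk range
        *)                echo "outside-range"; return ;;
    esac
    if [ -n "$built" ] && [ "$built" -ge "$FIX_DATE" ]; then
        echo "in-range-rebuilt"     # confirm the fix in the package changelog
    else
        echo "in-range-old-build"   # treat as at risk
    fi
}

# Live use: classify "$(openssl version)" "$(openssl version -b)"
# Here: the two outputs posted in #19, embedded so the script runs offline.
classify "OpenSSL 1.0.1 14 Mar 2012" "built on: Mon Apr 7 20:31:55 UTC 2014"
```
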
mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#20 Post by mikeb »

Ok just had a look and thunderbird on here for the gmx account has no authentication mechanism enabled. Again it probably is not using gnutls if authentication is used since that's not a dependency of the program.

mike