On Tue Jul 29, 2003 at 10:54:20AM -0700, Tru64 User wrote:

> I checked my openssl, it was version 0.9.6x (vulnerable)
> MandrakeUpdate does not offer its upgrade via security updates.
What vulnerability are you thinking of, specifically? Is it this one:

http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:035

AFAIK, there is 0.9.6x version of OpenSSL. Also keep in mind that we do not usually upgrade OpenSSL, but rather patch it, so your version may not be vulnerable, although I am interested in knowing what vulnerability you are referring to.

> OK. So? Download openssl-0.9.7b (No rpm available)
> OK. Make one of my own (rpm -tb .....tar.gz), Fine.

That's not a mandrake spec that is included in the tar.gz. It is probably not properly "libified" and rather uses RH's style of packaging.

> Try installing (complains about conflicting stuff!)
> rpm -e openssl-0.9.6* ; libopenssl0-0.9.6i-1.4mdk is needed by a bunch of stuff.
> So, I used rpm -i --force openssl-0.9.7b-.....

This is already bad news. You've pretty much borked your system yourself by doing this. OpenSSL 0.9.6 and OpenSSL 0.9.7 are *not* compatible.

Ahh... I see you have 0.9.6i and not 0.9.6x... so you are running either 9.0 or 8.2. The version is also the latest update that is out. So either there is a new vulnerability for openssl that we are not aware of, or you hosed your system for nothing (ie. that version of openssl is patched).

Taking a quick trip to www.openssl.org... Ok, I see that 0.9.6j is out, but the openssl page says nothing about security fixes, just bugfixes. Unfortunately, the changelog on the site is kinda messed, so I'm downloading 0.9.6j to read the changelog.

Aaargh... I should have saved myself the effort. 0.9.6j was released April 10th to fix those things we patched in March, using patches the openssl team provided. In other words, you borked your system for absolutely nothing.

> OK, Good. But libopenssl0-0.9.6i-1.4mdk was not overwritten! So? manually adjusted link for
> libssl.so.0 to point to libssl.so.0.9.7 instead of libssl.so.0.9.6, and likewise for libcrypto.so.0
>
> OK. Good. Openssl upgraded.

Not good. Very very bad.
> #ssh otherhost;
> OpenSSL version mismatch. Built against 90607f, you have 90702f
>
> Arrrggghhhh..... I will have to build my own ssh then,

Of course. You changed OpenSSL. OpenSSH must be built against the version of openssl on your system... which is why we *patch* OpenSSL instead of using the latest and greatest.

> no rpm for 3.6p1 available. Try building my own:
> rpm -tb openssh-3.6p1.tar.gz
> error: x11-askpass.... missing.

Again, not a mandrake spec.

> Duh!! Downloaded that from some site:
> one more try: error: failed build dependencies:
> XFree86-imake is needed by openssh-3.6p1-2
>
> Can't locate XFree86-imake rpm!!

You wouldn't. That's a Red Hat thing based on a Red Hat spec.

> Gave up making openssh rpm, I will perform manual install:
> ./configure --with-tcp-wrapper
> Error; libwrap not found (I have tcp-wrapper rpm installed though!!)

Do you have tcp_wrappers-devel installed? That's probably what you need.

> Google for libwrap library, found an rpm for it:
> rpm -ivh libwrap-7.6.30.i386.rpm ; Error: error: failed dependencies:
> tcp_wrappers < 7.6-28 conflicts with libwrap-7.6-30
>
> So, now I have to uninstall tcp_wrappers to install libwrap
> (If you are still reading, do you even remember the original problem?????)

Good grief man, you're trying to install a Red Hat rpm here too! What would possibly possess you to do that?

> Why are things this complicated????

Because a) you made a silly assumption without verifying it, b) you're mixing and matching stuff from all over the place (ie. RH rpms), c) you're trying to use a version of openssl that nothing is built against (you'd have to rebuild a lot more than just openssh IIRC).
If you had bothered to find out just what you thought you were vulnerable to, or asked here or on the discuss@ list prior to jumping on your journey of system-self-destruction, you would have been told (probably rather quickly) that the version of openssl you had originally installed was perfectly fine and *not* vulnerable. Resources such as MandrakeSecure (the website, discussion mailing lists, etc.) exist so people don't have to do things like this or, if they feel they need to, can at least be informed prior to doing it.

I'm sorry to say that you made this complicated mess for absolutely no gain. =(

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
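Two things in the reply above are worth turning into checks a practitioner can run before touching a system. First, a distribution package can carry a security fix without an upstream version bump, so the version string alone says nothing about exposure; the package changelog does. Second, the "OpenSSL version mismatch. Built against 90607f, you have 90702f" message is OpenSSH comparing OpenSSL's packed version numbers, and decoding them shows exactly why 0.9.6g-built OpenSSH tolerates a patched 0.9.6i library but not 0.9.7b. The Python below is an added example, not code from the original post or from MandrakeSoft. It assumes OpenSSL's 0xMNNFFPPS version layout (documented by OpenSSL for 0.9.5a and later), reproduces the OpenSSH compatibility rule as I understand it (assumption: every field except the patch letter must match), and searches an rpm-style changelog that is constructed here, dates and packager included, for the advisory ID quoted in the reply.

```python
"""Added example: decode OpenSSL version numbers, reproduce OpenSSH's
compatibility check, and look for a backported fix in a package changelog."""
from typing import Optional

# OpenSSL (0.9.5a and later) packs its version as 0xMNNFFPPS:
#   M  = major, NN = minor, FF = fix, PP = patch level (0 = none, 1 = 'a', ...),
#   S  = status (0 = dev, 1..14 = beta N, 15 = release).
def decode_openssl_version(hexstr: str) -> str:
    n = int(hexstr, 16)
    major = (n >> 28) & 0xF
    minor = (n >> 20) & 0xFF
    fix = (n >> 12) & 0xFF
    patch = (n >> 4) & 0xFF
    status = n & 0xF
    letter = chr(ord("a") + patch - 1) if patch else ""
    if status == 0xF:
        suffix = ""
    elif status == 0:
        suffix = "-dev"
    else:
        suffix = f"-beta{status}"
    return f"{major}.{minor}.{fix}{letter}{suffix}"


def openssh_abi_compatible(built_against: str, runtime: str) -> bool:
    """Assumed reproduction of OpenSSH's start-up test: the number the binary
    was compiled against and the number the shared library reports must agree
    in every field except the patch-letter field (bits 4..11). 0.9.6g vs
    0.9.6i passes; 0.9.6g vs 0.9.7b fails on the fix field and ssh aborts."""
    diff = int(built_against, 16) ^ int(runtime, 16)
    return (diff & ~0xFF0) == 0


def package_fixes_advisory(changelog: str, advisory: str) -> Optional[str]:
    """Return the package release whose changelog entry mentions `advisory`,
    or None. This is the check to run instead of comparing version strings:
    `rpm -q --changelog openssl` gives the real input on a live system."""
    current_release = None
    for line in changelog.splitlines():
        if line.startswith("* "):
            # rpm changelog header: "* <date> <packager> <version-release>"
            current_release = line.split()[-1]
        elif current_release and advisory in line:
            return current_release
    return None


# Constructed changelog for the example (not a real Mandrake changelog).
CONSTRUCTED_CHANGELOG = """\
* Tue Mar 18 2003 Example Packager <packager@example.com> 0.9.6i-1.4mdk
- backport upstream fixes for MDKSA-2003:035 (version string unchanged)
* Fri Feb 21 2003 Example Packager <packager@example.com> 0.9.6i-1.3mdk
- rebuild
"""


if __name__ == "__main__":
    for h in ("90607f", "90609f", "90702f"):
        print(h, "->", decode_openssl_version(h))
    print("0.9.6g-built ssh with 0.9.6i lib:",
          openssh_abi_compatible("90607f", "90609f"))
    print("0.9.6g-built ssh with 0.9.7b lib:",
          openssh_abi_compatible("90607f", "90702f"))
    print("MDKSA-2003:035 fixed in:",
          package_fixes_advisory(CONSTRUCTED_CHANGELOG, "MDKSA-2003:035"))
```

On a real box the changelog input comes from `rpm -q --changelog openssl`, and the two hex numbers come straight from the ssh error message; the point of the decode is that a patched 0.9.6i (90609f) would have satisfied the check the user's OpenSSH binary was making, while the forced 0.9.7b (90702f) could never have.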
