Jori Mantysalo wrote:
> On Mon, 14 Apr 2014, William Stein wrote:
>
>> That said, even if we plan to update it, for now I think we should
>> delete the openssl spkg asap anyways, since it contains the
>> vulnerability. -- it is now gone.
>
> So what should one do to existing installations? After removing several
> *ssl* files and directories
>
>   ./sage -f pyopenssl
>
> seems to still be able to find and compile local openssl, not system-wide.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

(See https://www.openssl.org/news/secadv_20140407.txt )


Hence you could do

  env CFLAGS="... -DOPENSSL_NO_HEARTBEATS" ./sage -f openssl

and

  ./sage -f pyopenssl

or

  env SAGE_UPGRADING=yes make build

afterwards.

But looking at the 1.0.1a spkg (all later ones apparently vanished), the first step might not work out of the box, i.e., you'd have to slightly modify its spkg-install file (bash script), changing

  make  # in 1.0.1c and later, this line is "$MAKE"

to

  $MAKE CFLAGS="$CFLAGS"

or, while we're at it, directly and once and for all

  $MAKE CFLAGS="$CFLAGS -DOPENSSL_NO_HEARTBEATS"

since otherwise OpenSSL's Makefile will presumably override the settings from your environment. (I'm not sure what changed in the 1.0.1f.p0 spkg version; probably you wouldn't have to modify that.)


Or you could try -- no guarantees that this works at all (with the current pyOpenSSL spkg, say) -- using

  ./sage -f http://sagemath.org/packages/archive/openssl-1.0.0.p0.spkg

(and reinstalling pyopenssl etc. as above); versions prior to and including 1.0.0 didn't have the heartbeat TLS extension.


In any case, don't forget to restart any running services using that OpenSSL library.


-leif

P.S.: I'll probably provide a modified and / or updated OpenSSL spkg later; to use a system-wide OpenSSL library from your distro, say, after having built and used Sage's before, you'd have to delete some libraries in $SAGE_ROOT/local/lib/, and presumably have to afterwards rebuild/reinstall the Python spkg (not sure about that), and reinstall PyOpenSSL.

--
() The ASCII Ribbon Campaign
/\   Help Cure HTML E-Mail
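The checks and the spkg-install edit from the post above, collected into a small POSIX sh script. This is an added example, not code from the thread or from the Sage project; it assumes (an assumption, not stated in the thread) that the bundled OpenSSL binary lives at $SAGE_ROOT/local/bin/openssl and its shared library at $SAGE_ROOT/local/lib/libssl.so*, and that GNU nm can read that library. The version classifier goes slightly beyond the post by also covering the 1.0.2 beta line named in the OpenSSL advisory.

```shell
#!/bin/sh
# Added example (not from the thread or the Sage project): helpers for
# auditing a Sage tree's bundled OpenSSL after Heartbleed (CVE-2014-0160)
# and for applying the spkg-install change the post describes.
# Assumed layout (an assumption, not taken from the thread):
#   $SAGE_ROOT/local/bin/openssl     the bundled openssl binary
#   $SAGE_ROOT/local/lib/libssl.so*  the bundled shared library

# Classify the output of "openssl version". 1.0.1 through 1.0.1f and
# 1.0.2-beta1 carry the bug; 1.0.1g and 1.0.2-beta2 fix it; 1.0.0 and
# 0.9.8 never had the heartbeat extension at all. Prints one word:
# vulnerable, fixed, unaffected or unknown.
classify_openssl_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.a-z-]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;
        1.0.1[g-z])       echo fixed ;;
        1.0.2-beta1)      echo vulnerable ;;
        1.0.2*)           echo fixed ;;
        1.0.0*|0.9.*)     echo unaffected ;;
        *)                echo unknown ;;
    esac
}

# Return 0 if the library still exports the heartbeat handlers
# (tls1_process_heartbeat / dtls1_process_heartbeat), which a build with
# -DOPENSSL_NO_HEARTBEATS leaves out; 1 if they are absent; 2 if the
# library could not be inspected (missing file, or nm cannot read it).
heartbeat_symbols_present() {
    lib=$1
    [ -r "$lib" ] || return 2
    syms=$(nm -D "$lib" 2>/dev/null) || return 2
    printf '%s\n' "$syms" | grep -q 'process_heartbeat' && return 0
    return 1
}

# Rewrite the bare "make" line (1.0.1a spkg) or the "$MAKE" line
# (1.0.1c and later) of an spkg-install so the flag reaches OpenSSL's own
# Makefile, which otherwise ignores CFLAGS from the environment.
# Indentation is preserved and a .orig copy of the file is kept.
patch_spkg_install() {
    file=$1
    sed -i.orig \
        -e 's/^\([[:space:]]*\)\$MAKE[[:space:]]*$/\1$MAKE CFLAGS="$CFLAGS -DOPENSSL_NO_HEARTBEATS"/' \
        -e 's/^\([[:space:]]*\)make[[:space:]]*$/\1$MAKE CFLAGS="$CFLAGS -DOPENSSL_NO_HEARTBEATS"/' \
        "$file"
}

# Put it together for one Sage tree: report the bundled version's status
# and whether each bundled libssl still carries the heartbeat handlers.
audit_sage_openssl() {
    root=${1:-${SAGE_ROOT:?set SAGE_ROOT or pass the Sage root as argument}}
    ossl="$root/local/bin/openssl"
    [ -x "$ossl" ] || { echo "no bundled openssl at $ossl"; return 2; }
    verstr=$("$ossl" version)
    echo "bundled: $verstr -> $(classify_openssl_version "$verstr")"
    for lib in "$root"/local/lib/libssl.so*; do
        [ -f "$lib" ] || continue
        heartbeat_symbols_present "$lib"
        case $? in
            0) echo "$lib: heartbeat handlers present (still exposed)" ;;
            1) echo "$lib: no heartbeat handlers (built with -DOPENSSL_NO_HEARTBEATS, or pre-1.0.1)" ;;
            *) echo "$lib: could not inspect" ;;
        esac
    done
}

# Usage: sh sage-heartbleed-check.sh audit [/path/to/sage-root]
case "${1:-}" in
    audit) audit_sage_openssl "$2" ;;
esac
```

Run it as `sh sage-heartbleed-check.sh audit $SAGE_ROOT` before and after the rebuild: the symbol check is the one that tells you whether the -DOPENSSL_NO_HEARTBEATS flag actually reached the compiler, independent of what the version string says. A rebuilt libssl still does nothing for processes that already have the old one mapped, so the reinstall of pyopenssl and the service restarts from the post remain necessary.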
