Re: [SECURITY] [DSA-136-1] Multiple OpenSSL problems
On Tuesday, July 30, 2002, at 07:47 AM, Wichert Akkerman wrote:

> -BEGIN PGP SIGNED MESSAGE-
>
> -
> Debian Security Advisory DSA-136-1 [EMAIL PROTECTED]
> http://www.debian.org/security/ Wichert Akkerman
> July 30, 2002
> -
>
> Package: openssl
> Problem type : multiple remote exploits
> Debian-specific: no
> CVE: CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659
>
> [..snip..]
>
> These vulnerabilities are also present in Debian 2.2 (potato), but no fix is available at this moment.
>
> We recommend you upgrade your OpenSSL as soon as possible. Note that you should restart any daemons running SSL. (E.g., ssh or ssl-enabled apache.)

Is there an ETA yet on potato packages, or should I continue to try and backport the woody packages to my potato machines myself?

--
Paul Baker
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
GPG Key: http://homepage.mac.com/pauljbaker/public.asc
Re: [SECURITY] [DSA-136-1] Multiple OpenSSL problems
On Thu, Aug 01, 2002 at 12:19:52PM -0500, Paul Baker wrote:

> Is there an ETA yet on potato packages, or should I continue to try and backport the woody packages to my potato machines myself?

Just as an encouragement, the upgrade process from potato to woody is pretty painless. I've already done all my public facing machines without any real service downtime, need to reboot, etc.

You'll only encounter issues if you have local compiles of packages, but you should know where those are.

Taken in stages,

    apt-get install libc6    # do the core libc
    apt-get -u upgrade       # do the easy to determine stuff
    apt-get -u dist-upgrade  # do the rest, you can do these each by
                             # hand too...

Is manageable, and won't result (at least in my cases) in any hard down time. Yes daemons to stop and restart during the process, so it's best to do these during off-peak times.

I've done about 6 machines so far, from firewalls, web, smtp, etc, and haven't had a single issue yet.

--
Ted Deppner
http://www.psyber.com/~ted/
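The advisory quoted in this thread says to restart any daemons running SSL after upgrading OpenSSL. As an added example (not part of the original posts), the shell functions below list processes that still map a libssl or libcrypto file that has since been replaced on disk; the function names are hypothetical, and a Linux /proc with per-process maps and cmdline files is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# After the package upgrade, a running daemon keeps the old library mapped
# until it is restarted; the kernel marks such mappings "(deleted)" in
# /proc/<pid>/maps. Run list_stale_ssl_procs as root to see every process.

# stale_ssl_maps FILE: succeed if the maps-format FILE shows a mapped
# libssl/libcrypto shared object whose file on disk has been removed.
stale_ssl_maps() {
    grep -Eq '/lib(ssl|crypto)[^/]*\.so[^/ ]* \(deleted\)$' "$1" 2>/dev/null
}

# list_stale_ssl_procs [PROCDIR]: print "pid command" for each process under
# PROCDIR (default /proc) that still runs with the replaced library.
list_stale_ssl_procs() {
    procdir=${1:-/proc}
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if stale_ssl_maps "$maps"; then
            piddir=${maps%/maps}
            pid=${piddir##*/}
            name=
            if [ -r "$piddir/cmdline" ]; then
                # cmdline is NUL-separated; keep only argv[0]
                name=$(tr '\0' ' ' < "$piddir/cmdline" | cut -d' ' -f1)
            fi
            printf '%s %s\n' "$pid" "${name:-?}"
        fi
    done
}
```

Any process printed is still running the pre-upgrade library code and needs a restart before the fix takes effect for it.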
Re: [SECURITY] [DSA-136-1] Multiple OpenSSL problems
On Thursday, August 1, 2002, at 01:33 PM, Ted Deppner wrote:

> On Thu, Aug 01, 2002 at 12:19:52PM -0500, Paul Baker wrote:
> > Is there an ETA yet on potato packages, or should I continue to try and backport the woody packages to my potato machines myself?
>
> Just as an encouragement, the upgrade process from potato to woody is pretty painless. I've already done all my public facing machines without any real service downtime, need to reboot, etc.

Yeah it *should* be painless. Unfortunately, we are using our own compiled apache, mod*, mysql, and a few other things in /usr/local. As part of the upgrade to woody though I want to start using only Debian versions of software. So there is a bit of extra testing/configuring involved to make that work.

We also were using our own version of perl 5.6.1 in /usr/local. Want to start using Debian's 5.6.1. This also means that any locally installed CPAN modules will be in the wrong place to work with that perl, so there is further work involved in making sure that all the perl modules we are using get installed from woody, and if not, that we get them from sid, or make them ourselves.

Further than that I also want to make all of our own company's software into Debian packages as part of the rollout of Woody. This is the long and painful part. It's more or less an all or nothing task, so there is a LOT of testing involved in making sure this transition is smooth so we don't have any downtime.

And of course I understand that all of the above is not Debian's fault. But it is the reason I hope Debian supports Potato longer than they did slink because I have a ton of work ahead of me. :-)

--
Paul Baker
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
GPG Key: http://homepage.mac.com/pauljbaker/public.asc
Re: [SECURITY] [DSA-136-1] Multiple OpenSSL problems
On Thu, Aug 01, 2002 at 06:25:48PM -0500, Paul Baker wrote:

> Yeah it *should* be painless. Unfortunately, we are using our own compiled apache, mod*, mysql, and a few other things in /usr/local. As part of the upgrade to woody though I want to start using only Debian versions of software. So there is a bit of extra testing/configuring involved to make that work.
>
> We also were using our own version of perl 5.6.1 in /usr/local. Want to start using Debian's 5.6.1. This also means that any locally installed CPAN modules will be in the wrong place to work with that perl, so there is further work involved in making sure that all the perl modules we are using get installed from woody, and if not, that we get them from sid, or make them ourselves.

I've found all the CPAN modules I have needed exist in woody, but sometimes you need to be creative in figuring out the package name to look for, although 'apt-cache search' helps a lot. If you can't find a module you need, the dh-make-perl package automates the process for packaging a module.

Bob Nielsen
Re: [SECURITY] [DSA-136-1] Multiple OpenSSL problems
On Thu, Aug 01, 2002 at 05:07:14PM -0700, Bob Nielsen wrote:

> I've found all the CPAN modules I have needed exist in woody, but sometimes you need to be creative in figuring out the package name to look for, although 'apt-cache search' helps a lot. If you can't find a module you need, the dh-make-perl package automates the process for packaging a module.

It also seems that Debian and CPAN have learned to live much more harmoniously than in the past. I used to be a perl-porters regular so my first stop for Perl modules is CPAN to get the latest. This used to cause me no end of headaches... I had scripts that basically treated the debian package manager the way a lion tamer with a gun and chair treats a lion :-)
Re: [SECURITY] [DSA-136-1] Multiple OpenSSL problems
On Thursday, August 1, 2002, at 06:35 PM, [EMAIL PROTECTED] wrote:

> You might find the checkinstall package to be of some use here. It's worked quite nicely for most things I've tried it for.

That would be more of the quick short cut way of doing it which always seems to byte you in the ass later (perhaps when sarge is released). Also it expects you to be installing software that has 'make install' etc. Which our software doesn't necessarily have either. So as part of turning everything into debian packages, they will also get nice shiny Makefiles.

--
Paul Baker
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
GPG Key: http://homepage.mac.com/pauljbaker/public.asc
Re: [SECURITY] [DSA-136-1] Multiple OpenSSL problems
Hi,

From: Paul Baker [EMAIL PROTECTED]
Subject: Re: [SECURITY] [DSA-136-1] Multiple OpenSSL problems
Date: Thu, 1 Aug 2002 20:04:24 -0500

> On Thursday, August 1, 2002, at 06:35 PM, [EMAIL PROTECTED] wrote:
> > You might find the checkinstall package to be of some use here. It's worked quite nicely for most things I've tried it for.
>
> That would be more of the quick short cut way of doing it which always seems to byte you in the ass later (perhaps when sarge is released). Also it expects you to be installing software that has 'make install' etc. Which our software doesn't necessarily have either. So as part of turning everything into debian packages, they will also get nice shiny Makefiles.

Ah well. Good luck in any case.
Re: [SECURITY] [DSA-136-1] Multiple OpenSSL problems
> These vulnerabilities are also present in Debian 2.2 (potato), but no fix is available at this moment.

Is anybody willing to comment on a likely release of Potato packages to address this?

Thanks,

--
Andrew J. Stephen                Phone  +64 4 496 4484
Team Leader, Network Security    Mobile +64 25 582 304
New Zealand Post                 Fax    +64 4 496 4914

Certainly, Windows XP is no Calista Flockhart. XP has so much pomp and circumstance that it's front-end weighs more than that of the cast of Baywatch. -- JonnyGURU, http://www.systemlogic.net/agurusworld/19/

This email with any attachments is confidential and may be subject to legal privilege. If it is not intended for you please reply immediately, destroy it and do not copy, disclose or use it in any way.