Re: [blfs-support] Heartbleed
On Tuesday 08 April 2014 18:02:38 Rob Taylor wrote:
> Heartbleed vulnerability
> http://www.openssl.org/news/vulnerabilities.html
>
> OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
> OpenSSL 1.0.1g is NOT vulnerable
> OpenSSL 1.0.0 branch is NOT vulnerable
> OpenSSL 0.9.8 branch is NOT vulnerable
>
> Suggest immediate revision to BLFS 7.5 OpenSSL-1.0.1f
>
> Thanks,
> Robert Taylor

openssl is a package one generally installs early in the distribution-build process. To upgrade to say openssl-1.0.1g
--(a) does one need to yank out the old say openssl-1.0.1 and install the new 1.0.1g, and if so would there not be breakages?
OR
--(b) can one install openssl-1.0.1g over the old version of say openssl-1.0.1?

Advice from anyone on list will be much appreciated.

sincerely
luxInteg

--
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
Re: [blfs-support] Heartbleed
On Wed, Apr 9, 2014 at 4:41 AM, lux-integ lux-in...@btconnect.com wrote:
> openssl is a package one generally installs early in the distribution-build process. To upgrade to say openssl-1.0.1g
> --(a) does one need to yank out the old say openssl-1.0.1 and install the new 1.0.1g, and if so would there not be breakages?
> OR
> --(b) can one install openssl-1.0.1g over the old version of say openssl-1.0.1?
>
> Advice from anyone on list will be much appreciated.

If any application was compiled with static openssl library, you have to recompile app in addition to installing a new shared lib/static.

/alexey
Re: [blfs-support] Heartbleed
Alexey Orishko wrote:
> On Wed, Apr 9, 2014 at 4:41 AM, lux-integ lux-in...@btconnect.com wrote:
>> openssl is a package one generally installs early in the distribution-build process. To upgrade to say openssl-1.0.1g
>> --(a) does one need to yank out the old say openssl-1.0.1 and install the new 1.0.1g, and if so would there not be breakages?
>> OR
>> --(b) can one install openssl-1.0.1g over the old version of say openssl-1.0.1?
>>
>> Advice from anyone on list will be much appreciated.
>
> If any application was compiled with static openssl library, you have to recompile app in addition to installing a new shared lib/static.

I don't know of any packages in BLFS that use the static libraries by default or our instructions. Some users may, however, have done that for themselves.

  -- Bruce
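An added example, not part of the original thread: a heuristic search for binaries that carry their own copy of the OpenSSL version banner, classified against the version ranges quoted at the top of the thread. The function names and the sample files are constructed for illustration; a hit is a candidate for the recompile Alexey describes, not proof of static linking.

```bash
#!/bin/sh
# Added example (not from the thread). OpenSSL embeds a version banner such
# as "OpenSSL 1.0.1f 6 Jan 2014" in its object code, so an application binary
# that contains the banner may have a static copy linked in. A program that
# merely records its build-time OpenSSL version will also match: treat hits
# as candidates to inspect.

# Classify a version against the ranges quoted at the top of the thread.
heartbleed_status() {
    case $1 in
        1.0.1|1.0.1[abcdef]) echo vulnerable ;;
        1.0.1g|1.0.0*|0.9.8*) echo not-vulnerable ;;
        *) echo unlisted ;;             # the thread says nothing about it
    esac
}

# embedded_openssl FILE... -> one "file version status" line per banner found
embedded_openssl() {
    local f tag ver
    for f in "$@"; do
        [ -f "$f" ] || continue
        # -a: read the binary as text, -o: print only the matched banner
        LC_ALL=C grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$f" 2>/dev/null |
            sort -u |
            while read -r tag ver; do
                printf '%s %s %s\n' "$f" "$ver" "$(heartbleed_status "$ver")"
            done
    done
}

# Constructed sample "binaries" (made-up bytes, not real executables).
make_sample_bins() {
    local dir
    dir=$(mktemp -d) || return 1
    printf 'ELF\0\0TLSv1 part of OpenSSL 1.0.1f 6 Jan 2014\0pad' > "$dir/static-old"
    printf 'ELF\0\0TLSv1 part of OpenSSL 1.0.1g 7 Apr 2014\0pad' > "$dir/static-new"
    printf 'ELF\0\0no tls code here\0pad' > "$dir/plain"
    printf '%s\n' "$dir"
}

# Demo on the constructed files; on a real system pass e.g. /usr/bin/*
sample_dir=$(make_sample_bins) && embedded_openssl "$sample_dir"/*
rm -rf "$sample_dir"
```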
Re: [blfs-support] Heartbleed
On Wed, Apr 09, 2014 at 03:41:16AM +0100, lux-integ wrote:
> openssl is a package one generally installs early in the distribution-build process. To upgrade to say openssl-1.0.1g
> --(a) does one need to yank out the old say openssl-1.0.1 and install the new 1.0.1g, and if so would there not be breakages?
> OR
> --(b) can one install openssl-1.0.1g over the old version of say openssl-1.0.1?
>
> Advice from anyone on list will be much appreciated.

With the instructions used in recent versions of BLFS (in particular, shared libraries), just drop it over the top.

If you are _serving_ anything which links to openssl then you will need to bounce those services (i.e. stop them and restart them). For a desktop, I guess that closing the browser(s) and reopening those should be sufficient.

ĸen
--
the one time as tragedy, this time as farce
Re: [blfs-support] Heartbleed
On Tue, Apr 08, 2014 at 08:55:01PM +0100, Ken Moffat wrote:
> On Wed, Apr 09, 2014 at 03:41:16AM +0100, lux-integ wrote:
>> openssl is a package one generally installs early in the distribution-build process. To upgrade to say openssl-1.0.1g
>> --(a) does one need to yank out the old say openssl-1.0.1 and install the new 1.0.1g, and if so would there not be breakages?
>> OR
>> --(b) can one install openssl-1.0.1g over the old version of say openssl-1.0.1?
>>
>> Advice from anyone on list will be much appreciated.
>
> With the instructions used in recent versions of BLFS (in particular, shared libraries), just drop it over the top.
>
> If you are _serving_ anything which links to openssl then you will need to bounce those services (i.e. stop them and restart them). For a desktop, I guess that closing the browser(s) and reopening those should be sufficient.
>
> ĸen

Whoops, that is badly WRONG. At lwn.net [ thread https://lwn.net/Articles/593683/ - might be subscriber only ] someone suggests running this after the upgrade:

    grep -l 'libssl.*deleted' /proc/*/maps | tr -cd 0-9\\n | xargs -r ps u

(as root)

On my current desktop machine that shows the following:

    root      2206  0.0  0.0   37016   1260 ?  Ss  Apr06  0:00 /usr/sbin/cupsd -C /etc/cups/cupsd.
    root      2416  0.0  0.0   27736    512 ?  Ss  Apr06  0:00 /usr/lib/postfix/master -w
    postfix   2418  0.0  0.0   27968    668 ?  S   Apr06  0:00 qmgr -l -t unix -u
    ken       2828  0.0  5.8 1384924 232188 ?  Sl  Apr06  1:37 /usr/lib/libreoffice/program/soffic

So in my desktop case I need to bounce cups and postfix, and also to close my current LO documents.

ĸen
--
the one time as tragedy, this time as farce
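An added example, not part of the original thread: the /proc check quoted above written as a shell function that matches on the mapped library path and also covers libcrypto, which the same upgrade replaces (a generalisation beyond the quoted one-liner). The function names, the `proc_root` parameter and the sample maps lines are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the thread). Prints the PIDs of processes that
# still map an OpenSSL shared library whose file has been replaced on disk.

# stale_ssl_pids [proc_root] -- proc_root is a hypothetical parameter that
# defaults to /proc, so the function can also be run on a constructed tree.
stale_ssl_pids() {
    local proc_root maps pid
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue      # process gone, or not readable by us
        # The kernel appends " (deleted)" to the path of a mapping whose
        # file was unlinked, which is what installing a new library does.
        if grep -Eq '/lib(ssl|crypto)[^/]*\.so[^/]* \(deleted\)$' "$maps" 2>/dev/null
        then
            pid=${maps%/maps}
            printf '%s\n' "${pid##*/}"
        fi
    done | sort -n
}

# Build a constructed /proc-like tree (sample data, not real output).
make_sample_proc() {
    local root
    root=$(mktemp -d) || return 1
    mkdir "$root/101" "$root/202" "$root/303" "$root/404"
    # 101: started before the upgrade, still maps the old libssl
    echo '7f10a0000000-7f10a0060000 r-xp 00000000 08:01 1311 /usr/lib/libssl.so.1.0.0 (deleted)' > "$root/101/maps"
    # 202: restarted after the upgrade, maps the new file
    echo '7f20a0000000-7f20a0060000 r-xp 00000000 08:01 1377 /usr/lib/libssl.so.1.0.0' > "$root/202/maps"
    # 303: uses only libcrypto, still the old copy
    echo '7f30a0000000-7f30a01c0000 r-xp 00000000 08:01 1312 /usr/lib/libcrypto.so.1.0.0 (deleted)' > "$root/303/maps"
    # 404: a deleted file that is not an OpenSSL library
    echo '7f40a0000000-7f40a0001000 rw-s 00000000 00:11 9000 /tmp/cache.db (deleted)' > "$root/404/maps"
    printf '%s\n' "$root"
}

# Demo on the constructed tree. On a real system, as root:
#   stale_ssl_pids | xargs -r ps u
sample_root=$(make_sample_proc) && stale_ssl_pids "$sample_root"
rm -rf "$sample_root"
```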
Re: [blfs-support] Heartbleed
Would it be best to just restart your system after an upgrade? In the version of the book I have, it said something about an Xorg Server dependency being OpenSSL (that's why I install it right before Xorg).

Douglas Reno