heartbleed ssl bug and ports or packages question
Hello,

I'm not a developer but more of an openbsd hobbyist. I'm using current with current packages that are a few days old.

I patched my openbsd servers and revoked all my ssl keys, generated new ones and changed every possible password. Even though, as far as I understood, you can't be sure credentials have not been read out of memory and your system has not been compromised at some point in the past.

Anyway, I had a look at the following patch and was reading the comments:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/002_openssl.patch.sig
and came across this line:

    Also recompile any statically-linked binaries depending on it

F.ex. I use dovecot:

    # ldd `which dovecot`
    /usr/local/sbin/dovecot:
            Start         End           Type  Open Ref GrpRef Name
            04f81c50      04f81c913000  exe   1    0   0      /usr/local/sbin/dovecot
            04fa2152c000  04fa219f4000  rlib  0    1   0      /usr/local/lib/dovecot/libdovecot.so.2.0
            04fa1d89      04fa1dd7d000  rlib  0    1   0      /usr/lib/libc.so.74.0
            04fa275a7000  04fa27aa4000  rlib  0    1   0      /usr/local/lib/libiconv.so.6.0
            04fa2bb0      04fa2bb0      rtld  0    1   0      /usr/libexec/ld.so

The following library is not listed: /usr/lib/libssl.so.20.0

So I guess ssl was statically compiled in the dovecot package/port, as dovecot supports ssl and I currently use it.

Is it possible to track which ports or packages have statically compiled in ssl support?

Do I need to recompile/rebuild the port with the patched libssl library?
or better ... but slower:
Do I need to recompile every port to be sure the bug can't be exploited on my openbsd systems?

Thank you very much!
Kind regards,
Didier
Re: heartbleed ssl bug and ports or packages question
On Tue, Apr 08, 2014 at 07:26:06PM +0200, Didier Wiroth wrote:
> F.ex. I use dovecot:
>
>     # ldd `which dovecot`
>     [...]
>
> The following library is not listed: /usr/lib/libssl.so.20.0
>
> So I guess ssl was statically compiled in the dovecot package/port, as dovecot supports ssl and I currently use it.

Dovecot is composed of several programs. The program which uses SSL is the imap-login program:

    $ ldd /usr/local/libexec/dovecot/imap-login
    /usr/local/libexec/dovecot/imap-login:
            Start         End           Type  Open Ref GrpRef Name
            02f7ecf0      02f7ed307000  exe   1    0   0      /usr/local/libexec/dovecot/imap-login
            02f9f4a02000  02f9f4e1d000  rlib  0    1   0      /usr/local/lib/dovecot/libdovecot-login.so.2.0
            02f9ee22b000  02f9ee6fc000  rlib  0    2   0      /usr/local/lib/dovecot/libdovecot.so.2.0
            02f9f5789000  02f9f5c72000  rlib  0    1   0      /usr/lib/libc.so.73.1
            02f9f6bae000  02f9f700c000  rlib  0    1   0      /usr/lib/libssl.so.20.0
            02f9f8e8b000  02f9f9445000  rlib  0    1   0      /usr/lib/libcrypto.so.23.0
            02f9ed10      02f9ed5fe000  rlib  0    1   0      /usr/local/lib/libiconv.so.6.0
            02f9f250      02f9f250      rtld  0    1   0      /usr/libexec/ld.so

> Do I need to recompile/rebuild the port with the patched libssl library?

No. You only need to restart your dovecot server after the upgrade.
Re: heartbleed ssl bug and ports or packages question
Didier Wiroth <dwir...@gmail.com> writes:
> Hello,
>
> I'm not a developer but more of an openbsd hobbyist. I'm using current with current packages that are a few days old.
>
> I patched my openbsd servers and revoked all my ssl keys, generated new ones and changed every possible password. Even though, as far as I understood, you can't be sure credentials have not been read out of memory and your system has not been compromised at some point in the past.
>
> Anyway, I had a look at the following patch and was reading the comments:
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/002_openssl.patch.sig
> and came across this line:
>
>     Also recompile any statically-linked binaries depending on it
>
> F.ex. I use dovecot:
>
>     # ldd `which dovecot`
>     [...]
>
> The following library is not listed: /usr/lib/libssl.so.20.0
>
> So I guess ssl was statically compiled in the dovecot package/port, as dovecot supports ssl and I currently use it.

/usr/local/sbin/dovecot is not the listener facing the network.

    ldd /usr/local/libexec/dovecot/imap-login

> Is it possible to track which ports or packages have statically compiled in ssl support?

I can't think of a reliable way to do this. I doubt there are many such ports.

> Do I need to recompile/rebuild the port with the patched libssl library?
> or better ... but slower:
> Do I need to recompile every port to be sure the bug can't be exploited on my openbsd systems?

Your call. Note that dpb makes it easy.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: heartbleed ssl bug and ports or packages question
Ok, thank you very much!
Didier

On 8 April 2014 19:44, Stefan Sperling <s...@openbsd.org> wrote:
> On Tue, Apr 08, 2014 at 07:26:06PM +0200, Didier Wiroth wrote:
> > F.ex. I use dovecot:
> > [...]
> > So I guess ssl was statically compiled in the dovecot package/port, as dovecot supports ssl and I currently use it.
>
> Dovecot is composed of several programs. The program which uses SSL is the imap-login program:
>
>     $ ldd /usr/local/libexec/dovecot/imap-login
>     [...]
>
> > Do I need to recompile/rebuild the port with the patched libssl library?
>
> No. You only need to restart your dovecot server after the upgrade.

-- 
Didier Wiroth
Re: heartbleed ssl bug and ports or packages question
You should at least be able to know which of your packages have access to an SSL private key, and speak SSL.

You also need to recursively check each library dovecot links to... That libdovecot looks like a likely candidate for linking ssl.so.

That said, for dovecot, I THINK it uses dlopen at runtime to load ssl.so. You might try fstat on a running dovecot process that talks SSL.

-- 
Matthew Weigel

On Apr 8, 2014, at 12:26 PM, Didier Wiroth <dwir...@gmail.com> wrote:
> Hello,
>
> I'm not a developer but more of an openbsd hobbyist. I'm using current with current packages that are a few days old.
>
> [...]
>
> The following library is not listed: /usr/lib/libssl.so.20.0
>
> So I guess ssl was statically compiled in the dovecot package/port, as dovecot supports ssl and I currently use it.
>
> Is it possible to track which ports or packages have statically compiled in ssl support?
>
> Do I need to recompile/rebuild the port with the patched libssl library?
> or better ... but slower:
> Do I need to recompile every port to be sure the bug can't be exploited on my openbsd systems?
>
> Thank you very much!
> Kind regards,
> Didier
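A small check script, added here as an example and not taken from any of the posts above, that does what the thread walks through by hand: it parses OpenBSD ldd(1) output for libssl/libcrypto objects and runs that check over every file of an installed package (via pkg_info -L) to list what must be restarted after the shared library is patched. The sample listing is constructed, with made-up addresses; the fstat hint for dlopen'd libraries is the one Matthew gives above.

```sh
#!/bin/sh
# Added example, not code from the thread: find which files of an installed
# package load libssl/libcrypto according to OpenBSD ldd(1), i.e. what must be
# restarted (not rebuilt) after the shared library is patched. The parser works
# on ldd's text so it can be exercised offline on a constructed listing.
# Caveat from the thread: a program that dlopen()s libssl at runtime will not
# show it in ldd output; for those, inspect a running process (fstat -p <pid>).

# Constructed sample in OpenBSD ldd(1) layout; addresses are made up.
SAMPLE_LDD='/usr/local/libexec/dovecot/imap-login:
        Start            End              Type  Open Ref GrpRef Name
        000002f7ecf00000 000002f7ed307000 exe   1    0   0      /usr/local/libexec/dovecot/imap-login
        000002f9f4a02000 000002f9f4e1d000 rlib  0    1   0      /usr/local/lib/dovecot/libdovecot-login.so.2.0
        000002f9f6bae000 000002f9f700c000 rlib  0    1   0      /usr/lib/libssl.so.20.0
        000002f9f8e8b000 000002f9f9445000 rlib  0    1   0      /usr/lib/libcrypto.so.23.0
        000002f9f2500000 000002f9f2500000 rtld  0    1   0      /usr/libexec/ld.so'

# Print the Name column of every loaded object in an ldd listing read from
# stdin; the "path:" line and the column header are skipped.
ldd_objects() {
    awk '$3 == "exe" || $3 == "rlib" || $3 == "rtld" { print $NF }'
}

# Print the TLS libraries in the listing on stdin. Exit status is 0 when at
# least one libssl/libcrypto object is loaded, 1 otherwise (grep semantics).
ldd_loads_ssl() {
    ldd_objects | grep -E '/lib(ssl|crypto)\.so'
}

# On an OpenBSD host: list the files installed by a package (pkg_info -L)
# whose ldd listing loads libssl/libcrypto. Usage: check_package dovecot
# ldd errors on non-ELF files (docs, configs) are silenced.
check_package() {
    pkg_info -L "$1" | while IFS= read -r f; do
        [ -f "$f" ] || continue
        ldd "$f" 2>/dev/null | ldd_loads_ssl >/dev/null && echo "$f"
    done
}
```

Run check_package for each package from pkg_info and restart every daemon whose files are printed; anything that dlopen()s libssl will be missed and needs the fstat check on its running process.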