Re: StrawberryPerl and the OpenSSL heartbleed bug

2014-04-16 Thread Alexandr Ciornii
A specially created server (
http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed
, in Russian: http://www.xakep.ru/post/62350/default.asp ) can send
a similar request to the client. But such an attack has low probability.

2014-04-16 15:40 GMT+03:00  matthew.pers...@lazard.com:
 Does it matter if you are only using client-side SSL, if you are not running
 a server with Strawberry but just connecting to sites?

-- 
Alexandr Ciornii, http://chorny.net


Re: StrawberryPerl and the OpenSSL heartbleed bug

2014-04-16 Thread Matthew . Persico
Any reason why 5.18.2.2 excludes Math::Pari?

Math::Pari is used (a couple of levels down) by Net::SFTP. Net::SFTP is 
the reason I converted TO Strawberry about three weeks ago.

Please advise...

--
Matthew O. Persico

Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136



From: kmx k...@atlas.cz
To: win32-vanilla@perl.org
Date: 04/16/2014 01:31 AM
Subject: Re: StrawberryPerl and the OpenSSL heartbleed bug



Olivier,

You can try updated strawberry perl from:

http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.msi
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.msi
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit-portable.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit-portable.zip


--
kmx

On 15.4.2014 0:36, kmx wrote:
Hi,

you can get updated openssl binaries from:
- http://strawberryperl.com/package/kmx/64_libs/gcc47-2014Q1/
- http://strawberryperl.com/package/kmx/32_libs/gcc47-2014Q1/

I am considering releasing strawberry perl 5.18.2.2 (with new openssl) 
before the end of April.

--
kmx

On 12.4.2014 20:45, Olivier Mengué wrote:
Hi,

You have probably heard of the now famous heartbleed bug of the OpenSSL 
library.
http://heartbleed.com/

StrawberryPerl is bundled with a binary of the OpenSSL library so I'm 
wondering if StrawberryPerl is affected by the bug.

I had a look at the release notes of StrawberryPerl to look for the 
version number of OpenSSL, and all versions of StrawberryPerl since at 
least 5.16.0.1 have an OpenSSL in the range affected by the heartbleed 
bug.

It would be helpful to have an official statement from the StrawberryPerl 
team regarding this issue and to display it prominently on the 
StrawberryPerl.com page.

Olivier Mengué
https://metacpan.org/author/DOLMEN




Re: StrawberryPerl and the OpenSSL heartbleed bug

2014-04-16 Thread kmx
The reason is simple - it does not build anymore, as it is not able to find 
the required pari source tarball at ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/


Try: cpanm Math::Pari -v

...
Getting GP/PARI from ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/
Not in this directory, now chdir('OLD')...
Did not find any file matching 
/((?:.*\/)?pari\W*(?!2\.(?:[3-9]|\d\d+)\.)(\d+\.\d+\.\d+).*\.t(?:ar\.)?gz)$/ via 
FTP

...
Not in this directory, trying 
`ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/OLD/'...
Did not find any file matching 
/((?:.*\/)?pari\W*(?!2\.(?:[3-9]|\d\d+)\.)(\d+\.\d+\.\d+).*\.t(?:ar\.)?gz)$/ via 
FTP.

...

In January 2014 the installation worked, so that's why it is included in 
5.18.2.1 and not in 5.18.2.2.


Another trouble with Math::Pari (in fact it is a trouble with the underlying 
pari library) is that it has never built correctly with a 64bit compiler on 
MS Windows.


--
kmx

On 16.4.2014 22:07, matthew.pers...@lazard.com wrote:

Any reason why 5.18.2.2 excludes Math::Pari?

Math::Pari is used (a couple of levels down) by Net::SFTP. Net::SFTP is 
the reason I converted TO Strawberry about three weeks ago.


Please advise...

--
Matthew O. Persico

Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136


Re: StrawberryPerl and the OpenSSL heartbleed bug

2014-04-16 Thread Jan Dubois
On Wed, Apr 16, 2014 at 1:46 PM, kmx k...@atlas.cz wrote:
 The reason is simple - it does not build anymore as it is not able to find
 required pari source tarball at
 ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/

Here is a quick-and-dirty patch to work around this (but hard-wires
you to 2.1.7):

--- a/utils/Math/PariBuild.pm
+++ b/utils/Math/PariBuild.pm
@@ -301,7 +301,7 @@ EOP
 }

 $base_url = ftp://$host$dir;;
-my @extra_chdir = qw(OLD);
+my @extra_chdir = qw(OLD/2.1);
 print Getting GP/PARI from $base_url\n;

 eval {
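Review bot: replacing `qw(OLD)` with `qw(OLD/2.1)` swaps one search directory for another rather than adding a fallback, so if the mirror ever moves or renames `OLD/2.1` the build fails in exactly the way it does today with `OLD`; `qw(OLD/2.1 OLD)` would keep both paths and only costs one extra directory listing. The hunk also shows the tarball is fetched over plain FTP (`$base_url = ftp://$host$dir`) with no integrity check in sight, and since this change pins the version to 2.1.7 anyway, it would be worth pinning the expected digest of `pari-2.1.7.tgz` alongside it so a swapped archive on the mirror cannot end up compiled into Math::Pari.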

Cheers,
-Jan


Re: StrawberryPerl and the OpenSSL heartbleed bug

2014-04-16 Thread kmx
Excellent, I have put a patched version at 
http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz


Simply run:

cpanm http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz -v


--
kmx

On 16.4.2014 22:50, Jan Dubois wrote:

On Wed, Apr 16, 2014 at 1:46 PM, kmx k...@atlas.cz wrote:

The reason is simple - it does not build anymore as it is not able to find
required pari source tarball at
ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/

Here is a quick-and-dirty patch to work around this (but hard-wires
you to 2.1.7):

--- a/utils/Math/PariBuild.pm
+++ b/utils/Math/PariBuild.pm
@@ -301,7 +301,7 @@ EOP
  }

  $base_url = ftp://$host$dir;;
-my @extra_chdir = qw(OLD);
+my @extra_chdir = qw(OLD/2.1);
  print Getting GP/PARI from $base_url\n;

  eval {

Cheers,
-Jan





Re: StrawberryPerl and the OpenSSL heartbleed bug

2014-04-16 Thread Olivier Mengué
2014-04-16 15:04 GMT+02:00 Alexandr Ciornii alexcho...@gmail.com:

 A specially created server (
 http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed
 , in Russian: http://www.xakep.ru/post/62350/default.asp ) can send
 a similar request to the client. But such an attack has low probability.


It is not recommended to use such online services. Some really try to
capture as much as they can from your system.

Instead, use an open source offline solution that you run yourself for your
machine: pacemaker.
https://github.com/Lekensteyn/pacemaker

I verified that openssl bundled with StrawberryPerl 5.18.2.1 is vulnerable.
You can reproduce it like this (while pacemaker.py is running):
C:\strawberry\c\bin\openssl s_client -connect 127.0.0.1:4433
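Added example, not from the thread or the Strawberry Perl project: a Perl triage script that classifies the bundled OpenSSL's version banner against the Heartbleed-affected range (vanilla 1.0.1 through 1.0.1f; 1.0.1g and the 1.0.0/0.9.8 branches are not affected), which is the "range affected by the heartbleed bug" Olivier's original message refers to. It assumes the `C:\strawberry\c\bin\openssl` path used above and, optionally, an installed Net::SSLeay to report the library Perl itself links against.

```perl
#!/usr/bin/perl
# Added example (not from the thread): classify an OpenSSL version banner
# as Heartbleed-affected. Vanilla OpenSSL 1.0.1 through 1.0.1f is affected;
# 1.0.1g, 1.0.0x and 0.9.8x are not. Vendor builds with backported fixes can
# report an affected string while being patched, so this is a first triage
# step for unmodified builds such as the one Strawberry Perl bundles.
use strict;
use warnings;

# Returns 1 if the banner names an affected build, 0 if not,
# undef if the string does not look like an OpenSSL version banner.
sub heartbleed_affected {
    my ($banner) = @_;
    return undef unless $banner =~ /\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)/;
    my ($major, $minor, $fix, $letter) = ($1, $2, $3, $4);
    return 0 unless $major == 1 && $minor == 0 && $fix == 1;
    # 1.0.1 (no letter) and 1.0.1a..1.0.1f shipped the unchecked heartbeat length.
    return ($letter eq '' || $letter le 'f') ? 1 : 0;
}

# Ask the bundled openssl binary (path taken from the thread) and, if
# Net::SSLeay is installed, the library that this Perl actually links against.
sub report {
    my @sources = (
        ['openssl binary' => scalar `C:\\strawberry\\c\\bin\\openssl version 2>&1`],
    );
    if (eval { require Net::SSLeay; 1 }) {
        push @sources, ['Net::SSLeay' => Net::SSLeay::SSLeay_version(0)];
    }
    for my $src (@sources) {
        my ($name, $banner) = @$src;
        my $state = heartbleed_affected($banner // '');
        printf "%-15s %-35s %s\n", $name, ($banner // '?') =~ s/\s+$//r,
            !defined $state ? 'unrecognised' : $state ? 'AFFECTED' : 'not affected';
    }
}

report() unless caller;
```

Run it with the Strawberry Perl under test so that the Net::SSLeay line reflects that installation's libeay32/ssleay32 rather than some other OpenSSL on the PATH.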


Re: StrawberryPerl and the OpenSSL heartbleed bug

2014-04-16 Thread Matthew . Persico
Suggestion - maybe you can pull the file that is being fetched (I assume 
it's pari217.exe) and install it locally once and for all?  If the pari lib 
is found locally, will the build bother to attempt to go out and get it? I 
worry that someday, pari217.exe will disappear.
--
Matthew O. Persico

Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136



From:   kmx k...@atlas.cz
To: Win32 Perl mailing list win32-vanilla@perl.org
Date:   04/16/2014 05:21 PM
Subject:Re: StrawberryPerl and the OpenSSL heartbleed bug

Re: StrawberryPerl and the OpenSSL heartbleed bug

2014-04-16 Thread Jan Dubois
On Wed, Apr 16, 2014 at 2:35 PM,  matthew.pers...@lazard.com wrote:
 Suggestion - maybe you can pull the file that is being fetched (I assume it's
 pari217.exe) and install it locally once and for all?  If the pari lib is
 found locally, will the build bother to attempt to go out and get it?

It is pari-2.1.7.tgz, but yes, if it is copied into the unpacked
Math-Pari distribution, then it won't try to download it during
`perl Makefile.PL` time.

Cheers,
-Jan