Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-18 Thread Matthew . Persico
Worked better than expected.

My explicit build of my local copy of your patched math pari didn't even 
start because of a version compare coding error, but when I got to 
net::sftp, cpanp found the local copy and it worked like a charm:

[MSG] Module 'Net::SSH::Perl' requires 'Math::Pari' version '2.001804' to 
be installed 
[MSG] Trying to get 
'file:///E:/strawbuild/src/local/CPANVersionLock/Math-Pari-2.01080605_patched.tar.gz'
[MSG] Extracted 'Math::Pari' to 
'E:\strawbuild\build\strawberry-perl-5.18.2.2-32bit-portable_20140418\data\.cpanplus\5.18.2\build\Math-Pari-2.01080605_patched'
Running 
[E:\strawbuild\build\strawberry-perl-5.18.2.2-32bit-portable_20140418\perl\bin\perl.exe
 
-e use strict; BEGIN { my $old = select STDERR; $|++; select $old; $|++; 
$0 = shift(@ARGV); my $rv = do($0); die $@ if $@; } 
E:\strawbuild\build\strawberry-perl-5.18.2.2-32bit-portable_20140418\data\.cpanplus\5.18.2\build\Math-Pari-2.01080605_patched\Makefile.PL]...
Did not find GP/PARI build directory around.

Non-interactive session, autofetching...



Getting GP/PARI from ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/

Not in this directory, now chdir('OLD/2.1')...

Available golden versions: `2.1.0 2.1.4 2.1.6 2.1.3 2.1.2 2.1.5 2.1.1 
2.1.7'

Latest supported golden is `pari-2.1.7.tgz'

Picking golden version 2.1.7, file pari-2.1.7.tgz

Downloading 
`ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/pari-2.1.7.tgz'...

Downloaded...

Extracting...

gzip -dc pari-2.1.7.tgz | tar -xvf -

and on and on

thanks to kmx and jan for all your help
--
Matthew O. Persico

Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136



From:   Matthew Persico/ITS/Lazard@Lazard NYC
To: kmx 
Cc:     Win32 Perl mailing list 
Date:   04/17/2014 01:26 PM
Subject:Re: StrawberryPerl and the OpenSSL "heartbleed" bug



I have my own local directories that cpanp knows about. I'm going to try 
and put Math-Pari-2.01080605_patched.tar.gz in one of them and see if I 
cannot coax cpanp to build locally.  If not, I'll cpanm from your repo. 

Can I assume that when 5.18.2.3 or whatever the next version is, the patch 
will be in the main distribution? 

Thanks. 

-- 
Matthew O. Persico 

Lazard 
30 Rockefeller Plaza 
New York, NY 10112 
212 632 6136 



From:kmx  
To:        Win32 Perl mailing list  
Date:04/16/2014 05:21 PM 
Subject:Re: StrawberryPerl and the OpenSSL "heartbleed" bug 



Excellent, I have put patched version at 
http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz


Simply run:

cpanm http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz -v

--
kmx

On 16.4.2014 22:50, Jan Dubois wrote: 
On Wed, Apr 16, 2014 at 1:46 PM, kmx  wrote:

The reason is simple - it does not build anymore as it is not able to find
required pari source tarball at
ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/


Here is a quick-and-dirty patch to work around this (but hard-wires
you to 2.1.7):

--- a/utils/Math/PariBuild.pm
+++ b/utils/Math/PariBuild.pm
@@ -301,7 +301,7 @@ EOP
}

$base_url = "ftp://$host$dir";;
-my @extra_chdir = qw(OLD);
+my @extra_chdir = qw(OLD/2.1);
print "Getting GP/PARI from $base_url\n";

eval {
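Review bot: the context line `$base_url = "ftp://$host$dir";;` shows the tarball still comes over plain FTP, and nothing in the visible lines checks the file before it is used. Since the change already ties the build to 2.1.7, consider also pinning a known digest of pari-2.1.7.tgz and refusing to extract on a mismatch, or shipping the tarball inside the distribution so no fetch happens. The doubled `;;` on that line is harmless but could be tidied in the same change.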

Cheers,
-Jan





Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-17 Thread kmx


On 17.4.2014 19:26, matthew.pers...@lazard.com wrote:
I have my own local directories that cpanp knows about. I'm going to try 
and put Math-Pari-2.01080605_patched.tar.gz in one of them and see if I 
cannot coax cpanp to build locally.  If not, I'll cpanm from your repo.


Can I assume that when 5.18.2.3 or whatever the next version is, the 
patch will be in the main distribution?


Yes

--
kmx



Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-17 Thread Matthew . Persico
I have my own local directories that cpanp knows about. I'm going to try 
and put Math-Pari-2.01080605_patched.tar.gz in one of them and see if I 
cannot coax cpanp to build locally.  If not, I'll cpanm from your repo.

Can I assume that when 5.18.2.3 or whatever the next version is, the patch 
will be in the main distribution?

Thanks.

--
Matthew O. Persico

Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136



From:   kmx 
To: Win32 Perl mailing list 
Date:   04/16/2014 05:21 PM
Subject:        Re: StrawberryPerl and the OpenSSL "heartbleed" bug



Excellent, I have put patched version at 
http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz


Simply run:

cpanm http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz -v

--
kmx

On 16.4.2014 22:50, Jan Dubois wrote:
On Wed, Apr 16, 2014 at 1:46 PM, kmx  wrote:

The reason is simple - it does not build anymore as it is not able to find
required pari source tarball at
ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/


Here is a quick-and-dirty patch to work around this (but hard-wires
you to 2.1.7):

--- a/utils/Math/PariBuild.pm
+++ b/utils/Math/PariBuild.pm
@@ -301,7 +301,7 @@ EOP
 }

 $base_url = "ftp://$host$dir";;
-my @extra_chdir = qw(OLD);
+my @extra_chdir = qw(OLD/2.1);
 print "Getting GP/PARI from $base_url\n";

 eval {

Cheers,
-Jan





Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-16 Thread Matthew . Persico

Never mind. I'm getting lesdyxic in my old age.

Sent from my iPad

> On Apr 16, 2014, at 18:52, "Jan Dubois"  wrote:
>
> On Wed, Apr 16, 2014 at 3:37 PM,   wrote:
> >
> > Folks, I just ftped to the link below and found pari.2.7.0.tar.gz. Isn't that
> > what we're looking for or am I missing something?
>
> From http://cpansearch.perl.org/src/ILYAZ/Math-Pari-2.01080605/README:
>
> > (2.01080* still fully supports only 2.1.7, but mostly works with 2.3.* too.)
>
> There is a dev release with support for 2.3, but no indication that
> anyone has ever managed to build with 2.7.  Good luck! :)
>
> Cheers,
> -Jan



Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-16 Thread Jan Dubois
On Wed, Apr 16, 2014 at 3:37 PM,   wrote:
>
> Folks, I just ftped to the link below and found pari.2.7.0.tar.gz. Isn't that
> what we're looking for or am I missing something?

From http://cpansearch.perl.org/src/ILYAZ/Math-Pari-2.01080605/README:

> (2.01080* still fully supports only 2.1.7, but mostly works with 2.3.* too.)

There is a dev release with support for 2.3, but no indication that
anyone has ever managed to build with 2.7.  Good luck! :)

Cheers,
-Jan


Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-16 Thread Matthew . Persico

Folks, I just ftped to the link below and found pari.2.7.0.tar.gz. Isn't that
what we're looking for or am I missing something?

Sent from my iPad

> On Apr 16, 2014, at 4:50 PM, "Jan Dubois"  wrote:
>
> On Wed, Apr 16, 2014 at 1:46 PM, kmx  wrote:
> > The reason is simple - it does not build anymore as it is not able to find
> > required pari source tarball at
> > ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/
>
> Here is a quick-and-dirty patch to work around this (but hard-wires
> you to 2.1.7):
>
> --- a/utils/Math/PariBuild.pm
> +++ b/utils/Math/PariBuild.pm
> @@ -301,7 +301,7 @@ EOP
>  }
>
>  $base_url = "ftp://$host$dir";;
> -my @extra_chdir = qw(OLD);
> +my @extra_chdir = qw(OLD/2.1);
>  print "Getting GP/PARI from $base_url\n";
>
>  eval {
>
> Cheers,
> -Jan



Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-16 Thread Jan Dubois
On Wed, Apr 16, 2014 at 2:35 PM,   wrote:
> Suggestion - maybe you can pull the file that is being fetched (I assume it's
> pari217.exe) and install it locally once and for all?  If the pari lib is
> found locally, will the build bother to attempt to go out and get it?

It is pari-2.1.7.tgz, but yes, if it is copied into the unpacked
Math-Pari distribution, then it won't try to download it during `perl
Makefile.PL` time.

Cheers,
-Jan


Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-16 Thread Matthew . Persico
Suggestion - maybe you can pull the file that is being fetched (I assume 
it's pari217.exe) and install it locally once and for all?  If the pari lib 
is found locally, will the build bother to attempt to go out and get it? I 
worry that someday, pari217.exe will disappear.
--
Matthew O. Persico

Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136



From:   kmx 
To: Win32 Perl mailing list 
Date:   04/16/2014 05:21 PM
Subject:Re: StrawberryPerl and the OpenSSL "heartbleed" bug



Excellent, I have put patched version at 
http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz


Simply run:

cpanm http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz -v

--
kmx

On 16.4.2014 22:50, Jan Dubois wrote:
On Wed, Apr 16, 2014 at 1:46 PM, kmx  wrote:

The reason is simple - it does not build anymore as it is not able to find
required pari source tarball at
ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/


Here is a quick-and-dirty patch to work around this (but hard-wires
you to 2.1.7):

--- a/utils/Math/PariBuild.pm
+++ b/utils/Math/PariBuild.pm
@@ -301,7 +301,7 @@ EOP
 }

 $base_url = "ftp://$host$dir";;
-my @extra_chdir = qw(OLD);
+my @extra_chdir = qw(OLD/2.1);
 print "Getting GP/PARI from $base_url\n";

 eval {

Cheers,
-Jan





Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-16 Thread Olivier Mengué
2014-04-16 15:04 GMT+02:00 Alexandr Ciornii :

> A specially created server (
> http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed
> , in Russian: http://www.xakep.ru/post/62350/default.asp ) can send
> similar request to client. But such attack has low probability.
>

It is not recommended to use such online services. Some really try to
capture as much as they can from your system.

Instead, use an open source offline solution that you run yourself for your
machine: pacemaker.
https://github.com/Lekensteyn/pacemaker

I verified that openssl bundled with StrawberryPerl 5.18.2.1 is vulnerable.
You can reproduce it like this (while pacemaker.py is running):
C:\strawberry\c\bin\openssl s_client -connect 127.0.0.1:4433
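
An offline check to go with the live test described above, as an added example that is not part of the original message: it classifies the banner printed by `openssl version` against the Heartbleed range. The affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is taken from the OpenSSL advisory for CVE-2014-0160 rather than from this thread, the sample banners are constructed, and the function names are illustrative.

```python
import re
import subprocess

# Assumption (OpenSSL advisory for CVE-2014-0160, not stated in this thread):
# 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and 1.0.2-beta2 fix it.
BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def classify(banner):
    """Map an `openssl version` banner to 'affected', 'not-affected' or 'unknown'."""
    m = BANNER_RE.search(banner)
    if m is None:
        return "unknown"  # not an OpenSSL banner (other library, empty output)
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        # Patch letters sort alphabetically; no letter means 1.0.1 itself.
        # 1.0.1 pre-releases are conservatively treated as affected too.
        return "affected" if letter < "g" else "not-affected"
    if release == (1, 0, 2):
        return "affected" if beta == "beta1" else "not-affected"
    # 0.9.8 and 1.0.0 never had the heartbeat extension; later lines postdate the fix.
    return "not-affected"


def installed_banner(openssl_path):
    """Return the banner printed by the given openssl binary, or '' if it cannot run."""
    try:
        out = subprocess.run([openssl_path, "version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return out.stdout.strip()


# Constructed sample banners (not taken from the thread).
SAMPLES = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "LibreSSL 2.8.3",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{classify(banner):13} {banner}")
    # Path as used in the message above; adjust for your installation.
    live = installed_banner(r"C:\strawberry\c\bin\openssl")
    print(classify(live), live or "(openssl not found)")
```

A banner cannot show whether a build was compiled without heartbeat support or carries a backported fix, so "affected" here means "in the affected range"; the live test is what confirms it.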


Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-16 Thread kmx
Excellent, I have put patched version at 
http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz


Simply run:

cpanm http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz -v


--
kmx

On 16.4.2014 22:50, Jan Dubois wrote:

On Wed, Apr 16, 2014 at 1:46 PM, kmx  wrote:

The reason is simple - it does not build anymore as it is not able to find
required pari source tarball at
ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/

Here is a quick-and-dirty patch to work around this (but hard-wires
you to 2.1.7):

--- a/utils/Math/PariBuild.pm
+++ b/utils/Math/PariBuild.pm
@@ -301,7 +301,7 @@ EOP
  }

  $base_url = "ftp://$host$dir";;
-my @extra_chdir = qw(OLD);
+my @extra_chdir = qw(OLD/2.1);
  print "Getting GP/PARI from $base_url\n";

  eval {

Cheers,
-Jan





Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-16 Thread Jan Dubois
On Wed, Apr 16, 2014 at 1:46 PM, kmx  wrote:
> The reason is simple - it does not build anymore as it is not able to find
> required pari source tarball at
> ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/

Here is a quick-and-dirty patch to work around this (but hard-wires
you to 2.1.7):

--- a/utils/Math/PariBuild.pm
+++ b/utils/Math/PariBuild.pm
@@ -301,7 +301,7 @@ EOP
 }

 $base_url = "ftp://$host$dir";;
-my @extra_chdir = qw(OLD);
+my @extra_chdir = qw(OLD/2.1);
 print "Getting GP/PARI from $base_url\n";

 eval {
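Review bot: replacing `qw(OLD)` with `qw(OLD/2.1)` on the changed line removes the previous fallback directory instead of adding to it, so the lookup now depends on a single path on the FTP host. If the entries of `@extra_chdir` are tried in order, as the array suggests, `qw(OLD/2.1 OLD)` would keep the earlier behaviour as a second attempt. A short comment on why 2.1 is hard-wired would help whoever touches this next.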

Cheers,
-Jan


Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-16 Thread kmx
The reason is simple - it does not build anymore as it is not able to find 
required pari source tarball at ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/


Try: cpanm Math::Pari -v

...
Getting GP/PARI from ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/
Not in this directory, now chdir('OLD')...
Did not find any file matching 
/((?:.*\/)?pari\W*(?!2\.(?:[3-9]|\d\d+)\.)(\d+\.\d+\.\d+).*\.t(?:ar\.)?gz)$/ via 
FTP

...
Not in this directory, trying 
`ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/OLD/'...
Did not find any file matching 
/((?:.*\/)?pari\W*(?!2\.(?:[3-9]|\d\d+)\.)(\d+\.\d+\.\d+).*\.t(?:ar\.)?gz)$/ via 
FTP.

...

In January 2014 the installation worked so that's why it is included in 
5.18.2.1 and not in 5.18.2.2


Another trouble with Math::Pari (in fact it is a trouble with underlying 
pari library) is that it has never built correctly with 64bit compiler on 
MS Windows.


--
kmx

On 16.4.2014 22:07, matthew.pers...@lazard.com wrote:

Any reason why 5.18.2.2 excludes Math::Pari?

Math::Pari is used (a couple of levels down) by Net::SFTP. Net::SFTP is 
the reason I converted TO Strawberry about three weeks ago.


Please advise...

--
Matthew O. Persico

Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136



From: kmx 
To: win32-vanilla@perl.org
Date: 04/16/2014 01:31 AM
Subject: Re: StrawberryPerl and the OpenSSL "heartbleed" bug
---



Olivier,

You can try updated strawberry perl from:
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.msi
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.msi
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit-portable.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit-portable.zip

--
kmx

On 15.4.2014 0:36, kmx wrote:
Hi,

you can get updated openssl binaries from:
- http://strawberryperl.com/package/kmx/64_libs/gcc47-2014Q1/
- http://strawberryperl.com/package/kmx/32_libs/gcc47-2014Q1/

I am considering releasing strawberry perl 5.18.2.2 (with new openssl) 
before the end of April.


--
kmx

On 12.4.2014 20:45, Olivier Mengué wrote:
Hi,

You have probably heard of the now famous "heartbleed" bug of the OpenSSL 
library.

http://heartbleed.com/

StrawberryPerl is bundled with a binary of the OpenSSL library so I'm 
wondering if StrawberryPerl is affected by the bug.


I had a look at the release notes of StrawberryPerl to look for the 
version number of the OpenSSL and all versions of StrawberryPerl since at 
least 5.16.0.1 have an OpenSSL in the range affected by the heartbleed bug.


It would be helpful to have an official statement from the StrawberryPerl 
team regarding this issue and to display it prominently on the 
StrawberryPerl.com page.


Olivier Mengué
https://metacpan.org/author/DOLMEN






Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-16 Thread Matthew . Persico
Any reason why 5.18.2.2 excludes Math::Pari?

Math::Pari is used (a couple of levels down) by Net::SFTP. Net::SFTP is 
the reason I converted TO Strawberry about three weeks ago.

Please advise...

--
Matthew O. Persico

Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136



From:   kmx 
To: win32-vanilla@perl.org
Date:   04/16/2014 01:31 AM
Subject:Re: StrawberryPerl and the OpenSSL "heartbleed" bug



Olivier,

You can try updated strawberry perl from:

http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.msi 

http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.msi

http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.zip

http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.zip

http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit-portable.zip

http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit-portable.zip


--
kmx

On 15.4.2014 0:36, kmx wrote:
Hi,

you can get updated openssl binaries from:
- http://strawberryperl.com/package/kmx/64_libs/gcc47-2014Q1/
- http://strawberryperl.com/package/kmx/32_libs/gcc47-2014Q1/

I am considering releasing strawberry perl 5.18.2.2 (with new openssl) 
before the end of April.

--
kmx

On 12.4.2014 20:45, Olivier Mengué wrote:
Hi,

You have probably heard of the now famous "heartbleed" bug of the OpenSSL 
library.
http://heartbleed.com/

StrawberryPerl is bundled with a binary of the OpenSSL library so I'm 
wondering if StrawberryPerl is affected by the bug.

I had a look at the release notes of StrawberryPerl to look for the 
version number of the OpenSSL and all versions of StrawberryPerl since at 
least 5.16.0.1 have an OpenSSL in the range affected by the heartbleed 
bug.

It would be helpful to have an official statement from the StrawberryPerl 
team regarding this issue and to display it prominently on the 
StrawberryPerl.com page.

Olivier Mengué
https://metacpan.org/author/DOLMEN




Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-16 Thread Alexandr Ciornii
A specially created server (
http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed
, in Russian: http://www.xakep.ru/post/62350/default.asp ) can send
similar request to client. But such attack has low probability.

2014-04-16 15:40 GMT+03:00  :
> Does it matter if you are only using client-side SSL, if you are not running
> a server with Strawberry but just connecting to sites?

-- 
Alexandr Ciornii, http://chorny.net


Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-16 Thread Matthew . Persico
Does it matter if you are only using client-side SSL, if you are not running a 
server with Strawberry but just connecting to sites?

--
Matthew

> On Apr 16, 2014, at 1:31, "kmx"  wrote:
> 
> Olivier,
> 
> You can try updated strawberry perl from:
> 
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.msi
>  
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.msi
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.zip
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.zip
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit-portable.zip
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit-portable.zip
> 
> --
> kmx
> 
>> On 15.4.2014 0:36, kmx wrote:
>> Hi,
>> 
>> you can get updated openssl binaries from:
>> - http://strawberryperl.com/package/kmx/64_libs/gcc47-2014Q1/
>> - http://strawberryperl.com/package/kmx/32_libs/gcc47-2014Q1/
>> 
>> I am considering releasing strawberry perl 5.18.2.2 (with new openssl) 
>> before the end of April.
>> 
>> --
>> kmx
>> 
>>> On 12.4.2014 20:45, Olivier Mengué wrote:
>>> Hi,
>>> 
>>> You have probably heard of the now famous "heartbleed" bug of the OpenSSL 
>>> library.
>>> http://heartbleed.com/
>>> 
>>> StrawberryPerl is bundled with a binary of the OpenSSL library so I'm 
>>> wondering if StrawberryPerl is affected by the bug.
>>> 
>>> I had a look at the release notes of StrawberryPerl to look for the version 
>>> number of the OpenSSL and all versions of StrawberryPerl since at least 
>>> 5.16.0.1 have an OpenSSL in the range affected by the heartbleed bug.
>>> 
>>> It would be helpful to have an official statement from the StrawberryPerl 
>>> team regarding this issue and to display it prominently on the 
>>> StrawberryPerl.com page.
>>> 
>>> Olivier Mengué
>>> https://metacpan.org/author/DOLMEN
> 


Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-15 Thread kmx

Olivier,

You can try updated strawberry perl from:

http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.msi
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.msi
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit-portable.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit-portable.zip

--
kmx

On 15.4.2014 0:36, kmx wrote:

Hi,

you can get updated openssl binaries from:
- http://strawberryperl.com/package/kmx/64_libs/gcc47-2014Q1/
- http://strawberryperl.com/package/kmx/32_libs/gcc47-2014Q1/

I am considering releasing strawberry perl 5.18.2.2 (with new openssl) 
before the end of April.


--
kmx

On 12.4.2014 20:45, Olivier Mengué wrote:

Hi,

You have probably heard of the now famous "heartbleed" bug of the 
OpenSSL library.

http://heartbleed.com/

StrawberryPerl is bundled with a binary of the OpenSSL library so I'm 
wondering if StrawberryPerl is affected by the bug.


I had a look at the release notes of StrawberryPerl to look for the 
version number of the OpenSSL and all versions of StrawberryPerl since 
at least 5.16.0.1 have an OpenSSL in the range affected by the 
heartbleed bug.


It would be helpful to have an official statement from the 
StrawberryPerl team regarding this issue and to display it prominently 
on the StrawberryPerl.com page.


Olivier Mengué
https://metacpan.org/author/DOLMEN






Re: StrawberryPerl and the OpenSSL "heartbleed" bug

2014-04-14 Thread kmx

Hi,

you can get updated openssl binaries from:
- http://strawberryperl.com/package/kmx/64_libs/gcc47-2014Q1/
- http://strawberryperl.com/package/kmx/32_libs/gcc47-2014Q1/

I am considering releasing strawberry perl 5.18.2.2 (with new openssl) 
before the end of April.


--
kmx

On 12.4.2014 20:45, Olivier Mengué wrote:

Hi,

You have probably heard of the now famous "heartbleed" bug of the OpenSSL 
library.

http://heartbleed.com/

StrawberryPerl is bundled with a binary of the OpenSSL library so I'm 
wondering if StrawberryPerl is affected by the bug.


I had a look at the release notes of StrawberryPerl to look for the 
version number of the OpenSSL and all versions of StrawberryPerl since at 
least 5.16.0.1 have an OpenSSL in the range affected by the heartbleed bug.


It would be helpful to have an official statement from the StrawberryPerl 
team regarding this issue and to display it prominently on the 
StrawberryPerl.com page.


Olivier Mengué
https://metacpan.org/author/DOLMEN