Re: StrawberryPerl and the OpenSSL heartbleed bug
A specially created server ( http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed , in Russian: http://www.xakep.ru/post/62350/default.asp ) can send a similar request to a client. But such an attack has low probability.

2014-04-16 15:40 GMT+03:00 matthew.pers...@lazard.com:
> Does it matter if you are only using client-side SSL, if you are not running a server with Strawberry but just connecting to sites?

--
Alexandr Ciornii, http://chorny.net
Re: StrawberryPerl and the OpenSSL heartbleed bug
Any reason why 5.18.2.2 excludes Math::Pari? Math::Pari is used (a couple of levels down) by Net::SFTP. Net::SFTP is the reason I converted TO Strawberry about three weeks ago.

Please advise...

--
Matthew O. Persico
Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136

From: kmx k...@atlas.cz
To: win32-vanilla@perl.org
Date: 04/16/2014 01:31 AM
Subject: Re: StrawberryPerl and the OpenSSL heartbleed bug

> Olivier,
>
> You can try updated strawberry perl from:
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.msi
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.msi
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.zip
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.zip
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit-portable.zip
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit-portable.zip
>
> --
> kmx
>
> On 15.4.2014 0:36, kmx wrote:
> > [...]
Re: StrawberryPerl and the OpenSSL heartbleed bug
The reason is simple - it does not build anymore as it is not able to find the required pari source tarball at ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/

Try:

cpanm Math::Pari -v
...
Getting GP/PARI from ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/
Not in this directory, now chdir('OLD')...
Did not find any file matching /((?:.*\/)?pari\W*(?!2\.(?:[3-9]|\d\d+)\.)(\d+\.\d+\.\d+).*\.t(?:ar\.)?gz)$/ via FTP
...
Not in this directory, trying `ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/OLD/'...
Did not find any file matching /((?:.*\/)?pari\W*(?!2\.(?:[3-9]|\d\d+)\.)(\d+\.\d+\.\d+).*\.t(?:ar\.)?gz)$/ via FTP.
...

In January 2014 the installation worked, so that's why it is included in 5.18.2.1 and not in 5.18.2.2.

Another trouble with Math::Pari (in fact it is a trouble with the underlying pari library) is that it has never built correctly with a 64bit compiler on MS Windows.

--
kmx

On 16.4.2014 22:07, matthew.pers...@lazard.com wrote:
> Any reason why 5.18.2.2 excludes Math::Pari? Math::Pari is used (a couple of levels down) by Net::SFTP. Net::SFTP is the reason I converted TO Strawberry about three weeks ago.
>
> Please advise...
>
> [...]
Re: StrawberryPerl and the OpenSSL heartbleed bug
On Wed, Apr 16, 2014 at 1:46 PM, kmx k...@atlas.cz wrote:
> The reason is simple - it does not build anymore as it is not able to find the required pari source tarball at ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/

Here is a quick-and-dirty patch to work around this (but hard-wires you to 2.1.7):

--- a/utils/Math/PariBuild.pm +++ b/utils/Math/PariBuild.pm @@ -301,7 +301,7 @@ EOP } $base_url = ftp://$host$dir;; -my @extra_chdir = qw(OLD); +my @extra_chdir = qw(OLD/2.1); print Getting GP/PARI from $base_url\n; eval {

Cheers,
-Jan
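Review bot: the hunk replaces the fallback directory instead of adding one, so with `+my @extra_chdir = qw(OLD/2.1);` the build no longer looks in OLD/ at all; `qw(OLD OLD/2.1)` would keep the existing fallback and still reach the 2.1 series, and the version pattern the build already applies (shown in kmx's cpanm output above) keeps 2.3 and later out of the selection. Separately, nothing in or around this hunk checks what comes back from `ftp://$host$dir`: the build downloads a source tarball over plain FTP and compiles it with no digest or signature check, so whichever directory is searched, the tarball should be compared against a pinned checksum before it is built, or vendored into the distribution so the fetch disappears entirely.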
Re: StrawberryPerl and the OpenSSL heartbleed bug
Excellent, I have put a patched version at http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz

Simply run:

cpanm http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz -v

--
kmx

On 16.4.2014 22:50, Jan Dubois wrote:
> Here is a quick-and-dirty patch to work around this (but hard-wires you to 2.1.7):
> [...]
Re: StrawberryPerl and the OpenSSL heartbleed bug
2014-04-16 15:04 GMT+02:00 Alexandr Ciornii alexcho...@gmail.com:
> A specially created server ( http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed , in Russian: http://www.xakep.ru/post/62350/default.asp ) can send a similar request to a client. But such an attack has low probability.

It is not recommended to use such online services. Some really try to capture as much as they can from your system. Instead, use an open source offline solution that you run yourself for your machine: pacemaker.
https://github.com/Lekensteyn/pacemaker

I verified that the openssl bundled with StrawberryPerl 5.18.2.1 is vulnerable. You can reproduce it like this (while pacemaker.py is running):

C:\strawberry\c\bin\openssl s_client -connect 127.0.0.1:4433
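What pacemaker exercises against s_client above, and what the "reverse heartbleed" server in Alexandr's message does, is the same length bug from either side of the connection. The following is an added example written for this thread, not code from StrawberryPerl, OpenSSL or pacemaker: it builds an RFC 6520 heartbeat record whose payload_length field lies, then runs it through the unchecked parse that OpenSSL 1.0.1 through 1.0.1f performed and through the bounds check that 1.0.1g added. The record bytes and the "process memory" that gets leaked are constructed; the TLS version number in the record header is an arbitrary choice.

```python
"""
Added example, not code from StrawberryPerl, OpenSSL or pacemaker: the
heartbeat (RFC 6520) length handling behind Heartbleed (CVE-2014-0160),
in its unchecked form beside the bounds-checked form that OpenSSL 1.0.1g
introduced. The record bytes and the "process memory" are constructed.
"""
import struct

TLS_HEARTBEAT = 24            # TLS ContentType heartbeat(24)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: a HeartbeatMessage carries >= 16 padding bytes


def build_heartbeat_record(payload, claimed_length=None, padding=MIN_PADDING):
    """TLS record carrying a HeartbeatRequest.

    claimed_length lets the sender lie about payload_length, which is the
    whole attack: a malicious client does it to a server, and (the reverse
    case) a malicious server does it to a client such as s_client.
    """
    length = len(payload) if claimed_length is None else claimed_length
    body = struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * padding
    # 0x0302 (TLS 1.1) is an arbitrary version for the constructed record
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


def _split_record(record):
    """Return (record length, record body) after checking the content type."""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        raise ValueError("not a heartbeat record")
    return rec_len, record[5:5 + rec_len]


def vulnerable_heartbeat_response(record, process_memory):
    """Mirrors the pre-1.0.1g logic: trust payload_length from the peer and
    copy that many bytes starting at the payload. If that runs past the end
    of the record, whatever sits after it in memory goes back to the peer;
    process_memory stands in for that neighbouring heap data.
    """
    _rec_len, body = _split_record(record)
    _hb_type, payload_length = struct.unpack("!BH", body[:3])
    heap = body[3:] + process_memory      # record payload, then adjacent memory
    leaked = heap[:payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + leaked + b"\x00" * MIN_PADDING


def checked_heartbeat_response(record, process_memory):
    """The fix: the declared payload must fit inside the record together with
    the type byte, the length field and the minimum padding; anything else
    is silently discarded (None), so nothing beyond the record is copied.
    """
    rec_len, body = _split_record(record)
    if 1 + 2 + MIN_PADDING > rec_len:     # too short to hold a valid message
        return None
    _hb_type, payload_length = struct.unpack("!BH", body[:3])
    if 1 + 2 + payload_length + MIN_PADDING > rec_len:
        return None                        # lying length: discard
    payload = body[3:3 + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def bytes_leaked(response, record):
    """Bytes in a heartbeat response that did not come from the request
    record itself; empty for a correct implementation."""
    if response is None:
        return b""
    _rec_len, body = _split_record(record)
    echoed = response[3:-MIN_PADDING]      # drop response type/length and padding
    legit = body[3:]                       # request payload plus its padding
    if echoed.startswith(legit[:len(echoed)]):
        return echoed[len(legit):]
    return echoed
```

The `process_memory` argument is only a stand-in for whatever happens to follow the record buffer on the heap; on a real endpoint that is the part no one controls, which is why the only defence is the length check and not anything about what the memory contains.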
Re: StrawberryPerl and the OpenSSL heartbleed bug
Suggestion - maybe you can pull the file that is being fetched (I assume it's pari217.exe) and install it locally once and for all? If the pari lib is found locally, will the build bother to attempt to go out and get it? I worry that someday, pari217.exe will disappear.

--
Matthew O. Persico
Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136

From: kmx k...@atlas.cz
To: Win32 Perl mailing list win32-vanilla@perl.org
Date: 04/16/2014 05:21 PM
Subject: Re: StrawberryPerl and the OpenSSL heartbleed bug

> Excellent, I have put a patched version at http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz
>
> Simply run:
>
> cpanm http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz -v
>
> --
> kmx
>
> On 16.4.2014 22:50, Jan Dubois wrote:
> > [...]
Re: StrawberryPerl and the OpenSSL heartbleed bug
On Wed, Apr 16, 2014 at 2:35 PM, matthew.pers...@lazard.com wrote:
> Suggestion - maybe you can pull the file that is being fetched (I assume it's pari217.exe) and install it locally once and for all? If the pari lib is found locally, will the build bother to attempt to go out and get it?

It is pari-2.1.7.tgz, but yes, if it is copied into the unpacked Math-Pari distribution, then it won't try to download it during `perl Makefile.PL` time.

Cheers,
-Jan
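The build failure kmx quoted, Jan's OLD/2.1 workaround and the vendoring idea in the last two messages all come down to two questions: which file in a listing counts as the pari tarball, and whether a locally placed copy can be trusted. The following is an added example written for this thread, not Math::Pari's or Strawberry Perl's own code. It reuses the file pattern from kmx's cpanm output to show why a listing of OLD/ (subdirectory names only) matches nothing while OLD/2.1/ yields pari-2.1.7.tgz, and it adds the check that a vendored tarball should get before `perl Makefile.PL` builds it: a comparison against a pinned SHA-256, since the FTP fetch it replaces has no integrity check at all. Every listing, file and digest pin below is constructed; the real pari-2.1.7.tgz digest is not on this page and would have to be recorded from a copy you trust.

```python
"""
Added example (not Math::Pari's or Strawberry Perl's own code): how the
tarball selection described in the thread behaves, and how to build from a
vendored, digest-pinned pari-2.1.7.tgz instead of fetching over plain FTP.
All listings, file contents and digest pins below are constructed.
"""
import hashlib
import os
import re
import tempfile

# The pattern Math::Pari's build reports in the thread: a pari-X.Y.Z tarball
# (.tgz or .tar.gz), with the 2.3 and later series excluded by the lookahead.
PARI_TARBALL_RE = re.compile(
    r"((?:.*/)?pari\W*(?!2\.(?:[3-9]|\d\d+)\.)(\d+\.\d+\.\d+).*\.t(?:ar\.)?gz)$"
)


def pick_pari_tarball(listing):
    """Return the highest-versioned acceptable tarball in a listing, or None.

    A listing of OLD/ that only holds subdirectory names (2.1, 2.3, ...)
    gives None, which is the failure the thread shows; a listing of OLD/2.1/
    gives pari-2.1.7.tgz.
    """
    candidates = []
    for name in listing:
        m = PARI_TARBALL_RE.search(name)
        if m:
            version = tuple(int(part) for part in m.group(2).split("."))
            candidates.append((version, m.group(1)))
    return max(candidates)[1] if candidates else None


def verify_tarball_digest(data, expected_sha256):
    """True if the bytes match the pinned SHA-256 (hex, case-insensitive)."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.strip().lower()


def vendored_pari_tarball(dist_dir, expected_sha256):
    """Find a pari tarball already placed in the unpacked Math-Pari directory
    and return its path only if its digest matches the pin.

    Returns None if nothing is vendored or the digest differs; a caller
    should then stop rather than fall back to an unverified FTP download.
    """
    name = pick_pari_tarball(os.listdir(dist_dir))
    if name is None:
        return None
    path = os.path.join(dist_dir, name)
    with open(path, "rb") as fh:
        data = fh.read()
    return path if verify_tarball_digest(data, expected_sha256) else None


def demo_vendored_build_dir():
    """Constructed scenario: a Math-Pari checkout with a vendored tarball.

    The pin is derived from the same constructed bytes here purely for
    illustration; in practice it is recorded once from a copy you trust.
    Returns (chosen file name, accepted with the good pin, accepted with a
    wrong pin).
    """
    tarball_bytes = b"constructed stand-in for pari-2.1.7.tgz"
    pin = hashlib.sha256(tarball_bytes).hexdigest()
    with tempfile.TemporaryDirectory() as dist_dir:
        for other in ("Makefile.PL", "README", "pari-2.3.5.tar.gz"):
            with open(os.path.join(dist_dir, other), "wb") as fh:
                fh.write(b"unrelated constructed content")
        with open(os.path.join(dist_dir, "pari-2.1.7.tgz"), "wb") as fh:
            fh.write(tarball_bytes)
        good = vendored_pari_tarball(dist_dir, pin)
        bad = vendored_pari_tarball(dist_dir, "0" * 64)
        chosen = os.path.basename(good) if good else None
        return (chosen, good is not None, bad is not None)
```

Vendoring the tarball answers Matthew's worry about the file disappearing; the digest check answers the question the thread does not ask, namely what stops a swapped or corrupted copy from being compiled into every Strawberry build that follows.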
Re: StrawberryPerl and the OpenSSL heartbleed bug
Hi,

you can get updated openssl binaries from:
- http://strawberryperl.com/package/kmx/64_libs/gcc47-2014Q1/
- http://strawberryperl.com/package/kmx/32_libs/gcc47-2014Q1/

I am considering releasing strawberry perl 5.18.2.2 (with new openssl) before the end of April.

--
kmx

On 12.4.2014 20:45, Olivier Mengué wrote:
> Hi,
>
> You have probably heard of the now famous heartbleed bug of the OpenSSL library.
> http://heartbleed.com/
>
> StrawberryPerl is bundled with a binary of the OpenSSL library, so I'm wondering if StrawberryPerl is affected by the bug.
>
> I had a look at the release notes of StrawberryPerl to look for the version number of the OpenSSL, and all versions of StrawberryPerl since at least 5.16.0.1 have an OpenSSL in the range affected by the heartbleed bug.
>
> It would be helpful to have an official statement from the StrawberryPerl team regarding this issue and to display it prominently on the StrawberryPerl.com page.
>
> Olivier Mengué
> https://metacpan.org/author/DOLMEN