Re: StrawberryPerl and the OpenSSL "heartbleed" bug
Worked better than expected. My explicit build of my local copy of your patched math pari didn't even start because of a version compare coding error, but when I got to net::sftp, cpanp found the local copy and it worked like a charm:

[MSG] Module 'Net::SSH::Perl' requires 'Math::Pari' version '2.001804' to be installed
[MSG] Trying to get 'file:///E:/strawbuild/src/local/CPANVersionLock/Math-Pari-2.01080605_patched.tar.gz'
[MSG] Extracted 'Math::Pari' to 'E:\strawbuild\build\strawberry-perl-5.18.2.2-32bit-portable_20140418\data\.cpanplus\5.18.2\build\Math-Pari-2.01080605_patched'
Running [E:\strawbuild\build\strawberry-perl-5.18.2.2-32bit-portable_20140418\perl\bin\perl.exe -e use strict; BEGIN { my $old = select STDERR; $|++; select $old; $|++; $0 = shift(@ARGV); my $rv = do($0); die $@ if $@; } E:\strawbuild\build\strawberry-perl-5.18.2.2-32bit-portable_20140418\data\.cpanplus\5.18.2\build\Math-Pari-2.01080605_patched\Makefile.PL]...
Did not find GP/PARI build directory around.
Non-interactive session, autofetching...
Getting GP/PARI from ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/
Not in this directory, now chdir('OLD/2.1')...
Available golden versions: `2.1.0 2.1.4 2.1.6 2.1.3 2.1.2 2.1.5 2.1.1 2.1.7'
Latest supported golden is `pari-2.1.7.tgz'
Picking golden version 2.1.7, file pari-2.1.7.tgz
Downloading `ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/pari-2.1.7.tgz'...
Downloaded...
Extracting...
gzip -dc pari-2.1.7.tgz | tar -xvf -

and on and on

thanks to kmx and jan for all your help

--
Matthew O. Persico
Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136
From: Matthew Persico/ITS/Lazard@Lazard NYC
To: kmx
Cc: Win32 Perl mailing list
Date: 04/17/2014 01:26 PM
Subject: Re: StrawberryPerl and the OpenSSL "heartbleed" bug

I have my own local directories that cpanp knows about. I'm going to try and put Math-Pari-2.01080605_patched.tar.gz in one of them and see if I cannot coax cpanp to build locally. If not, I'll cpanm from your repo.

Can I assume that when 5.18.2.3 or whatever the next version is, the patch will be in the main distribution?

Thanks.

--
Matthew O. Persico
Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136

From: kmx
To: Win32 Perl mailing list
Date: 04/16/2014 05:21 PM
Subject: Re: StrawberryPerl and the OpenSSL "heartbleed" bug

Excellent, I have put patched version at http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz

Simply run:
cpanm http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz -v

--
kmx

On 16.4.2014 22:50, Jan Dubois wrote:

On Wed, Apr 16, 2014 at 1:46 PM, kmx wrote:

The reason is simple - it does not build anymore as it is not able to find required pari source tarball at ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/

Here is a quick-and-dirty patch to work around this (but hard-wires you to 2.1.7):

--- a/utils/Math/PariBuild.pm +++ b/utils/Math/PariBuild.pm @@ -301,7 +301,7 @@ EOP } $base_url = "ftp://$host$dir";; -my @extra_chdir = qw(OLD); +my @extra_chdir = qw(OLD/2.1); print "Getting GP/PARI from $base_url\n"; eval {

Cheers,
-Jan
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
On 17.4.2014 19:26, matthew.pers...@lazard.com wrote:

I have my own local directories that cpanp knows about. I'm going to try and put Math-Pari-2.01080605_patched.tar.gz in one of them and see if I cannot coax cpanp to build locally. If not, I'll cpanm from your repo.

Can I assume that when 5.18.2.3 or whatever the next version is, the patch will be in the main distribution?

Yes

--
kmx
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
I have my own local directories that cpanp knows about. I'm going to try and put Math-Pari-2.01080605_patched.tar.gz in one of them and see if I cannot coax cpanp to build locally. If not, I'll cpanm from your repo.

Can I assume that when 5.18.2.3 or whatever the next version is, the patch will be in the main distribution?

Thanks.

--
Matthew O. Persico
Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136

From: kmx
To: Win32 Perl mailing list
Date: 04/16/2014 05:21 PM
Subject: Re: StrawberryPerl and the OpenSSL "heartbleed" bug

Excellent, I have put patched version at http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz

Simply run:
cpanm http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz -v

--
kmx

On 16.4.2014 22:50, Jan Dubois wrote:

On Wed, Apr 16, 2014 at 1:46 PM, kmx wrote:

The reason is simple - it does not build anymore as it is not able to find required pari source tarball at ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/

Here is a quick-and-dirty patch to work around this (but hard-wires you to 2.1.7):

--- a/utils/Math/PariBuild.pm +++ b/utils/Math/PariBuild.pm @@ -301,7 +301,7 @@ EOP } $base_url = "ftp://$host$dir";; -my @extra_chdir = qw(OLD); +my @extra_chdir = qw(OLD/2.1); print "Getting GP/PARI from $base_url\n"; eval {

Cheers,
-Jan
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
Never mind. I'm getting lesdyxic in my old age.

Sent from my iPad

> On Apr 16, 2014, at 18:52, "Jan Dubois" wrote:
>
> On Wed, Apr 16, 2014 at 3:37 PM, wrote:
> >
> > Folks, I just ftped to the link below and found pari.2.7.0.tar.gz. Isn't that
> > what we're looking for or am I missing something?
>
> From http://cpansearch.perl.org/src/ILYAZ/Math-Pari-2.01080605/README:
>
> > (2.01080* still fully supports only 2.1.7, but mostly works with 2.3.* too.)
>
> There is a dev release with support for 2.3, but no indication that
> anyone has ever managed to build with 2.7. Good luck! :)
>
> Cheers,
> -Jan
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
On Wed, Apr 16, 2014 at 3:37 PM, wrote:
>
> Folks, I just ftped to the link below and found pari.2.7.0.tar.gz. Isn't that
> what we're looking for or am I missing something?

From http://cpansearch.perl.org/src/ILYAZ/Math-Pari-2.01080605/README:

> (2.01080* still fully supports only 2.1.7, but mostly works with 2.3.* too.)

There is a dev release with support for 2.3, but no indication that
anyone has ever managed to build with 2.7. Good luck! :)

Cheers,
-Jan
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
Folks, I just ftped to the link below and found pari.2.7.0.tar.gz. Isn't that what we're looking for or am I missing something?

Sent from my iPad

> On Apr 16, 2014, at 4:50 PM, "Jan Dubois" wrote:
>
> On Wed, Apr 16, 2014 at 1:46 PM, kmx wrote:
> > The reason is simple - it does not build anymore as it is not able to find
> > required pari source tarball at
> > ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/
>
> Here is a quick-and-dirty patch to work around this (but hard-wires
> you to 2.1.7):
>
> --- a/utils/Math/PariBuild.pm > +++ b/utils/Math/PariBuild.pm > @@ -301,7 +301,7 @@ EOP > } > > $base_url = "ftp://$host$dir";; > -my @extra_chdir = qw(OLD); > +my @extra_chdir = qw(OLD/2.1); > print "Getting GP/PARI from $base_url\n"; > > eval {
>
> Cheers,
> -Jan
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
On Wed, Apr 16, 2014 at 2:35 PM, wrote:
> Suggestion - maybe you can pull the file that is being fetched (I assume it's
> pari217.exe) and install it locally once and for all? If the pari lib is
> found locally, will the build bother to attempt to go out and get it?

It is pari-2.1.7.tgz, but yes, if it is copied into the unpacked
Math-Pari distribution, then it won't try to download it during `perl
Makefile.PL` time.

Cheers,
-Jan
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
Suggestion - maybe you can pull the file that is being fetched (I assume it's pari217.exe) and install it locally once and for all? If the pari lib is found locally, will the build bother to attempt to go out and get it?

I worry that someday, pari217.exe will disappear.

--
Matthew O. Persico
Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136

From: kmx
To: Win32 Perl mailing list
Date: 04/16/2014 05:21 PM
Subject: Re: StrawberryPerl and the OpenSSL "heartbleed" bug

Excellent, I have put patched version at http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz

Simply run:
cpanm http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz -v

--
kmx

On 16.4.2014 22:50, Jan Dubois wrote:

On Wed, Apr 16, 2014 at 1:46 PM, kmx wrote:

The reason is simple - it does not build anymore as it is not able to find required pari source tarball at ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/

Here is a quick-and-dirty patch to work around this (but hard-wires you to 2.1.7):

--- a/utils/Math/PariBuild.pm +++ b/utils/Math/PariBuild.pm @@ -301,7 +301,7 @@ EOP } $base_url = "ftp://$host$dir";; -my @extra_chdir = qw(OLD); +my @extra_chdir = qw(OLD/2.1); print "Getting GP/PARI from $base_url\n"; eval {

Cheers,
-Jan
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
2014-04-16 15:04 GMT+02:00 Alexandr Ciornii :
> A specially created server (
> http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed
> , in Russian: http://www.xakep.ru/post/62350/default.asp ) can send
> similar request to client. But such attack has low probability.
>

It is not recommended to use such online services. Some really try to capture as much as they can from your system.

Instead, use an open source offline solution that you run yourself for your machine: pacemaker.
https://github.com/Lekensteyn/pacemaker

I verified that openssl bundled with StrawberryPerl 5.18.2.1 is vulnerable. You can reproduce it like this (while pacemaker.py is running):

C:\strawberry\c\bin\openssl s_client -connect 127.0.0.1:4433
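
A version-string check that complements the live test in the message above, as an added example that is not part of the original thread: it classifies the banner printed by `openssl version` against the Heartbleed range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2). The function names and the sample banners are constructed for illustration.

```python
import re
import subprocess
import sys

# Version token of an `openssl version` banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Groups: major, minor, fix, patch letters ("e"), optional pre-release tag ("beta1").
_BANNER = re.compile(
    r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.IGNORECASE
)

# Constructed sample banners in the format `openssl version` prints.
SAMPLES = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
]


def parse_banner(banner):
    """Return (major, minor, fix, patch, pre), or None if this is not an OpenSSL banner."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, fix, m.group(4).lower(), (m.group(5) or "").lower()


def heartbleed_status(banner):
    """Classify a banner as 'affected', 'not affected' or 'unknown' by version alone."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    major, minor, fix, patch, pre = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 up to and including 1.0.1f carry the bug; 1.0.1g fixed it.
        # Pre-releases of 1.0.1 have no patch letter and are counted as affected.
        return "affected" if patch < "g" else "not affected"
    if (major, minor, fix) == (1, 0, 2):
        # Only 1.0.2-beta1 shipped with the bug; beta2 and all releases are fixed.
        return "affected" if pre == "beta1" else "not affected"
    # No release of 0.9.8, 1.0.0, or 1.1.0 and later contains the bug.
    return "not affected"


def openssl_banner(exe):
    """Run `<exe> version` and return the first line it prints."""
    out = subprocess.run([exe, "version"], capture_output=True, text=True, check=True)
    lines = out.stdout.strip().splitlines()
    return lines[0] if lines else ""


if __name__ == "__main__":
    # Pass paths to openssl executables as arguments; with none, use the samples.
    banners = [openssl_banner(p) for p in sys.argv[1:]] or SAMPLES
    for b in banners:
        print(f"{heartbleed_status(b):<13} {b}")
```

The version string cannot see vendor backports or builds compiled with -DOPENSSL_NO_HEARTBEATS, so an "affected" result is a prompt to run the local test described above, not a final verdict.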
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
Excellent, I have put patched version at http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz

Simply run:
cpanm http://strawberryperl.com/package/kmx/perl-modules-patched/Math-Pari-2.01080605_patched.tar.gz -v

--
kmx

On 16.4.2014 22:50, Jan Dubois wrote:

On Wed, Apr 16, 2014 at 1:46 PM, kmx wrote:

The reason is simple - it does not build anymore as it is not able to find required pari source tarball at ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/

Here is a quick-and-dirty patch to work around this (but hard-wires you to 2.1.7):

--- a/utils/Math/PariBuild.pm +++ b/utils/Math/PariBuild.pm @@ -301,7 +301,7 @@ EOP } $base_url = "ftp://$host$dir";; -my @extra_chdir = qw(OLD); +my @extra_chdir = qw(OLD/2.1); print "Getting GP/PARI from $base_url\n"; eval {

Cheers,
-Jan
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
On Wed, Apr 16, 2014 at 1:46 PM, kmx wrote:
> The reason is simple - it does not build anymore as it is not able to find
> required pari source tarball at
> ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/

Here is a quick-and-dirty patch to work around this (but hard-wires you to 2.1.7):

--- a/utils/Math/PariBuild.pm +++ b/utils/Math/PariBuild.pm @@ -301,7 +301,7 @@ EOP } $base_url = "ftp://$host$dir";; -my @extra_chdir = qw(OLD); +my @extra_chdir = qw(OLD/2.1); print "Getting GP/PARI from $base_url\n"; eval {

Cheers,
-Jan
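
Review bot: The `@extra_chdir` line replaces `OLD` with `OLD/2.1` instead of adding to it, so the original fallback directory is no longer tried and the lookup breaks again if the server layout shifts or a supported tarball sits elsewhere under `OLD`. If the code that walks `@extra_chdir` tries each entry in turn, keeping both (`qw(OLD OLD/2.1)`) would be the smaller risk. Separately, the context line `$base_url = "ftp://$host$dir";;` shows the source tarball is still fetched over plain FTP, and nothing in these lines checks what was downloaded; a copy shipped with the distribution, or a digest comparison before unpacking, would be a safer basis for the build. The doubled `;;` on that line is harmless but could be tidied in the same change.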
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
The reason is simple - it does not build anymore as it is not able to find required pari source tarball at ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/

Try: cpanm Math::Pari -v

...
Getting GP/PARI from ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/
Not in this directory, now chdir('OLD')...
Did not find any file matching /((?:.*\/)?pari\W*(?!2\.(?:[3-9]|\d\d+)\.)(\d+\.\d+\.\d+).*\.t(?:ar\.)?gz)$/ via FTP
...
Not in this directory, trying `ftp://megrez.math.u-bordeaux.fr/pub/pari/unix/OLD/'...
Did not find any file matching /((?:.*\/)?pari\W*(?!2\.(?:[3-9]|\d\d+)\.)(\d+\.\d+\.\d+).*\.t(?:ar\.)?gz)$/ via FTP.
...

In January 2014 the installation worked so that's why it is included in 5.18.2.1 and not in 5.18.2.2

Another trouble with Math::Pari (in fact it is a trouble with underlying pari library) is that it has never built correctly with 64bit compiler on MS Windows.

--
kmx

On 16.4.2014 22:07, matthew.pers...@lazard.com wrote:

Any reason why 5.18.2.2 excludes Math::Pari? Math::Pari is used (a couple of levels down) by Net::SFTP. Net::SFTP is the reason I converted TO Strawberry about three weeks ago.

Please advise...

--
Matthew O. Persico
Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136

From: kmx
To: win32-vanilla@perl.org
Date: 04/16/2014 01:31 AM
Subject: Re: StrawberryPerl and the OpenSSL "heartbleed" bug

Olivier,

You can try updated strawberry perl from:
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.msi
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.msi
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit-portable.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit-portable.zip

--
kmx

On 15.4.2014 0:36, kmx wrote:

Hi,

you can get updated openssl binaries from:
- http://strawberryperl.com/package/kmx/64_libs/gcc47-2014Q1/
- http://strawberryperl.com/package/kmx/32_libs/gcc47-2014Q1/

I am considering releasing strawberry perl 5.18.2.2 (with new openssl) before the end of April.

--
kmx

On 12.4.2014 20:45, Olivier Mengué wrote:

Hi,

You have probably heard of the now famous "heartbleed" bug of the OpenSSL library.
http://heartbleed.com/

StrawberryPerl is bundled with a binary of the OpenSSL library so I'm wondering if StrawberryPerl is affected by the bug.

I had a look at the release notes of StrawberryPerl to look for the version number of the OpenSSL and all versions of StrawberryPerl since at least 5.16.0.1 have an OpenSSL in the range affected by the heartbleed bug.

It would be helpful to have an official statement from the StrawberryPerl team regarding this issue and to display it prominently on the StrawberryPerl.com page.

Olivier Mengué
https://metacpan.org/author/DOLMEN
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
Any reason why 5.18.2.2 excludes Math::Pari? Math::Pari is used (a couple of levels down) by Net::SFTP. Net::SFTP is the reason I converted TO Strawberry about three weeks ago.

Please advise...

--
Matthew O. Persico
Lazard
30 Rockefeller Plaza
New York, NY 10112
212 632 6136

From: kmx
To: win32-vanilla@perl.org
Date: 04/16/2014 01:31 AM
Subject: Re: StrawberryPerl and the OpenSSL "heartbleed" bug

Olivier,

You can try updated strawberry perl from:
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.msi
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.msi
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit-portable.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit-portable.zip

--
kmx

On 15.4.2014 0:36, kmx wrote:

Hi,

you can get updated openssl binaries from:
- http://strawberryperl.com/package/kmx/64_libs/gcc47-2014Q1/
- http://strawberryperl.com/package/kmx/32_libs/gcc47-2014Q1/

I am considering releasing strawberry perl 5.18.2.2 (with new openssl) before the end of April.

--
kmx

On 12.4.2014 20:45, Olivier Mengué wrote:

Hi,

You have probably heard of the now famous "heartbleed" bug of the OpenSSL library.
http://heartbleed.com/

StrawberryPerl is bundled with a binary of the OpenSSL library so I'm wondering if StrawberryPerl is affected by the bug.

I had a look at the release notes of StrawberryPerl to look for the version number of the OpenSSL and all versions of StrawberryPerl since at least 5.16.0.1 have an OpenSSL in the range affected by the heartbleed bug.

It would be helpful to have an official statement from the StrawberryPerl team regarding this issue and to display it prominently on the StrawberryPerl.com page.

Olivier Mengué
https://metacpan.org/author/DOLMEN
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
A specially created server (
http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed
, in Russian: http://www.xakep.ru/post/62350/default.asp ) can send
similar request to client. But such attack has low probability.

2014-04-16 15:40 GMT+03:00 :
> Does it matter if you are only using client-side SSL, if you are not running
> a server with Strawberry but just connecting to sites?

--
Alexandr Ciornii, http://chorny.net
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
Does it matter if you are only using client-side SSL, if you are not running a server with Strawberry but just connecting to sites?

--
Matthew

> On Apr 16, 2014, at 1:31, "kmx" wrote:
>
> Olivier,
>
> You can try updated strawberry perl from:
>
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.msi
>
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.msi
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.zip
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.zip
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit-portable.zip
> http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit-portable.zip
>
> --
> kmx
>
>> On 15.4.2014 0:36, kmx wrote:
>> Hi,
>>
>> you can get updated openssl binaries from:
>> - http://strawberryperl.com/package/kmx/64_libs/gcc47-2014Q1/
>> - http://strawberryperl.com/package/kmx/32_libs/gcc47-2014Q1/
>>
>> I am considering releasing strawberry perl 5.18.2.2 (with new openssl)
>> before the end of April.
>>
>> --
>> kmx
>>
>>> On 12.4.2014 20:45, Olivier Mengué wrote:
>>> Hi,
>>>
>>> You have probably heard of the now famous "heartbleed" bug of the OpenSSL
>>> library.
>>> http://heartbleed.com/
>>>
>>> StrawberryPerl is bundled with a binary of the OpenSSL library so I'm
>>> wondering if StrawberryPerl is affected by the bug.
>>>
>>> I had a look at the release notes of StrawberryPerl to look for the version
>>> number of the OpenSSL and all versions of StrawberryPerl since at least
>>> 5.16.0.1 have an OpenSSL in the range affected by the heartbleed bug.
>>>
>>> It would be helpful to have an official statement from the StrawberryPerl
>>> team regarding this issue and to display it prominently on the
>>> StrawberryPerl.com page.
>>>
>>> Olivier Mengué
>>> https://metacpan.org/author/DOLMEN
>
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
Olivier,

You can try updated strawberry perl from:
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.msi
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.msi
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-32bit-portable.zip
http://strawberryperl.com/download/5.18.2.2/strawberry-perl-5.18.2.2-64bit-portable.zip

--
kmx

On 15.4.2014 0:36, kmx wrote:

Hi,

you can get updated openssl binaries from:
- http://strawberryperl.com/package/kmx/64_libs/gcc47-2014Q1/
- http://strawberryperl.com/package/kmx/32_libs/gcc47-2014Q1/

I am considering releasing strawberry perl 5.18.2.2 (with new openssl) before the end of April.

--
kmx

On 12.4.2014 20:45, Olivier Mengué wrote:

Hi,

You have probably heard of the now famous "heartbleed" bug of the OpenSSL library.
http://heartbleed.com/

StrawberryPerl is bundled with a binary of the OpenSSL library so I'm wondering if StrawberryPerl is affected by the bug.

I had a look at the release notes of StrawberryPerl to look for the version number of the OpenSSL and all versions of StrawberryPerl since at least 5.16.0.1 have an OpenSSL in the range affected by the heartbleed bug.

It would be helpful to have an official statement from the StrawberryPerl team regarding this issue and to display it prominently on the StrawberryPerl.com page.

Olivier Mengué
https://metacpan.org/author/DOLMEN
Re: StrawberryPerl and the OpenSSL "heartbleed" bug
Hi,

you can get updated openssl binaries from:
- http://strawberryperl.com/package/kmx/64_libs/gcc47-2014Q1/
- http://strawberryperl.com/package/kmx/32_libs/gcc47-2014Q1/

I am considering releasing strawberry perl 5.18.2.2 (with new openssl) before the end of April.

--
kmx

On 12.4.2014 20:45, Olivier Mengué wrote:

Hi,

You have probably heard of the now famous "heartbleed" bug of the OpenSSL library.
http://heartbleed.com/

StrawberryPerl is bundled with a binary of the OpenSSL library so I'm wondering if StrawberryPerl is affected by the bug.

I had a look at the release notes of StrawberryPerl to look for the version number of the OpenSSL and all versions of StrawberryPerl since at least 5.16.0.1 have an OpenSSL in the range affected by the heartbleed bug.

It would be helpful to have an official statement from the StrawberryPerl team regarding this issue and to display it prominently on the StrawberryPerl.com page.

Olivier Mengué
https://metacpan.org/author/DOLMEN