OpenSSL Security Vulnerability

Hi Wael,

The 'openssl version' output is correct (0.9.8c), but not in PHP; this is because it uses (I think) the /lib dir and picks up the 0.9.7a version when rebuilding.
The libcrypto links are ok. Why should I remove and remake the links?

Should I use the with-ssl-dir option when I configure PHP, or can I just delete the 0.9.7a version from the /lib directory and rebuild?

Kind regards,

martijn
 
Cannot upgrade to openssl-0.9.8c:

portsnap fetch
portsnap extract
portsnap update
cd /usr/ports/security/openssl
make install clean



mars# openssl version
OpenSSL 0.9.7e 25 Oct 2004
 
MartijnHOS said:
If you don't update OpenSSH, your connection won't break.


Kind regards,

martijn

I updated openssh and also openssl at the same time and never was disconnected at any point of time. ;)
 
eymbo said:
I updated openssh and also openssl at the same time and never was disconnected at any point of time. ;)


It can be a risk if you update OpenSSH that the update process fails and you cannot log in anymore. That was Peter's question.
 
I updated the openssl and figured I had to redo exim. I tried the rpm source build from the knowledgebase; when I tried to install it, it said it depended on libcrypto and it wasn't found.
Any ideas?
 
MartijnHOS said:
It can be a risk if you update OpenSSH that the update process fails and you cannot log in anymore. That was Peter's question.

I suppose that's true; however, wouldn't you be inside ssh to begin with, and if the ssh compile or the update process fails you'd still be logged on, as the process is still loaded into memory.

A yum remove openssh and yum install openssh would most probably guarantee it is fixed. ;)
 
Just as a side note, this only affects RSA keys whose exponent is 3. We use 65537 for our exponents (the default) when generating keys for certificates.

John
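The post above says the issue only affects RSA keys with public exponent 3, so an obvious defender check is to confirm the exponent of every deployed certificate and key. The following is an added example, not code from the thread or from OpenSSL: a pure-Python DER walker that reads the public exponent out of either a PKCS#1 RSAPublicKey or an X.509 SubjectPublicKeyInfo (PEM or DER), without depending on the openssl binary. The sample keys are constructed inline by a small DER encoder so the script runs offline; the modulus values are made up and are not real keys.

```python
"""Report whether an RSA public key uses the exponent-3 case the thread mentions.

Added example: minimal DER parsing, no OpenSSL dependency. Accepts
PKCS#1 RSAPublicKey or X.509 SubjectPublicKeyInfo, PEM or raw DER.
"""
import base64
import re

WEAK_EXPONENT = 3          # exponent called out in the thread
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next N bytes hold it
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV inside a constructed value such as a SEQUENCE."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _pem_to_der(data):
    """Strip PEM armour and base64-decode if present; otherwise pass DER through."""
    if isinstance(data, str):
        data = data.encode()
    if data.lstrip().startswith(b"-----"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def rsa_public_exponent(data):
    """Return the public exponent e from an RSA public key structure."""
    der = _pem_to_der(data)
    tag, value, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    items = list(_children(value))
    # SubjectPublicKeyInfo ::= SEQUENCE { algorithm SEQUENCE, subjectPublicKey BIT STRING }
    if len(items) == 2 and items[0][0] == 0x30 and items[1][0] == 0x03:
        bits = items[1][1]
        if bits[0] != 0:
            raise ValueError("unexpected unused-bits count in BIT STRING")
        return rsa_public_exponent(bits[1:])       # the BIT STRING wraps an RSAPublicKey
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    if len(items) == 2 and items[0][0] == 0x02 and items[1][0] == 0x02:
        return int.from_bytes(items[1][1], "big")
    raise ValueError("not an RSA public key structure")


def has_weak_exponent(data):
    """True when the key uses e = 3, the case the thread says is affected."""
    return rsa_public_exponent(data) == WEAK_EXPONENT


# --- constructed sample keys (made-up modulus, for offline demonstration only) ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value


def _der_int(i):
    body = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                      # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def make_rsa_public_key_der(n, e):
    """Constructed PKCS#1 RSAPublicKey for (n, e)."""
    return _der_tlv(0x30, _der_int(n) + _der_int(e))


def make_spki_pem(n, e):
    """Constructed SubjectPublicKeyInfo for (n, e), PEM-armoured like 'openssl rsa -pubout'."""
    alg = _der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    key = _der_tlv(0x03, b"\x00" + make_rsa_public_key_der(n, e))
    b64 = base64.b64encode(_der_tlv(0x30, alg + key)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    fake_modulus = (1 << 1023) + 12345      # constructed, not a real key
    for label, blob in (("e=3 key", make_rsa_public_key_der(fake_modulus, 3)),
                        ("e=65537 key", make_spki_pem(fake_modulus, 65537))):
        print(label, "exponent", rsa_public_exponent(blob),
              "WEAK" if has_weak_exponent(blob) else "ok")
```

To check a real key, feed it the bytes of a PEM public key file; the same walk works on the subjectPublicKeyInfo field if you first extract it from a certificate.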
 
For Debian users:

Make sure you have included "deb http://security.debian.org/ stable/updates main contrib" in your /etc/apt/sources.list

Then just do a:
apt-get update && apt-get install openssl

Check for your current version with:
apt-show-versions | grep openssl

Version 0.9.7e-3sarge2 has fixed the bug.
 
Ok, that would be easy. Does anyone else have experience with updating OpenSSL via apt-get in Debian?
 
MartijnHOS said:
It can be a risk if you update OpenSSH that the update process fails and you cannot log in anymore. That was Peter's question.

In this case, you can always open another connection with telnet or netcat. ;)
 
fwpeter said:
Is it safe to update this when I'm using an SSH connection during the update?

Can't take a risk, box is too far away ;)

Always use the screen function...

For example:

screen ./build all n

You can always get your session back even if ssh fails...
 
fwpeter said:
Ok, that would be easy. Does anyone else have experience with updating OpenSSL via apt-get in Debian?

I just did an apt-get upgrade but it still has the old version:

apt-show-versions | grep openssl
openssl/stable uptodate 0.9.7e-3sarge2

Any clues here?
 
Ah ok, sorry for my ignorance again, should've known that ;-) Also:

/usr/include# ls -al | grep openssl
drwxr-xr-x 2 root root 4096 2006-09-18 10:55 openssl

Seems ok.

Thanks for all the help.
 