![]() |
N900, CSSU and OpenSSL
In light of this new OpenSSL issue:
http://it.slashdot.org/story/14/06/0...ts-all-clients Do we have OpenSSL in CSSU? Do we want to pull in all the fixes for OpenSSL for issues like this? Also, it would be good to have a security examination of the N900 and identify all the packages that are important for security (so that we can keep them maintained in CSSU or if they are closed, look at how to replace them with something open) |
Re: N900, CSSU and OpenSSL
http://www.symantec.com/connect/blog...ter-heartbleed
It seems we avoided heartbleed issues by being on 0.9.8n, however, latest CVE's recommend updating 0.9.8 to 0.9.8za I believe some of your question where discussed on the heartbleed thread http://talk.maemo.org/showthread.php?t=92998 |
Re: N900, CSSU and OpenSSL
Sounds like someone should compile and release 0.9.8za for the n900 at least. Is that part of CSSU, or just generally available in the repos as a separate package?
|
Re: N900, CSSU and OpenSSL
|
Re: N900, CSSU and OpenSSL
Seems like it's in the SSU repository (among others too). On my device, it's thumb compiled by fmg, so hopefully he will compile the newest one. I guess it will have to pass through CSSU-dev first though... I'm not really up on how CSSU stuff works and it seems like a very small group of people own it.
|
Re: N900, CSSU and OpenSSL
Quote:
More a small dedicated group of devs contribute to it as a team. |
Re: N900, CSSU and OpenSSL
Community is not just ask and receive.
Everyone can contribute, maybe with small things, but the concept of community starts from this. No one owns, everyone contributes to make it better |
Re: N900, CSSU and OpenSSL
Quote:
Point me to the patch that fixes that CVE and I'll see what I can do EDIT: "Pointing" is raising a bug on BMO, place a link to bug here |
Re: N900, CSSU and OpenSSL
@fremangordon
maybe that rebase on 0.9.8za and apply nokia/maemo patches to that would require almost the same time. For sure latest CVE 2014-0224 is really a pain for every mobile device using a vpn. ref: http://www.openssl.org/news/secadv_20140605.txt So also CVE 2014 0195/221/3470 affect the N900's openssl current version. After this, we should expect many openssl updates in the next months since actually there is a massive bug hunting.. |
Re: N900, CSSU and OpenSSL
Quote:
So, if someone finds the relevant patches/commits, I'll backport them in CSSU |
All times are GMT. The time now is 23:11. |
vBulletin® Version 3.8.8