maemo.org - Talk


jonwil 2014-06-05 22:36

N900, CSSU and OpenSSL
 
In light of this new OpenSSL issue:
http://it.slashdot.org/story/14/06/0...ts-all-clients
Do we have OpenSSL in CSSU? Do we want to pull in all the fixes for OpenSSL for issues like this?

Also, it would be good to have a security examination of the N900 and identify all the packages that are important for security (so that we can keep them maintained in CSSU or, if they are closed, look at how to replace them with something open).

sixwheeledbeast 2014-06-05 22:48

Re: N900, CSSU and OpenSSL
 
http://www.symantec.com/connect/blog...ter-heartbleed

It seems we avoided Heartbleed issues by being on 0.9.8n; however, the latest CVEs recommend updating 0.9.8 to 0.9.8za.

I believe some of your questions were discussed on the Heartbleed thread: http://talk.maemo.org/showthread.php?t=92998

shawnjefferson 2014-06-06 02:36

Re: N900, CSSU and OpenSSL
 
Sounds like someone should compile and release 0.9.8za for the n900 at least. Is that part of CSSU, or just generally available in the repos as a separate package?

sixwheeledbeast 2014-06-06 07:09

Re: N900, CSSU and OpenSSL
 
http://maemo.org/packages/view/libssl0.9.8/
http://maemo.org/packages/view/openssl/

shawnjefferson 2014-06-07 05:56

Re: N900, CSSU and OpenSSL
 
Seems like it's in the SSU repository (among others too). On my device, it's thumb compiled by fmg, so hopefully he will compile the newest one. I guess it will have to pass through CSSU-dev first though... I'm not really up on how CSSU stuff works and it seems like a very small group of people own it.

sixwheeledbeast 2014-06-07 08:29

Re: N900, CSSU and OpenSSL
 
Quote:

Originally Posted by shawnjefferson (Post 1428583)
I'm not really up on how CSSU stuff works and it seems like a very small group of people own it.

I wouldn't say "own" it.
More a small dedicated group of devs contribute to it as a team.

xes 2014-06-07 09:13

Re: N900, CSSU and OpenSSL
 
Community is not just asking and receiving.

Everyone can contribute, maybe with small things, but the concept of community starts from this.

No one owns; everyone contributes to make it better.

freemangordon 2014-06-07 09:26

Re: N900, CSSU and OpenSSL
 
Quote:

Originally Posted by shawnjefferson (Post 1428583)
Seems like it's in the SSU repository (among others too). On my device, it's thumb compiled by fmg, so hopefully he will compile the newest one. I guess it will have to pass through CSSU-dev first though... I'm not really up on how CSSU stuff works and it seems like a very small group of people own it.

The only option we have is to backport the needed patches, otherwise we'll break the ABI.

Point me to the patch that fixes that CVE and I'll see what I can do

EDIT:
"Pointing" is raising a bug on BMO, place a link to bug here

xes 2014-06-07 12:26

Re: N900, CSSU and OpenSSL
 
@freemangordon
Maybe rebasing on 0.9.8za and applying the Nokia/Maemo patches to that would require almost the same time.
For sure, the latest CVE-2014-0224 is really a pain for every mobile device using a VPN.
ref: http://www.openssl.org/news/secadv_20140605.txt
CVE 2014 0195/221/3470 also affect the N900's current OpenSSL version.

After this, we should expect many OpenSSL updates in the next months, since there is actually a massive bug hunt going on.

freemangordon 2014-06-07 18:41

Re: N900, CSSU and OpenSSL
 
Quote:

Originally Posted by xes (Post 1428606)
@freemangordon
Maybe rebasing on 0.9.8za and applying the Nokia/Maemo patches to that would require almost the same time.

No, as it will break the ABI; the version in CSSU is the latest that doesn't break it.

So, if someone finds the relevant patches/commits, I'll backport them in CSSU.

