In light of things like Heartbleed and other security vulnerabilities we should look at the packages on the N900 and (as part of CSSU) see which ones we can update to fix securrity problems (or can backport things). Particularly in things that face the internet

For example can we upgrade to the latest OpenSSL 0.9.8 version? Or could we go further and use 0.9.8 for the blobs but upgrade the browser engine (most critical when it comes to ssl and crypto) to use newer and more secure (e.g. against POODLE) OpenSSL version?

At the very least, I think we should upgrade to the latest OpenSSL 0.9.8. I think it's been suggested before to stick it in CSSU Testing but I don't know if anything came of it. As for POODLE mitigation in MicroB, disabling SSL3 via about:config ought to be enough and would be a lot less work than upgrading the browser engine (although a browser engine upgrade and newer OpenSSL would be very welcome).

A security audit is a very good idea. I've been meaning to run a vulnerability scanner such as OpenVAS or Nessus against Fremantle for some time now but I've never gotten around to doing it. It'd be great if someone would post the scan results here.

The latest POODLE reports indicate it affects TLS as well.
Also we wouldnt need to upgrade browser, just upgradde openssl and fix what breaks in the browser (or other foss components)

The safe way is to update openSSL 0.9.8. As said in other places, certain packages are hardlinked, and may break.
As a note to this. I have been runnnig 1.0.1 version of openSSL for a while, and I have not experienced issues.
But, of course this needs more testing than from just one person, as I have probably not been around all corners of all apps.
One thing. I havent had those GPS Fix issues reported also, So, it might just be that upgrading to 1.0.1 (and trying to fix hard-links) might just solve more issues and could be desireable. Again, this is only 'confirmed' by moi.

The first step is to identify all the binaries (open and closed) that link to openssl. Not sure of the easiest way to do that though.

something like this

Ok, binaries that link to libssl and libcrypto (I cant gaurantee that this is every binary on the system that is somehow dependent on the version of openssl though or that every binary on this list actually calls something in those libs)
as-daemon (part of the system for talking to Microsoft email servers)
b64 (open source, part of maemosec-certman-tools)
browser.launch (main browser UI binary)
cmcli (open source, part of maemosec-certman-tools)
eapd (daemon for WiFi security)
intellisyncd (part of Nokia Messaging)
libclinkc.so.0.0.0 (open source, something used for upnp)
libconnui_iapsettings.so.0.0.0 (used for IAP settings stuff)
libcurl.so.4.1.0 (open source, part of curl)
libflashplayer.so (adobe flash player, not sure how this links to openssl)
libiap_dialog_gtc_challenge.so (IAP GTC dialog)
libiap_dialog_mschap_challenge.so (IAP MSCHAP dialog)
libiap_dialog_private_key_pw.so (IAP private key dialog)
libiap_dialog_server_cert.so (IAP server cert dialog)
libiap_dialog_wps.so (IAP WPS dialog)
libiap_wizzard_wlan.so (IAP WLAN wizard)
libinternetsettings.so (internet settings control panel)
liblomesa.so (low level image viewer API)
libloudmouth-1.so.0.1.0 (open source, Jabber library)
libmaemosec.so.0.0.0 (open source, maemo security library)
libmaemosec_certman.so.0.0.0 (open source, maemo security certificate manager library)
libmaemosec_certman_applet.so (open source, certificate manager control panel)
libmaemosec_certman_dialogs.so.0.0.0 (open source, certificate manager dialogs)
libmicrob-eal.so.0.0.0 (open source, microb engine library, not sure how this links to openssl)
libshareonovi.so (ovi sharing widget)
libsofia-sip-ua-glib.so.3.0.0 (open source, SIP library)
libsofia-sip-ua.so.3.0.0 (open source, SIP library)
libsync4j.so.3.0.0 (syncml library, seems like it should be open source unless its one of those "GPL unless you pay us for a license" deals)
location-proxy (daemon for talking to SUPL server)
maemosec_certman_service (open source, maemo security certificate manager service)
nsscfg (open source, part of maemosec-certman-tools)
osso-backup.launch (backup application)
ota-settings (for dealing with IAP settings sent over the air by the cellular network)
signond (single-sign-on daemon)
sscli (open source, part of maemosec-certman-tools)
syncd (part of maesync)
xmlpp (open source, part of maemosec-certman-tools)
Xorg (open source, X.org main binary)

Unless specified as "open source", all the above binaries are closed source.

Not 100% sure actually where the browser gets its SSL implementation from, its quite possibly using NSS (modified to link to the maemo certificate infrastructure) rather than using OpenSSL. In which case the idea goes from "upgrade OpenSSL" to "upgrade OpenSSL and also upgrade NSS"

Bash should also be upgraded to the latest version (4.3) in light of the Shellshock bug. Also, there was the latest security advisory for X.org, so following its developments should be important for security reasons (even though running it rootless would at least help with security a lot).

The biggest factor with regards to x.org is the PowerVR driver and whether any changes we want to make to x.org are going to break that.

i'd love it if any changes to x.org could also include fixing xcb build option to avoid the hack (using two sets of libs) for qt5.

other than x11, openssl and bash, what other base installed packages are vulnerable though? POODLE, Heartbleed, Shellshock and years old X11 issues are very well known but do we have man power to check everything else.

i did start to look through a diff of cssu version of gtk and jessie's latest yesterday to see about porting maemo changes to jessie. if there's any security issues there, looks reasonably straight forward in most places to add maemo changes. dependencies and compatibility issues though i haven't looked at. more like a preliminary assessment.