From yann at pleiades.fr.eu.org Sun Dec 6 13:04:20 2009
From: yann at pleiades.fr.eu.org (Yann Rouillard)
Date: Sun, 06 Dec 2009 13:04:20 +0100
Subject: [csw-users] Openssl vulnerability CVE-2009-3555
Message-ID: <4B1B9DC4.9050009@pleiades.fr.eu.org>

Dear users,

A security vulnerability has recently been found in the part of the TLS and SSL protocol related to the handling of session renegotiation [1]. This vulnerability allows an attacker to inject arbitrary content at the beginning of a TLS/SSL connection within a man-in-the-middle attack.

This problem is caused by a design flaw in the TLS/SSL protocol and is difficult to fix in a clean and backward-compatible way. As a result, the new openssl release (0.9.8l) which fixes this bug simply disables renegotiation completely.

This new package will hit the csw unstable mirror very soon.

This modification should not have any impact for most setups, except for Apache https configurations which use client certificate verification (SSLVerifyClient) or specify a new ssl cipher list (SSLCipherSuite) in a directory or location context. If that's your case, you should try to use these instructions at the server or virtual host level, or avoid upgrading to openssl 0.9.8l [2], but you will stay vulnerable in the latter case.

A new protocol extension to TLS is planned to address this issue, but the RFC draft is still under review and it will require both the client and the server to implement the extension.

Best regards

Yann

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
[2] You can avoid upgrading with pkgutil >= 1.9 by adding the following line to pkgutil.conf:
    exclude_pattern=CSWossl


From lanken.paul at gmail.com Sun Dec 6 18:01:06 2009
From: lanken.paul at gmail.com (Paul Lanken)
Date: Sun, 6 Dec 2009 12:01:06 -0500
Subject: [csw-users] Openssl vulnerability CVE-2009-3555
In-Reply-To: <4B1B9DC4.9050009@pleiades.fr.eu.org>
References: <4B1B9DC4.9050009@pleiades.fr.eu.org>
Message-ID:

I don't get it... that fix has been out as a package set for over a week or more:

http://mirrors.med.harvard.edu/csw/unstable/sparc/5.8/openssl-0.9.8l,REV=2009.11.23-SunOS5.8-sparc-CSW.pkg.gz

and

http://mirrors.med.harvard.edu/csw/unstable/sparc/5.8/apache2-2.2.14,REV=2009.10.16-SunOS5.8-sparc-CSW.pkg.gz

On Sun, Dec 6, 2009 at 7:04 AM, Yann Rouillard wrote:
> Dear users,
>
> A security vulnerability has recently been found in the part of the TLS and SSL protocol related to the handling of session renegotiation [1]. This vulnerability allows an attacker to inject arbitrary content at the beginning of a TLS/SSL connection within a man-in-the-middle attack.
>
> This problem is caused by a design flaw in the TLS/SSL protocol and is difficult to fix in a clean and backward-compatible way. As a result, the new openssl release (0.9.8l) which fixes this bug simply disables renegotiation completely.
>
> This new package will hit the csw unstable mirror very soon.
>
> This modification should not have any impact for most setups, except for Apache https configurations which use client certificate verification (SSLVerifyClient) or specify a new ssl cipher list (SSLCipherSuite) in a directory or location context. If that's your case, you should try to use these instructions at the server or virtual host level, or avoid upgrading to openssl 0.9.8l [2], but you will stay vulnerable in the latter case.
>
> A new protocol extension to TLS is planned to address this issue, but the RFC draft is still under review and it will require both the client and the server to implement the extension.
>
> Best regards
>
> Yann
>
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
> [2] You can avoid upgrading with pkgutil >= 1.9 by adding the following line to pkgutil.conf:
>     exclude_pattern=CSWossl
>
> _______________________________________________
> users mailing list
> users at lists.opencsw.org
> https://lists.opencsw.org/mailman/listinfo/users


From mgerdts at gmail.com Sun Dec 6 18:10:15 2009
From: mgerdts at gmail.com (Mike Gerdts)
Date: Sun, 6 Dec 2009 11:10:15 -0600
Subject: [csw-users] Openssl vulnerability CVE-2009-3555
In-Reply-To: <4B1B9DC4.9050009@pleiades.fr.eu.org>
References: <4B1B9DC4.9050009@pleiades.fr.eu.org>
Message-ID: <65f8f3ad0912060910m7abeed81w320d893e7d6e6ea@mail.gmail.com>

On Sun, Dec 6, 2009 at 6:04 AM, Yann Rouillard wrote:
> Dear users,
>
> A security vulnerability has recently been found in the part of the TLS and SSL protocol related to the handling of session renegotiation [1]. This vulnerability allows an attacker to inject arbitrary content at the beginning of a TLS/SSL connection within a man-in-the-middle attack.
>
> This problem is caused by a design flaw in the TLS/SSL protocol and is difficult to fix in a clean and backward-compatible way. As a result, the new openssl release (0.9.8l) which fixes this bug simply disables renegotiation completely.
>
> This new package will hit the csw unstable mirror very soon.

What is the plan for updating stable? If there are no plans to maintain stable, is there a documented procedure for me to create a custom branch (e.g. mystable) that contains the fixes and updates that I care about? The current stable seems to be a bit stale.

--
Mike Gerdts
http://mgerdts.blogspot.com/


From bonivart at opencsw.org Sun Dec 6 18:22:58 2009
From: bonivart at opencsw.org (Peter Bonivart)
Date: Sun, 6 Dec 2009 18:22:58 +0100
Subject: [csw-users] Openssl vulnerability CVE-2009-3555
In-Reply-To:
References: <4B1B9DC4.9050009@pleiades.fr.eu.org>
Message-ID: <625385e30912060922r36296b90sdf49a50bce66b782@mail.gmail.com>

On Sun, Dec 6, 2009 at 6:01 PM, Paul Lanken wrote:
> I don't get it... that fix has been out as a package set for over a week or more:
>
> http://mirrors.med.harvard.edu/csw/unstable/sparc/5.8/openssl-0.9.8l,REV=2009.11.23-SunOS5.8-sparc-CSW.pkg.gz
>
> and
>
> http://mirrors.med.harvard.edu/csw/unstable/sparc/5.8/apache2-2.2.14,REV=2009.10.16-SunOS5.8-sparc-CSW.pkg.gz

That's not an OpenCSW mirror.

--
/peter


From dam at opencsw.org Thu Dec 10 07:29:33 2009
From: dam at opencsw.org (Dagobert Michelsen)
Date: Thu, 10 Dec 2009 07:29:33 +0100
Subject: [csw-users] Openssl vulnerability CVE-2009-3555
In-Reply-To: <65f8f3ad0912060910m7abeed81w320d893e7d6e6ea@mail.gmail.com>
References: <4B1B9DC4.9050009@pleiades.fr.eu.org> <65f8f3ad0912060910m7abeed81w320d893e7d6e6ea@mail.gmail.com>
Message-ID:

Hi Mike,

On 06.12.2009 at 18:10, Mike Gerdts wrote:
> On Sun, Dec 6, 2009 at 6:04 AM, Yann Rouillard wrote:
>> A security vulnerability has recently been found in the part of the TLS and SSL protocol related to the handling of session renegotiation [1]. This vulnerability allows an attacker to inject arbitrary content at the beginning of a TLS/SSL connection within a man-in-the-middle attack.
>>
>> This problem is caused by a design flaw in the TLS/SSL protocol and is difficult to fix in a clean and backward-compatible way. As a result, the new openssl release (0.9.8l) which fixes this bug simply disables renegotiation completely.
>>
>> This new package will hit the csw unstable mirror very soon.
>
> What is the plan for updating stable? If there are no plans to maintain stable, is there a documented procedure for me to create a custom branch (e.g. mystable) that contains the fixes and updates that I care about? The current stable seems to be a bit stale.

Please excuse my late answer, as I wanted to first check the overall state for a new stable. There is a new stable planned, but as we have updated roughly 700 of the 2200 distributed packages since the last stable, testing all this is not a small task. Unfortunately I cannot give you a date when the next stable will be available.

In the meantime you can either make your own repository with the updates you consider important and use it as an overlay catalog for pkgutil.

Alternatively you can do a single package update with pkg-get like

    pkg-get -s http:// -U -u openssl

that will just as easily get the later openssl. As it doesn't have non-openssl dependencies, it will accomplish the same thing. Then you can go back to using the regular "stable" archives, since pkg-get will not update over a "newer" installed version of openssl.

Best regards

-- Dago


From skayser at opencsw.org Thu Dec 10 16:00:26 2009
From: skayser at opencsw.org (Sebastian Kayser)
Date: Thu, 10 Dec 2009 16:00:26 +0100
Subject: [csw-users] Users miniconf, Munich 22nd Jan 2010
Message-ID: <20091210150026.GB7667@sebastiankayser.de>

Dear OpenCSW Users,

we are currently thinking about setting up a public mini conference for OpenCSW users, with talks from OpenCSW maintainers and the chance to meet other OpenCSW users as well as some of the people behind OpenCSW.

Location: Munich, Germany (sorry to folks abroad)
Date: 22. Jan 2010

Topics can range from detailed information on OpenCSW and its tools (release branches, project history/future, pkg-get/pkgutil/repository deep dives, our GAR build system) to general topics of interest for Solaris admins. Apart from that it could be a great occasion to exchange ideas and discuss your needs.

Right now, we would be interested in two things.
1) Does such a mini conference sound interesting to people here?
2) Are there any specific topics you would be interested in?

Looking forward to your feedback. Just reply to the list.

Sebastian


From maciej at opencsw.org Thu Dec 17 12:18:34 2009
From: maciej at opencsw.org (Maciej (Matchek) Blizinski)
Date: Thu, 17 Dec 2009 11:18:34 +0000
Subject: [csw-users] Python 2.6.4 in testing/
Message-ID:

There is a plusungood bug in Python 2.6 which makes getpass() echo the password to the screen [1]. It's fixed upstream, it seems, but the fix hasn't been released yet. I've created new Python packages to which I've applied the patch extracted from the bug report. I made a couple more changes while I was rebuilding Python.

Here's the list of changes:

- Version bump from 2.6.2 to 2.6.4 (upstream changes listed at http://www.python.org/download/releases/2.6.4/NEWS.txt)
- All testing-related files have been moved from CSWpython to CSWpython-test (except the unittest module)
- distutils is included in the main (CSWpython) package
- CSWpython-rt is now an empty deprecated package

Test packages can be obtained from http://mirror.opencsw.org/testing.html

Maciej

[1] http://bugs.python.org/issue7208
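A configuration illustration of the Apache caveat in Yann's first post, added here by the editor and not taken from any of the messages above. The first virtual host puts SSLVerifyClient (and a differing SSLCipherSuite) inside a Location context, which makes mod_ssl renegotiate the TLS session after the initial handshake; that renegotiation is exactly what openssl 0.9.8l refuses, so requests to that Location stop working after the upgrade. The second virtual host carries the same directives at the virtual-host level, where the client certificate is requested in the initial handshake and no renegotiation is needed. Hostnames, ports, file paths and the cipher string are placeholders.

```apache
# Added example (editor's illustration, not configuration from any of the
# posts above). Hostnames, ports, file paths and the cipher string are
# placeholders.

# BEFORE: client certificate verification in a Location context.
# The handshake for this vhost completes without asking for a client
# certificate. When a request arrives for /secure, mod_ssl has to
# renegotiate the TLS session to request one; a Location-level
# SSLCipherSuite that differs from the vhost setting forces the same
# renegotiation. With openssl 0.9.8l renegotiation is refused, so every
# request under /secure fails after the upgrade.
<VirtualHost *:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt

    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
        SSLCipherSuite  HIGH:!aNULL:!MD5
    </Location>
</VirtualHost>

# AFTER: the same directives at the virtual-host level. The client
# certificate is requested during the initial handshake, so the setup
# keeps working with renegotiation disabled. Content that must remain
# reachable without a client certificate is served from a different
# virtual host (here a separate port; a separate address works as well)
# instead of a sibling Location in the same vhost.
<VirtualHost *:8443>
    ServerName            secure.example.com
    SSLEngine             on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        2
    SSLCipherSuite        HIGH:!aNULL:!MD5
</VirtualHost>
```

After upgrading openssl, a request to a Location that still depends on renegotiation shows up as a failed request with a renegotiation handshake error in Apache's SSL error log, which is a quick way to find directives that still need to be moved up to the virtual-host level.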