maemo.org - Talk


PMaff 2014-04-10 00:22

Security: Heartbleed on N900
 
Hello,

probably all of you read
http://heartbleed.com/

openssl version
gives
"0.9.8n"
for my N900. :)


Pete

Copernicus 2014-04-10 00:38

Re: Security: Heartbleed on N900
 
There are advantages to running tried-and-true software. :)

_David_ 2014-04-10 02:29

Re: Security: Heartbleed on N900
 
Seeing as I'm going to have to replace all my passwords (had a nice manual system going back 15 years), maybe someone wants to look at fixing KeepassX (not the vulnerability, it never compiled properly in the first place)?

http://talk.maemo.org/showthread.php...keepass&page=2

pycage 2014-04-10 16:39

Re: Security: Heartbleed on N900
 
Clients should be mostly safe from Heartbleed. Firefox, Opera, Chrome, Thunderbird, Internet Explorer don't use OpenSSL, and Apple's version of OpenSSL is not recent enough for it.
The problem is the server side with all those web and application servers, proxy servers, etc. all using OpenSSL.

It's the TLS heartbeat keep-alive code that is vulnerable. KeepassX does not fall into this category, fortunately. :)

sixwheeledbeast 2014-04-10 17:21

Re: Security: Heartbleed on N900
 
Quote:

Originally Posted by pycage (Post 1420718)
KeepassX does not fall into this category, fortunately. :)

I think the "fixing KeepassX" comment is less about Heartbleed and more about password security in general.

I agree it would be nice to get KeePassX usable on the N900.

nieldk 2014-04-10 17:42

Re: Security: Heartbleed on N900
 
Quote:

Originally Posted by pycage (Post 1420718)
Clients should be mostly safe from Heartbleed. Firefox, Opera, Chrome, Thunderbird, Internet Explorer don't use OpenSSL, and Apple's version of OpenSSL is not recent enough for it.
The problem is the server side with all those web and application servers, proxy servers, etc. all using OpenSSL.

It's the TLS heartbeat keep-alive code that is vulnerable. KeepassX does not fall into this category, fortunately. :)

I suggest looking into this vulnerability; clients may or may not be vulnerable, depending on how the TLS handshake is being utilized.

For those interested, try this out
https://github.com/Lekensteyn/pacemaker

jonwil 2014-04-10 20:31

Re: Security: Heartbleed on N900
 
Looks like the version of OpenSSL in the Nokia repos (and in the Community SSU repos) is so old it doesn't have the bug so it should be good.

PMaff 2014-04-11 09:15

Re: Security: Heartbleed on N900
 
Quote:

Originally Posted by jonwil (Post 1420749)
Looks like the version of OpenSSL in the Nokia repos (and in the Community SSU repos) is so old it doesn't have the bug so it should be good.

I did not check all the other CVEs regarding OpenSSL,
but I guess the question is, if there were other security
issues, which make it too old in other aspects?

jonwil 2014-04-12 00:06

Re: Security: Heartbleed on N900
 
The question to be asked then is, will replacing OpenSSL on the N900 with the newest version break anything and if not, should CSSU do that?

reinob 2014-04-12 12:34

Re: Security: Heartbleed on N900
 
Quote:

Originally Posted by jonwil (Post 1421017)
The question to be asked then is, will replacing OpenSSL on the N900 with the newest version break anything and if not, should CSSU do that?

I actually replaced openssl with version 1.0.1e some time ago. AFAIK I compiled it myself, and it's probably vulnerable to Heartbleed (not that I care much anyway).

In any case, nothing (else) broke on my N900 (no CSSU, just somewhat patched 1.3). It's not such a "critical" library that would break something horribly, but with Maemo you never know..


All times are GMT.