PMaff's Avatar
Posts: 361 | Thanked: 219 times | Joined on Sep 2010
#1
Hello,

probably all of you read
http://heartbleed.com/

openssl version
gives
"0.9.8n"
for my N900.


Pete
 

The Following 14 Users Say Thank You to PMaff For This Useful Post:
Copernicus's Avatar
Posts: 1,986 | Thanked: 7,698 times | Joined on Dec 2010 @ Dayton, Ohio
#2
There are advantages to running tried-and-true software.
 

The Following 2 Users Say Thank You to Copernicus For This Useful Post:
Posts: 131 | Thanked: 184 times | Joined on Dec 2011
#3
Seeing as I'm going to have to replace all my passwords (had a nice manual system going back 15 years), maybe someone wants to look at fixing KeepassX (not the vulnerability, it never compiled properly in the first place)?

http://talk.maemo.org/showthread.php...keepass&page=2

Last edited by _David_; 2014-04-11 at 00:15. Reason: Fixed ambiguity
 

The Following 5 Users Say Thank You to _David_ For This Useful Post:
pycage's Avatar
Posts: 3,404 | Thanked: 4,474 times | Joined on Oct 2005 @ Germany
#4
Clients should be mostly safe from Heartbleed. Firefox, Opera, Chrome, Thunderbird, Internet Explorer don't use OpenSSL, and Apple's version of OpenSSL is not recent enough for it.
The problem is the server side with all those web and application servers, proxy servers, etc. all using OpenSSL.

It's the TLS heartbeat keep-alive code that is vulnerable. KeepassX does not fall into this category, fortunately.
__________________
Tidings - RSS and Podcast aggregator for Jolla - https://github.com/pycage/tidings
Cargo Dock - file/cloud manager for Jolla - https://github.com/pycage/cargodock
 

The Following 5 Users Say Thank You to pycage For This Useful Post:
Posts: 2,290 | Thanked: 4,133 times | Joined on Apr 2010 @ UK
#5
Originally Posted by pycage View Post
KeepassX does not fall into this category, fortunately.
I think the "fixing KeepassX" comment is less about Heartbleed and more about password security in general.

I agree it would be nice to get KeePassX usable on the N900.
__________________

Wiki Admin
sixwheeledbeast's wiki
Testing Squad Subscriber
- mcallerx - tenminutecore - FlopSwap - Qnotted - zzztop - Bander - Fight2048 -


Before posting or starting a thread please try this.
 

The Following 6 Users Say Thank You to sixwheeledbeast For This Useful Post:
Guest | Posts: n/a | Thanked: 0 times | Joined on
#6
Originally Posted by pycage View Post
Clients should be mostly safe from Heartbleed. Firefox, Opera, Chrome, Thunderbird, Internet Explorer don't use OpenSSL, and Apple's version of OpenSSL is not recent enough for it.
The problem is the server side with all those web and application servers, proxy servers, etc. all using OpenSSL.

It's the TLS heartbeat keep-alive code that is vulnerable. KeepassX does not fall into this category, fortunately.
I suggest looking into this vulnerability; clients may or may not be vulnerable, depending on how the TLS handshake is being utilized.

For those interested, try this out
https://github.com/Lekensteyn/pacemaker
 

The Following 4 Users Say Thank You to For This Useful Post:
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#7
Looks like the version of OpenSSL in the Nokia repos (and in the Community SSU repos) is so old it doesn't have the bug, so it should be good.
 

The Following 8 Users Say Thank You to jonwil For This Useful Post:
PMaff's Avatar
Posts: 361 | Thanked: 219 times | Joined on Sep 2010
#8
Originally Posted by jonwil View Post
Looks like the version of OpenSSL in the Nokia repos (and in the Community SSU repos) is so old it doesn't have the bug, so it should be good.
I did not check all the other CVEs regarding OpenSSL,
but I guess the question is, if there were other security
issues, which make it too old in other aspects?
 

The Following 2 Users Say Thank You to PMaff For This Useful Post:
Posts: 567 | Thanked: 2,965 times | Joined on Oct 2009
#9
The question to be asked then is, will replacing OpenSSL on the N900 with the newest version break anything and if not, should CSSU do that?
 

The Following 2 Users Say Thank You to jonwil For This Useful Post:
Posts: 1,808 | Thanked: 4,272 times | Joined on Feb 2011 @ Germany
#10
Originally Posted by jonwil View Post
The question to be asked then is, will replacing OpenSSL on the N900 with the newest version break anything and if not, should CSSU do that?
I actually replaced openssl with version 1.0.1e some time ago. AFAIK I compiled it myself, and it's probably vulnerable to Heartbleed (not that I care much anyway).

In any case, nothing (else) broke on my N900 (no CSSU, just somewhat patched 1.3). It's not such a "critical" library that would break something horribly, but with Maemo you never know..
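
The version check the posters above are doing by hand, as an added example that is not part of the original thread: a POSIX shell function that classifies `openssl version` output against the Heartbleed-affected releases (1.0.1 through 1.0.1f and 1.0.2-beta1, taken from the public OpenSSL advisory rather than from this thread). The function name `heartbleed_status` and the sample strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies an OpenSSL version string
# against the releases that shipped the vulnerable TLS heartbeat code:
# 1.0.1 through 1.0.1f, plus 1.0.2-beta1. Fixed in 1.0.1g.
# Accepts a bare version ("0.9.8n") or full `openssl version` output.
#
# Caveat: a version string cannot show a distro backport of the fix or a
# build with heartbeats compiled out, so "affected" means "check the
# package changelog", not "confirmed exploitable".
heartbleed_status() {
    # Take the first whitespace-separated token shaped like an OpenSSL version.
    hb_ver=$(printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -E '^[0-9]+\.[0-9]+\.[0-9]+[a-z]*(-[a-z0-9]+)?$' \
        | head -n 1)
    # Some vendor builds append "-fips"; it does not change the code base.
    hb_ver=${hb_ver%-fips}
    case "$hb_ver" in
        '')                 echo unknown ;;       # nothing parseable
        1.0.2-beta1)        echo affected ;;
        *-*)                echo unknown ;;       # other pre-release tags
        1.0.1|1.0.1[a-f])   echo affected ;;
        *)                  echo not-affected ;;  # 0.9.8x, 1.0.0x, 1.0.1g+
    esac
}

# Constructed sample usage, run only when executed directly with an argument:
#   sh check.sh "$(openssl version)"
if [ "$#" -gt 0 ]; then
    heartbleed_status "$*"
fi
```

On the N900 this would be fed the output of `openssl version`; the stock 0.9.8n reported in the first post predates the heartbeat extension, while a self-built 1.0.1e falls inside the affected range.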
 

Tags
heartbleed, nokia n900, openssl, security
