N900, CSSU and OpenSSL

[jonwil]

In light of this new OpenSSL issue:
http://it.slashdot.org/story/14/06/0...ts-all-clients
Do we have OpenSSL in CSSU? Do we want to pull in all the fixes for OpenSSL for issues like this?

Also, it would be good to have a security examination of the N900 and identify all the packages that are important for security (so that we can keep them maintained in CSSU or if they are closed, look at how to replace them with something open)

[sixwheeledbeast]

http://www.symantec.com/connect/blog...ter-heartbleed

It seems we avoided heartbleed issues by being on 0.9.8n, however, latest CVE's recommend updating 0.9.8 to 0.9.8za

I believe some of your question where discussed on the heartbleed thread http://talk.maemo.org/showthread.php?t=92998

[shawnjefferson]

Sounds like someone should compile and release 0.9.8za for the n900 at least. Is that part of CSSU, or just generally available in the repos as a separate package?

[sixwheeledbeast]

http://maemo.org/packages/view/libssl0.9.8/
http://maemo.org/packages/view/openssl/

[shawnjefferson]

Seems like it's in the SSU repository (among others too). On my device, it's thumb compiled by fmg, so hopefully he will compile the newest one. I guess it will have to pass through CSSU-dev first though... I'm not really up on how CSSU stuff works and it seems like a very small group of people own it.

[sixwheeledbeast]

Quote:

Originally Posted by shawnjefferson

I'm not really up on how CSSU stuff works and it seems like a very small group of people own it.

I wouldn't say "own" it.
More a small dedicated group of devs contribute to it as a team.

[xes]

Community is not just ask and receive.

Everyone can contribute, maybe with small things, but the concept of community starts from this.

No one owns, everyone contributes to make it better

[freemangordon]

Quote:

Originally Posted by shawnjefferson

Seems like it's in the SSU repository (among others too). On my device, it's thumb compiled by fmg, so hopefully he will compile the newest one. I guess it will have to pass through CSSU-dev first though... I'm not really up on how CSSU stuff works and it seems like a very small group of people own it.

The only option we have is to backport the needed patches, otherwise we'll break the ABI.

Point me to the patch that fixes that CVE and I'll see what I can do

EDIT:
"Pointing" is raising a bug on BMO, place a link to bug here

[xes]

@fremangordon
maybe that rebase on 0.9.8za and apply nokia/maemo patches to that would require almost the same time.
For sure latest CVE 2014-0224 is really a pain for every mobile device using a vpn.
ref: http://www.openssl.org/news/secadv_20140605.txt
So also CVE 2014 0195/221/3470 affect the N900's openssl current version.

After this, we should expect many openssl updates in the next months since actually there is a massive bug hunting..

[freemangordon]

Quote:

Originally Posted by xes

@fremangordon
maybe that rebase on 0.9.8za and apply nokia/maemo patches to that would require almost the same time.

No, as it will break the ABI, the version in CSSU is the latest that don't break it.

So, if someone finds the relevant patches/commits, I'll backport them in CSSU