Applying security patches to 0.9.8a


Applying security patches to 0.9.8a

Rob Marshall
Hi,

I have an application that runs on an old OS that currently has
OpenSSL 0.9.8a installed and many binaries dependent on
libssl.so.0.9.8. Would it be possible to get the recent (it looks like
0.9.8a is pretty old) security patches and apply them to create an
updated 0.9.8a?

Thanks,

Rob
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Applying security patches to 0.9.8a

Dennis Clarke-2
On 17/04/18 05:34 PM, Rob Marshall wrote:
> Hi,
>
> I have an application that runs on an old OS ...

I hate to be "that guy" and ask the dumb question, but what OS is this
and are you able to re-compile and re-link the application?


Dennis

Re: Applying security patches to 0.9.8a

OpenSSL - User mailing list
In reply to this post by Rob Marshall
> I have an application that runs on an old OS that currently has
> OpenSSL 0.9.8a

So you should be able to compile and install the last 0.9.8 release, https://www.openssl.org/source/old/0.9.x/openssl-0.9.8zc.tar.gz  Note that this is more than two years old.  Many fixes have happened since then.
 
Good luck.


Re: Applying security patches to 0.9.8a

Rob Marshall
Hi,

The OS is SLES 10 SP3 and there are currently close to 80 binaries
that appear to use libssl.so.0.9.8. They are from a bunch of different
packages, so I would imagine that updating to anything more recent
than 0.9.8 would be a major hassle and possibly not even possible.

I did find openssl-0.9.8zh.tar.gz which was last modified in 2015
which is way better than 0.9.8a which hasn't been touched since 2005.
I'm trying to install 0.9.8zh now to see if that works.

But I know someone is going to ask: Can you apply all of the newer
security fixes to 0.9.8zh? So I'll ask...can I?

Thanks,

Rob


Re: Applying security patches to 0.9.8a

Matt Caswell-2


On 17/04/18 23:36, Rob Marshall wrote:

> Hi,
>
> The OS is SLES 10 SP3 and there are currently close to 80 binaries
> that appear to use libssl.so.0.9.8. They are from a bunch of different
> packages, so I would imagine that updating to anything more recent
> than 0.9.8 would be a major hassle and possibly not even possible.
>
> I did find openssl-0.9.8zh.tar.gz which was last modified in 2015
> which is way better than 0.9.8a which hasn't been touched since 2005.
> I'm trying to install 0.9.8zh now to see if that works.
>
> But I know someone is going to ask: Can you apply all of the newer
> security fixes to 0.9.8zh? So I'll ask...can I?

Quick answer:

No

Longer answer:

You would have to analyse all of the security issues that have occurred
between the final release of 0.9.8 and the most up to date release of
1.0.2 (the oldest currently supported release). For each one you would
have to determine whether it is applicable to the 0.9.8 release and
then, if it is, backport it, which is likely to mean making a number of
changes to the patch. You're only going to be protected for that
security issue if you manage it without screwing up somewhere.

This is a *huge* amount of work. Do-able in theory. In practice - don't
bother.


Matt


Re: Applying security patches to 0.9.8a

Dennis Clarke-2
In reply to this post by Rob Marshall
On 17/04/18 06:36 PM, Rob Marshall wrote:

> Hi,
>
> The OS is SLES 10 SP3 and there are currently close to 80 binaries
> that appear to use libssl.so.0.9.8. They are from a bunch of different
> packages, so I would imagine that updating to anything more recent
> than 0.9.8 would be a major hassle and possibly not even possible.
>
> I did find openssl-0.9.8zh.tar.gz which was last modified in 2015
> which is way better than 0.9.8a which hasn't been touched since 2005.
> I'm trying to install 0.9.8zh now to see if that works.
>
> But I know someone is going to ask: Can you apply all of the newer
> security fixes to 0.9.8zh? So I'll ask...can I?
>

The ABI is very stable.  You would do well to build the latest openssl
as Rich Salz says.  The dates on this page are a mess but you need the
latest :  https://www.openssl.org/source/old/0.9.x/

So build it into a user home directory like $HOME/local and then set
your LD_LIBRARY_PATH to point to that new lib dir and test your apps
against it.  There should be a major issue.

If all goes well, as it should, just build the libs into /usr/local/ssl
and test your apps again.

If that goes well ... you could backup your old libs and symlink in the
new ones you just built.

Just an idea.  Not perfect.

Dennis
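The two practical steps in this thread, Rob's inventory of the roughly 80 binaries that link libssl.so.0.9.8 and Dennis's "stage in $HOME/local, point LD_LIBRARY_PATH at it, test, then promote" procedure, written out as an added shell example. This is not code from the thread or from the OpenSSL project. It assumes the 0.9.8zh source is unpacked at a path you pass in, a staging prefix of $HOME/local, and that objdump (binutils) and ldd are present on the SLES 10 host; the /home/rob/local and /usr/lib64 paths in the sample ldd output are constructed for illustration. The `shared`, `--prefix` and `--openssldir` arguments to `./config` are real 0.9.8 options.

```shell
#!/bin/sh
# Added example for this thread, not openssl-users or OpenSSL project code.
# Assumptions: 0.9.8zh source tree at $1 of build_openssl_098, staging prefix
# $HOME/local, objdump and ldd available. Sample paths below are constructed.

PREFIX="${PREFIX:-$HOME/local}"

# Step 1: build 0.9.8zh as shared libraries into the staging prefix.
# Not executed by the checks further down; run it by hand on the host.
build_openssl_098() {
    src="$1"
    ( cd "$src" &&
      ./config shared --prefix="$PREFIX" --openssldir="$PREFIX/ssl" &&
      make && make test && make install )
}

# Step 2: list executables under the given directories whose ELF headers declare
# a NEEDED dependency on libssl.so.0.9.8. objdump only reads the file, so it is
# safe on binaries you do not trust; ldd may run the binary's loader, so it is
# reserved for the resolution check below on binaries you already trust.
inventory_libssl_users() {
    for d in "$@"; do
        find "$d" -type f -perm -u+x 2>/dev/null
    done | while read -r f; do
        if objdump -p "$f" 2>/dev/null | grep -q 'NEEDED.*libssl\.so\.0\.9\.8'; then
            printf '%s\n' "$f"
        fi
    done
}

# From ldd output on stdin, print "<soname> <resolved path>" for the OpenSSL
# libraries only (lines without a resolved path, e.g. the vDSO, are dropped).
extract_ssl_deps() {
    awk '/lib(ssl|crypto)\.so.* => \// { sub(/^[ \t]+/, ""); print $1, $3 }'
}

# Exit 0 only if every libssl/libcrypto line in the ldd output on stdin resolves
# under the given prefix, i.e. the staged 0.9.8zh rather than the system 0.9.8a.
# No OpenSSL lines at all also counts as failure: nothing was actually checked.
resolves_under_prefix() {
    prefix="$1"
    extract_ssl_deps | awk -v p="$prefix" '
        { n++; if (index($2, p "/") != 1) bad++ }
        END { exit ((n == 0 || bad > 0) ? 1 : 0) }'
}

# Step 3: run one binary against the staged libraries, refusing to start it if
# the loader would still pick up the old system copy. That happens silently for
# setuid binaries and for binaries with a DT_RPATH, which both override
# LD_LIBRARY_PATH, and would make a "successful" test meaningless.
test_with_staged_libs() {
    bin="$1"; shift
    staged="$PREFIX/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    LD_LIBRARY_PATH="$staged" ldd "$bin" | resolves_under_prefix "$PREFIX" || {
        echo "$bin would not resolve libssl/libcrypto from $PREFIX" >&2
        return 1
    }
    LD_LIBRARY_PATH="$staged" "$bin" "$@"
}

# Constructed ldd output so the checks can be exercised without a SLES 10 host.
sample_ldd_staged() {
    printf '%s\n' \
        '    linux-vdso.so.1 =>  (0x00007fff6a1ff000)' \
        '    libssl.so.0.9.8 => /home/rob/local/lib/libssl.so.0.9.8 (0x00007f0c2d2a0000)' \
        '    libcrypto.so.0.9.8 => /home/rob/local/lib/libcrypto.so.0.9.8 (0x00007f0c2cf00000)' \
        '    libc.so.6 => /lib64/libc.so.6 (0x00007f0c2cb60000)'
}
sample_ldd_system() {
    printf '%s\n' \
        '    libssl.so.0.9.8 => /usr/lib64/libssl.so.0.9.8 (0x00007f0c2d2a0000)' \
        '    libcrypto.so.0.9.8 => /usr/lib64/libcrypto.so.0.9.8 (0x00007f0c2cf00000)' \
        '    libc.so.6 => /lib64/libc.so.6 (0x00007f0c2cb60000)'
}
```

Typical use on the host: `inventory_libssl_users /usr/bin /usr/sbin /opt > users.txt` to get the list Rob estimated at around 80, then `test_with_staged_libs /usr/bin/some-client --version` for each one that matters. Only after those runs pass does it make sense to take Dennis's final step of backing up the system libssl.so.0.9.8/libcrypto.so.0.9.8 and symlinking the new ones in; because the soname does not change within 0.9.8, the 80 binaries pick up the replacement without relinking, which is also why a wrong or broken build would affect all of them at once.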

Re: Applying security patches to 0.9.8a

OpenSSL - User mailing list
In reply to this post by Rob Marshall
> But I know someone is going to ask: Can you apply all of the newer
> security fixes to 0.9.8zh? So I'll ask...can I?
 
The project stopped supporting 0.9.8 2+ years ago, and announced its plans 3+ years ago.  Backporting fixes from 1.0.2 should be possible, but won't always be easy.

It might be worth contacting your vendor.



Re: Applying security patches to 0.9.8a

Matěj Cepl
In reply to this post by Rob Marshall
On 2018-04-17, 22:36 GMT, Rob Marshall wrote:
> The OS is SLES 10 SP3 and there are currently close to 80
> binaries that appear to use libssl.so.0.9.8.

Whoever decided this platform was a good idea was, in my opinion,
wrong. https://en.wikipedia.org/wiki/SUSE_Linux_Enterprise tells
me that a) there was SP4 … why in the world would you not
install that?, b) it was released April 2011, and all support of
SLES 10 ceased on 2016-03-30.

Such a system is either so disconnected from everything that
patching OpenSSL doesn't matter, or patching just OpenSSL (if it
was possible at all) doesn't make much difference.

Matěj
--
https://matej.ceplovi.cz/blog/, Jabber: [hidden email]
GPG Finger: 3C76 A027 CA45 AD70 98B5  BC1D 7920 5802 880B C9D8
 
You either die a hero or you live long enough to see yourself
become the villain.
  -- Harvey Dent in The Dark Knight


Re: Applying security patches to 0.9.8a

Vitezslav Cizek
In reply to this post by Rob Marshall
Hi,

On Tue, 17 Apr 2018 18:36:09 -0400
"Rob Marshall" <[hidden email]> wrote:

> The OS is SLES 10 SP3 and there are currently close to 80 binaries
> that appear to use libssl.so.0.9.8. They are from a bunch of different
> packages, so I would imagine that updating to anything more recent
> than 0.9.8 would be a major hassle and possibly not even possible.
>
> I did find openssl-0.9.8zh.tar.gz which was last modified in 2015
> which is way better than 0.9.8a which hasn't been touched since 2005.
> I'm trying to install 0.9.8zh now to see if that works.
>
> But I know someone is going to ask: Can you apply all of the newer
> security fixes to 0.9.8zh? So I'll ask...can I?

Of course you can.
But all the patches will fail to apply automatically, at least because
of the recent source code reformat. You'll have to do it by hand.

The good news is that most of the security vulnerabilities wouldn't
affect 0.9.8a. Many were introduced in the newer functionality, such as
elliptic curves, DTLS or new asm implementations.

Btw, SUSE is still maintaining SLE-10 (and backporting all the
security fixes) for some customers.
If you have access to the support channels, perhaps you can ask them.

--
Vítězslav Čížek             Emergency Update Team (EMU)
"Whilst you sleep, we're probably saving the universe."