Polynomial-C
Developer
Joined: 01 Jun 2003
Posts: 1428
Location: germany

Posted: Tue Mar 01, 2016 10:45 pm
Post subject: Attention! dev-libs/openssl-1.0.2g breaks ABI!



Hi dear Gentoo people,

today I bumped openssl-1.0.2g into portage without noticing that they changed their ABI in a release that was announced as security update.

This bump breaks nearly all consumers of the libssl.so library (see bug 576128).

In case you still haven't updated to openssl-1.0.2g yet, simply prepare wget to not break:

Code: USE="gnutls" emerge -1v wget

Then upgrade openssl and proceed with the steps mentioned below (skip the wget part). Once all packages have been fixed again, recompile wget to link against openssl again.

In case you have already upgraded to openssl-1.0.2g and have broken packages, don't panic! This can be fixed.



First of all, in case net-misc/wget is broken for you and you need to download the source tarball in order to recompile wget you can try "busybox wget" instead:

Code: FETCHCOMMAND="/bin/busybox wget -O \"\${DISTDIR}/\${FILE}\" \"\${URI}\"" emerge -1v wget

In case you get a bad address error message from busybox' wget and you still have access to a webbrowser, simply download the required wget source tarball from the GNU FTP server and place it in your DISTDIR (usually /usr/portage/distfiles).

Once your wget binary is no longer broken, install the app-portage/gentoolkit package:

Code: emerge -1nv gentoolkit

Now you have the required tool to fix the remaining broken packages:

Code: revdep-rebuild.sh -i -L "libssl\.so.*" -- --exclude=openssl --keep-going

Watch carefully for packages that fail during compilation. Sometimes the ordering of the packages is wrong and then packages get recompiled that have dependencies which are still broken. In this case try to re-emerge such packages once the revdep-rebuild command has finished.

As a last step you should run

Code: revdep-rebuild.sh -i -u -- --keep-going

as the previous revdep-rebuild command might not pick up every libssl consumer (don't ask me why). This command most likely will print false positives or reports undefined symbols not related to the openssl update. Just let it run and again watch for failed packages.

Please let me know if this guide is helpful to you.

[edit]Added preparation steps (thanks tamiko)[/edit]
[edit]Added revdep-rebuild search for undefined symbols[/edit]

Stuck. -- desultory
Unstuck 2018-09-25, --kallamej

_________________
The manual said "Requires Windows10 or better" so I installed GNU/Linux...
my portage overlay
Need a stage1 tarball ? (Unofficial builds)
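The two revdep-rebuild searches in the post above (consumers of libssl.so, then undefined symbols) come down to reading DT_NEEDED entries and `ldd -r` output. The following POSIX sh script is an added example, not code from the thread or from gentoolkit; it does the same two checks, and the function names, the symbol filter and the sample output lines are assumptions constructed for it.

```shell
#!/bin/sh
# Added example, not code from the thread or from gentoolkit: a small imitation of
# the two revdep-rebuild searches in the first post (-L "libssl\.so.*" for consumers
# of libssl, -u for undefined symbols), built on `readelf -d` and `ldd -r` output.
# Assumes a glibc system (ldd -r, readelf) and a POSIX sh with awk and grep.

# Print the DT_NEEDED sonames found in `readelf -d` output read from stdin.
needed_sonames() {
    awk '/\(NEEDED\)/ { s = $NF; gsub(/\[|\]/, "", s); print s }'
}

# Exit 0 if the `readelf -d` output on stdin names a libssl or libcrypto soname,
# i.e. the binary is a consumer that the -L search would pick up.
links_openssl() {
    needed_sonames | grep -Eq '^lib(ssl|crypto)\.so'
}

# Turn `ldd -r` output on stdin into one line per problem:
#   "missing <soname>"  a NEEDED library could not be found
#   "undef <symbol>"    a symbol stays unresolved when relocations are applied
# Returns 1 if any problem was found, else 0.
ldd_problems() {
    awk 'BEGIN { bad = 0 }
         /=> not found/      { print "missing " $1; bad = 1 }
         /undefined symbol:/ { print "undef " $3;   bad = 1 }
         END                 { exit bad }'
}

# Keep only problems that plausibly stem from the openssl update; the rest are the
# false positives the first post warns about after revdep-rebuild -u (assumed prefixes).
openssl_related() {
    grep -E '^missing lib(ssl|crypto)\.so|^undef (SSL|ssl|TLS|OPENSSL_|EVP_|BIO_|X509_|CRYPTO_|ERR_)' || true
}

# Check a real file: ldd -r resolves every symbol up front, so unresolved ones
# are reported without running the program itself.
check_binary() {
    ldd -r "$1" 2>/dev/null | ldd_problems
}

# Constructed sample (not captured from a real system): ldd -r output for a wget built
# against openssl-1.0.2f and run after the 1.0.2g upgrade, where libssl.so.1.0.0 still
# exists but no longer exports the SSLv2 entry points.
sample_ldd_output() {
    printf '\tlinux-vdso.so.1 (0x00007ffd3b5f1000)\n'
    printf '\tlibssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f0c2a400000)\n'
    printf 'undefined symbol: SSLv2_client_method\t(./wget)\n'
    printf 'undefined symbol: gnutls_init\t(./wget)\n'
}
sample_ldd_output | ldd_problems | openssl_related
```

On a real system, `check_binary /usr/bin/wget | openssl_related` reports the openssl-related breakage for one binary; the gnutls_init line in the sample shows the kind of unrelated hit the filter drops.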

krinn
Watchman
Joined: 02 May 2003
Posts: 7447

Posted: Wed Mar 02, 2016 3:06 pm

Polynomial-C,

- wouldn't it be just easier to package current wget in order to restore it easily? <quickpkg wget>

- and the whole process could be made without need to rebuild wget twice: <emerge --update --newuse --deep --with-bdeps=y --fetchonly @world> will download everything, next to that, you don't need wget if packages sources are already present when updating for real.

Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6687

Posted: Wed Mar 02, 2016 6:23 pm

Might be a good idea to add "net-misc/curl CURL_SSL: -* gnutls" to a package.use file too, otherwise it uses openssl by default.



I have a policy of disabling/replacing openssl where possible already. Unfortunately there's still a huge amount of packages that won't work at all without this radioactive waste present...

Dr.Willy
Guru
Joined: 15 Jul 2007
Posts: 518
Location: NRW, Germany

Posted: Wed Mar 02, 2016 11:08 pm

What makes you think that gnutls is better in any way, shape or form?

tnt
Veteran
Joined: 27 Feb 2004
Posts: 1182

Posted: Thu Mar 03, 2016 11:14 am

worked for me.

thx!

_________________
gentoo user

Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6687

Posted: Thu Mar 03, 2016 5:38 pm

Dr.Willy wrote: What makes you think that gnutls is better in any way, shape or form?

The existence of this thread?

tnt
Veteran
Joined: 27 Feb 2004
Posts: 1182

Posted: Thu Mar 03, 2016 9:26 pm

Ant P. wrote: Dr.Willy wrote: What makes you think that gnutls is better in any way, shape or form?

The existence of this thread?

good one!

_________________
gentoo user

antonlacon
Apprentice
Joined: 27 Jun 2004
Posts: 255

Posted: Thu Mar 03, 2016 10:18 pm

Revdep-rebuild step for undefined symbols is using unstable gentoolkit?

Code:
# revdep-rebuild -i -u

Encountered unrecognized option -u.

revdep-rebuild no longer automatically passes unrecognized options to portage.
Separate emerge-only options from revdep-rebuild options with the -- flag.

For example, revdep-rebuild -v -- --ask

See the man page or revdep-rebuild -h for more detail.

Code:
# emerge -pv gentoolkit

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild R ] app-portage/gentoolkit-0.3.0.9-r2::gentoo PYTHON_TARGETS="python2_7 python3_4 (-pypy) -python3_3"

depontius
Advocate
Joined: 05 May 2004
Posts: 3446

Posted: Thu Mar 03, 2016 11:51 pm

tnt wrote: Ant P. wrote: Dr.Willy wrote: What makes you think that gnutls is better in any way, shape or form?

The existence of this thread?

good one!

What to think, what to think.... One quick simple search, top hits:

http://www.zdnet.com/article/gnutls-big-internal-bugs-few-real-world-problems/
http://resources.infosecinstitute.com/vulnerabilities-openssl-gnutls-earthquake-internet-encryption/
https://www.quora.com/How-does-one-decide-between-OpenSSL-GnuTLS-and-Mozillas-NSS
http://stackoverflow.com/questions/7008597/securing-udp-openssl-or-gnutls-or
http://www.pcworld.com/article/2105145/what-you-need-to-know-about-the-gnutls-linux-bug.html
https://news.ycombinator.com/item?id=7347500

Much of this, especially with respect to gnutls, is old. The newest revelations are about openssl, but some of the problems with gnutls appear to be at the ABI level, not simply an implementation issue.

_________________
.sigs waste space and bandwidth

Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6687

Posted: Fri Mar 04, 2016 1:02 am

Note that I very deliberately didn't say anything about gnutls up there other than mentioning it's an option. Both libs suck (unavoidably, because they're implementations of the horrifically brain-damaged X509/SSL/TLS/CA stack), but you can't deny that OpenSSL in particular is most infamous for its black-hole-like properties.

Tony0945
Advocate
Joined: 25 Jul 2006
Posts: 3994
Location: Illinois, USA

Posted: Fri Mar 04, 2016 1:57 pm

Many thanks! I took the easier step of adding >=dev-libs/openssl-1.0.2g to /usr/portage/package.mask/badapps

limn
l33t
Joined: 13 May 2005
Posts: 997

Posted: Fri Mar 04, 2016 3:40 pm

Thank you ccache.

Steffen
Apprentice
Joined: 14 Jul 2002
Posts: 159

Posted: Sat Mar 05, 2016 5:59 am

On my stable amd64 system, I've unmasked openssl-1.0.2g-r2 which seems to be OpenSSL 1.0.2g with re-enabled SSLv2 and thus avoids the ABI break. However, you then have to carefully disable SSLv2 (and while you're at it: SSLv3) in all daemons.



Until the Gentoo developers decide how to handle this situation, I think this is better than continuing to use OpenSSL 1.0.2f.

Dr.Willy
Guru
Joined: 15 Jul 2007
Posts: 518
Location: NRW, Germany

Posted: Sat Mar 05, 2016 2:16 pm

Ant P. wrote: Note that I very deliberately didn't say anything about gnutls up there other than mentioning it's an option.

Well yes, you did.

You explicitly said it "might be a good idea to" use gnutls over openssl. Which it is not, because both are a pile of poo. But with gnutls you at least have the option to stay away from it, because almost no packages use it - and it is wise to keep it that way.

Look at the options for CURL_SSL again - and tell me which ones you would actually recommend.

Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6687

Posted: Sat Mar 05, 2016 5:37 pm

If it was a practical choice, I'd rather USE="-ssl"... failing that, I'm waiting for the day I can start using libressl.



And until then, I'll just settle for avoiding the lib where the hardest part of finding an exploit seems to be coming up with a catchy logo and domain name for it.

khayyam
Watchman
Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

Posted: Sat Mar 05, 2016 8:24 pm

Ant P. wrote: And until then, I'll just settle for avoiding the lib where the hardest part of finding an exploit seems to be coming up with a catchy logo and domain name for it.

Ant ... I don't know, you also have to think up a suitable name, and choosing between 'sslop', 'sslam' and 'sslut' isn't *that* easy ;)



best ... khay

lutel
Tux's lil' helper
Joined: 19 Oct 2003
Posts: 95
Location: Pomroczna

Posted: Thu Nov 09, 2017 10:21 pm

This thread is more than a year old, dev-libs/openssl-1.0.2m is stable in tree, we should rather move to openssl 1.1.0.

Hu
Moderator
Joined: 06 Mar 2007
Posts: 15809

Posted: Fri Nov 10, 2017 2:25 am

This thread was more than a year old, so why wake it up to make a comment that is not relevant to the original thread? Also, note that openssl-1.1.x is currently both unstable and hard-masked, both for good reason, so many people are not even offered that update.