* [Edbrowse-dev] freak attack
From: Karl Dahlke
Date: 2015-03-05 16:10 UTC
To: Edbrowse-dev

I also get the ssl connect error, and that's probably a good thing.
Perhaps the site cannot downshift the encryption to a weak level.

Karl Dahlke
* Re: [Edbrowse-dev] freak attack
From: Adam Thompson
Date: 2015-03-06 20:28 UTC
To: Karl Dahlke; Cc: Edbrowse-dev

On Thu, Mar 05, 2015 at 11:10:24AM -0500, Karl Dahlke wrote:
> I also get the ssl connect error, and that's probably a good thing.
> Perhaps the site cannot downshift the encryption to a weak level.

I'm not sure about the test site, but from the looks of things I think
if you upgrade your openssl library you'll be fine. From what I've seen
of openssl, in general you should be updating this fairly regularly
anyway.

Cheers,
Adam.

[-- Attachment: Digital signature, application/pgp-signature --]
* Re: [Edbrowse-dev] freak attack
From: Chris Brannon
Date: 2015-03-06 21:32 UTC
To: Edbrowse-dev

Adam Thompson <arthompson1990@gmail.com> writes:
> I'm not sure about the test site, but from the looks of things I think if you
> upgrade your openssl library you'll be fine.

Ok, here's the message I sent to Karl yesterday:

<quote>
Well, the freakattack.com site now has a test that doesn't rely on
JavaScript. Try fetching the page
https://cve.freakattack.com/
If it loads without errors, then your client is vulnerable, and the
response is a plain text message saying "vulnerable".
On my main machine, there is an error when I try to connect.
It looks like this:

SSL connect error in libcurl:
error:1408D0F4:SSL routines:ssl3_get_key_exchange:unexpected message

However, the statically-linked edbrowse binaries are vulnerable.
It's been a few months since I've rebuilt them, so I need to refresh all
the packages on the virtual build machines and rebuild them.
For now, I've just pulled them from the site.
</quote>

I rebuilt and re-uploaded new static binaries after sending that,
so anyone who is using them needs to get the new ones ASAP.

As for the rest of us, all we need to do is make sure our libraries are
all up to date and free of issues.

-- 
Chris
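The libcurl error Chris quotes above is the fixed OpenSSL refusing the message the FREAK test server sends: an RSA ServerKeyExchange carrying a 512-bit temporary key in a cipher suite that is not an RSA_EXPORT suite. A vulnerable client accepts that message and encrypts the premaster secret to the weak key; a patched client treats it as an unexpected message. The Python below is an added example written for this page, not code from edbrowse, libcurl or OpenSSL. It models that check on a constructed ServerKeyExchange: the handshake header and ServerRSAParams layout follow the TLS specification, the signature that follows the params on the wire is left out, and the 512-bit modulus is a made-up byte string rather than a real key.

```python
# Added example (not edbrowse/OpenSSL code): model of the client-side rule
# behind "ssl3_get_key_exchange:unexpected message". The modulus below is a
# constructed byte string, not a real RSA key, and the signature that follows
# ServerRSAParams on the wire is not modelled.
import struct
from dataclasses import dataclass

HANDSHAKE_SERVER_KEY_EXCHANGE = 12

# Cipher suite ids from the TLS registry.
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F        # ordinary RSA key exchange
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003      # 40-bit export suite
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008   # 40-bit export suite
RSA_EXPORT_SUITES = {TLS_RSA_EXPORT_WITH_RC4_40_MD5,
                     TLS_RSA_EXPORT_WITH_DES40_CBC_SHA}

# Constructed 512-bit modulus (top bit set so bit_length() is exactly 512).
SAMPLE_512BIT_MODULUS = b"\x80" + b"\x5a" * 63
SAMPLE_EXPONENT = b"\x01\x00\x01"            # 65537


def build_rsa_server_key_exchange(modulus: bytes, exponent: bytes) -> bytes:
    """type(1) | length(3) | rsa_modulus<1..2^16-1> | rsa_exponent<1..2^16-1>"""
    body = (struct.pack("!H", len(modulus)) + modulus +
            struct.pack("!H", len(exponent)) + exponent)
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


@dataclass
class RsaParams:
    modulus_bits: int
    exponent: int


def parse_rsa_server_key_exchange(msg: bytes) -> RsaParams:
    """Parse ServerRSAParams, refusing mistyped or truncated messages."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    off = 0
    fields = []
    for _ in range(2):                       # modulus, then exponent
        if off + 2 > len(body):
            raise ValueError("truncated ServerRSAParams")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError("bad ServerRSAParams length")
        fields.append(body[off:off + n])
        off += n
    # Any remaining bytes would be the server's signature; not checked here.
    modulus, exponent = fields
    return RsaParams(int.from_bytes(modulus, "big").bit_length(),
                     int.from_bytes(exponent, "big"))


def vulnerable_client_verdict(cipher_suite: int, msg: bytes) -> str:
    """Pre-fix behaviour: any well-formed RSA ServerKeyExchange is used, so a
    non-export negotiation is silently downgraded to the 512-bit temporary key
    and the premaster secret gets encrypted to it."""
    parse_rsa_server_key_exchange(msg)
    return "accept"


def fixed_client_verdict(cipher_suite: int, msg: bytes) -> str:
    """Patched behaviour: an RSA ServerKeyExchange is only legitimate in an
    RSA_EXPORT suite; anywhere else it is an unexpected message. In an export
    suite the temporary key must also be no larger than 512 bits."""
    params = parse_rsa_server_key_exchange(msg)
    if cipher_suite not in RSA_EXPORT_SUITES:
        return "unexpected message"
    if params.modulus_bits > 512:
        return "export key too large"
    return "accept"


if __name__ == "__main__":
    ske = build_rsa_server_key_exchange(SAMPLE_512BIT_MODULUS, SAMPLE_EXPONENT)
    for name, suite in (("RSA_WITH_AES_128_CBC_SHA", TLS_RSA_WITH_AES_128_CBC_SHA),
                        ("RSA_EXPORT_WITH_RC4_40_MD5", TLS_RSA_EXPORT_WITH_RC4_40_MD5)):
        print(name, "vulnerable:", vulnerable_client_verdict(suite, ske),
              "fixed:", fixed_client_verdict(suite, ske))
```

Note that the fixed rule only helps when the client did not offer an export suite in the first place: in an RSA_EXPORT suite the 512-bit key is legitimate and still accepted, so removing the export suites from the client's cipher list (or, as Adam says, running a current library where they are already disabled) is the complementary half of the fix.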
* Re: [Edbrowse-dev] freak attack
From: Adam Thompson
Date: 2015-03-09 22:44 UTC
To: Chris Brannon; Cc: Edbrowse-dev

On Fri, Mar 06, 2015 at 01:32:58PM -0800, Chris Brannon wrote:
> Adam Thompson <arthompson1990@gmail.com> writes:
>
> > I'm not sure about the test site, but from the looks of things I think if you
> > upgrade your openssl library you'll be fine.
>
> Ok, here's the message I sent to Karl yesterday:
>
> <quote>
> Well, the freakattack.com site now has a test that doesn't rely on
> JavaScript. Try fetching the page
> https://cve.freakattack.com/
> If it loads without errors, then your client is vulnerable, and the
> response is a plain text message saying "vulnerable".
> On my main machine, there is an error when I try to connect.
> It looks like this:
>
> SSL connect error in libcurl:
> error:1408D0F4:SSL routines:ssl3_get_key_exchange:unexpected message
>
> However, the statically-linked edbrowse binaries are vulnerable.
> It's been a few months since I've rebuilt them, so I need to refresh all
> the packages on the virtual build machines and rebuild them.
> For now, I've just pulled them from the site.
> </quote>
>
> I rebuilt and re-uploaded new static binaries after sending that,
> so anyone who is using them needs to get the new ones ASAP.
>
> As for the rest of us, all we need to do is make sure our libraries are
> all up to date and free of issues.

Thanks for being so on top of this issue. Given the nature of Edbrowse
and the current security climate, I wonder if we need an automated
system to rebuild these if we don't have one already?

Cheers,
Adam.

[-- Attachment: Digital signature, application/pgp-signature --]
* Re: [Edbrowse-dev] freak attack
From: Chris Brannon
Date: 2015-03-11 12:58 UTC
To: Edbrowse-dev

Adam Thompson <arthompson1990@gmail.com> writes:
> I wonder if we need an automated system to rebuild these if we don't have one
> already?

Well, we definitely don't have one already. Here's what I do.

I have a couple of qemu hard disk images of Alpine Linux: one for i686
and one for x86_64. Alpine doesn't package a static readline library,
and in fact, I don't think there's a clean way to build it in their
ports system. But I'm a persistent fellow; I made static readline build
for me. I also had to build Spidermonkey from source. So that's my
infrastructure. I have a slightly customized makefile for building the
static binaries, since the linker invocation requires that I specify a
bunch of additional libraries that are pulled in automatically when
linking dynamically.

So now it's basically a matter of:
1. Booting my virtual machines,
2. Ensuring that their system libraries are all up to date,
3. Building edbrowse and tarring up the resultant binaries [1]
4. Copying them to my development machine
5. Signing the tar files with gpg
6. Uploading them to my web server.

Most of that can be automated, with the possible exception of step 2.
Is it worth the trouble? Maybe not right now. But it's definitely worth
the 10 minutes it took me to document it, because if I get hit by a bus
or something, you guys can recreate my process if you want.

-- 
Chris