Sabnzbd SSL Heartbleed Bug?
Posted: April 8th, 2014, 5:03 pm
by sirjaymz
Does Sabnzbd use any part of the Open SSL source to provide the "security" in the server connection setup location, with SSL connectivity?
Heartbleed bug will need to be fixed.
http://heartbleed.com/
Re: Sabnzbd SSL Heartbleed Bug?
Posted: April 9th, 2014, 1:46 am
by shypike
We're using fairly old libraries for the binaries, which do not have this bug.
If you have seen otherwise, please report.
If you're running a Linux package or from source, it depends on which OpenSSL libraries you installed.
Re: Sabnzbd SSL Heartbleed Bug?
Posted: April 9th, 2014, 3:10 am
by jcfp
As shypike said: the sabnzbd "source" release relies on the operating system for openssl support. Note that you're also using this if you installed a package for any Linux/Unix-based operating system (which includes most types of NAS), as these are all based on the source releases. Look for an updated and/or patched openssl version supplied by the OS/vendor and install that. Major distributions have already published such updates as part of their normal security fixes.
After updating, don't forget to restart every program or service that uses SSL (or simply reboot if unsure)!
Re: Sabnzbd SSL Heartbleed Bug?
Posted: June 16th, 2014, 1:41 pm
by oeskmtl
The latest Windows version uses OpenSSL 0.9.8l, which has 21 vulnerabilities, even if you do not count the latest vulnerabilities from a few weeks ago:
https://www.openssl.org/news/secadv_20140605.txt
https://www.openssl.org/news/openssl-0.9.8-notes.html
If you don't want to upgrade to the 1.0.0 or 1.0.1 branches, please at least update to the latest 0.9.8za version.
Re: Sabnzbd SSL Heartbleed Bug?
Posted: June 16th, 2014, 2:55 pm
by shypike
We're looking at this.
Re: Sabnzbd SSL Heartbleed Bug?
Posted: June 16th, 2014, 4:30 pm
by oeskmtl
Thanks

Re: Sabnzbd SSL Heartbleed Bug?
Posted: July 1st, 2014, 8:41 am
by zoggy
use python 2.7.7, it comes with a much newer version of openssl.
Code:
>python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
> C:\Python27\DLLs\_ssl.pyd OpenSSL 1.0.1g 7 Apr 2014
Re: Sabnzbd SSL Heartbleed Bug?
Posted: July 1st, 2014, 12:23 pm
by sander
zoggy wrote: use python 2.7.7, it comes with a much newer version of openssl.
Code:
>python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
> C:\Python27\DLLs\_ssl.pyd OpenSSL 1.0.1g 7 Apr 2014
On my Ubuntu 14.04 laptop I get:
Code:
$ python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
/usr/lib/python2.7/lib-dynload/_ssl.x86_64-linux-gnu.so OpenSSL 1.0.1f 6 Jan 2014
sander@flappie:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04 LTS
Release: 14.04
Codename: trusty
"OpenSSL 1.0.1f 6 Jan 2014", so this system is not up to date?
On my Ubuntu 12.04 system, successfully running SABnzbd:
Code:
$ python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
Traceback (most recent call last):
File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute '__file__'
sander@haring:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.4 LTS
Release: 12.04
Codename: precise
>>> print _ssl.OPENSSL_VERSION
OpenSSL 1.0.1 14 Mar 2012
So this is very old?
Furthermore:
In the SAB source code, I see "from OpenSSL import SSL". Does that mean SAB imports another version?
FWIW:
Code:
>>> from OpenSSL import SSL
>>> print SSL.OPENSSL_VERSION_NUMBER
268439663
Re: Sabnzbd SSL Heartbleed Bug?
Posted: July 1st, 2014, 2:22 pm
by shypike
Switching over to Python 2.7 on Windows has many consequences.
One is that an essential VisualStudio DLL is missing on many Windows systems, but that's fixable.
Another is the very reason I never upgraded: there's a serious memory leak in Windows Python 2.7.
I will have to examine this again.
This probably means that there will be no upgrade to Python 2.7 before 0.8.0
The OSX builds use the latest Python that works for the version of the OS.
For other platforms it's determined by the package builder.
Re: Sabnzbd SSL Heartbleed Bug?
Posted: July 2nd, 2014, 12:39 am
by zoggy
python 2.5 and older did not have ssl natively supported.. you have to install a lib. for 2.6+ it's included (if the version you install was built with it)..
OpenSSL may be upgraded to more recent feature releases in Python 2.7 maintenance releases. On Linux and most other POSIX systems, the specific version of OpenSSL used already varies, as CPython dynamically links to the system provided OpenSSL library by default.
about the python 2.7.x ssl and related security updates:
http://legacy.python.org/dev/peps/pep-0466/
for the sb binaries i switched to 2.7.7 so people can benefit from the security fixes. The ssl included in python 2.6.x is so old it was pre-heartbleed... i honestly have not seen any memory leaks with python 2.7.x. shypike maybe you just need to load up dowser and check for what's causing it?
http://www.aminus.net/wiki/Dowser
also, you really should drop support for python 2.5.x that way you can just use native json, use timeouts for url calls, use libs like Requests, not have to deal with stupid hacks like 401 httperror / decimal rounding / etc. about 6-8 months ago i went on a quest to find any nas that was stuck on 2.5.. i was unable to find one. seems like everyone is definitely on 2.6 or 2.7 these days (or even 3.x).
Re: Sabnzbd SSL Heartbleed Bug?
Posted: July 2nd, 2014, 12:49 am
by zoggy
sander wrote: zoggy wrote: use python 2.7.7, it comes with a much newer version of openssl.
Code:
>python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
> C:\Python27\DLLs\_ssl.pyd OpenSSL 1.0.1g 7 Apr 2014
On my Ubuntu 14.04 laptop I get:
Code:
$ python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
/usr/lib/python2.7/lib-dynload/_ssl.x86_64-linux-gnu.so OpenSSL 1.0.1f 6 Jan 2014
sander@flappie:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04 LTS
Release: 14.04
Codename: trusty
"OpenSSL 1.0.1f 6 Jan 2014", so this system is not up to date?
On my Ubuntu 12.04 system, successfully running SABnzbd:
Code:
$ python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
Traceback (most recent call last):
File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute '__file__'
sander@haring:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.4 LTS
Release: 12.04
Codename: precise
>>> print _ssl.OPENSSL_VERSION
OpenSSL 1.0.1 14 Mar 2012
So this is very old?
Furthermore:
In the SAB source code, I see "from OpenSSL import SSL". Does that mean SAB imports another version?
FWIW:
Code:
>>> from OpenSSL import SSL
>>> print SSL.OPENSSL_VERSION_NUMBER
268439663
the openssl_version_number format:
MMNNFFPPS: major minor fix patch status
The status nibble has one of the values 0 for development, 1 to e for betas 1 to 14, and f for release.
fyi, openssl_version_number should be hex.. so
268439663 == 0x1000106F == 1.0.1 f
anyways if the ssl lib is statically linked..you need to update python.. if it's dynamically linked then just update ssl on the box (openssl).
Re: Sabnzbd SSL Heartbleed Bug?
Posted: July 2nd, 2014, 11:01 am
by sander
zoggy wrote:
anyways if the ssl lib is statically linked..you need to update python.. if its dynamically linked then just update ssl on the box (openssl).
Both are fully updated Ubuntu boxes. So that means Canonical/Ubuntu does not update python or ssl, or there is something wrong in my update settings.
Re: Sabnzbd SSL Heartbleed Bug?
Posted: July 2nd, 2014, 5:32 pm
by zoggy
sander wrote: zoggy wrote:
anyways if the ssl lib is statically linked..you need to update python.. if its dynamically linked then just update ssl on the box (openssl).
Both are fully updated Ubuntu boxes. So that means Canonical/Ubuntu does not update python or ssl, or there is something wrong in my update settings.
curious to know if you have the shipped version of ssl still.. paste the output of: sudo dpkg -l | grep ' openssl '
generally older versions of ubuntu don't get updates pushed out to the package manager unless something big happens,
per heartbleed.com, "OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable" so yes you need to be upgraded. usually you just need to do apt-get update / upgrade. if that doesn't work then purge and reinstall... and last resort.. upgrade manually.
tutorial of what to do:
http://askubuntu.com/questions/444702/h ... in-openssl
and if that doesn't work, refer to:
http://superuser.com/questions/740930/a ... st-version
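Decoding OPENSSL_VERSION_NUMBER the way zoggy lays it out above, and checking the result against the "1.0.1 through 1.0.1f (inclusive)" range he quotes from heartbleed.com, as an added example (Python 3; not code from the thread or from SABnzbd). The field widths follow the MMNNFFPPS layout packed into a 32-bit value, where the major field occupies a single hex digit; the function names and the range constants are my own. The range check is deliberately labelled a heuristic, since a distribution can backport the fix without changing the upstream version string.

```python
"""Decode OpenSSL's OPENSSL_VERSION_NUMBER (MMNNFFPPS, read as hex) and flag
values inside the range quoted in the thread: 1.0.1 through 1.0.1f inclusive.
Added example, not code from the SABnzbd project or from the forum post."""
try:
    import ssl  # gives the running interpreter's OPENSSL_VERSION_NUMBER
except ImportError:  # CPython built without OpenSSL support
    ssl = None

# Start and end of the range quoted from heartbleed.com: (major, minor, fix, patch)
RANGE_START = (1, 0, 1, 0)   # 1.0.1
RANGE_END = (1, 0, 1, 6)     # 1.0.1f (f is the 6th patch letter)


def decode_openssl_version(n):
    """Split the packed value into its fields. In the 32-bit value the major
    field is one hex digit, then two each for minor, fix and patch, and one
    nibble of status (0 = dev, 1..0xE = beta 1..14, 0xF = release)."""
    return {
        "major": (n >> 28) & 0xF,
        "minor": (n >> 20) & 0xFF,
        "fix": (n >> 12) & 0xFF,
        "patch": (n >> 4) & 0xFF,
        "status": n & 0xF,
    }


def version_string(n):
    """Render the fields as OpenSSL prints them, e.g. 0x1000106F -> '1.0.1f'."""
    v = decode_openssl_version(n)
    letter = ""
    if v["patch"]:
        # patch 1 -> 'a', 6 -> 'f'; values past 'z' are shown numerically
        letter = chr(ord("a") + v["patch"] - 1) if v["patch"] <= 26 else "+%d" % v["patch"]
    s = "%d.%d.%d%s" % (v["major"], v["minor"], v["fix"], letter)
    if v["status"] == 0:
        s += "-dev"
    elif v["status"] != 0xF:
        s += "-beta%d" % v["status"]
    return s


def in_heartbleed_range(n):
    """True when RANGE_START <= version <= RANGE_END by (major, minor, fix, patch).
    Heuristic only: a distro build reporting 1.0.1f may already carry a
    backported fix, so confirm against the package changelog, not this value."""
    v = decode_openssl_version(n)
    key = (v["major"], v["minor"], v["fix"], v["patch"])
    return RANGE_START <= key <= RANGE_END


def report(n):
    """One-line verdict for a packed version number."""
    return "OpenSSL %s (0x%08X): %s" % (
        version_string(n), n,
        "inside the quoted range, check your package changelog" if in_heartbleed_range(n)
        else "outside the quoted range",
    )


if __name__ == "__main__":
    # The value sander posted from pyOpenSSL: 268439663 == 0x1000106F == 1.0.1f
    print(report(268439663))
    if ssl is not None:
        print("running interpreter:", report(ssl.OPENSSL_VERSION_NUMBER))
```

Run it on the interpreter that actually serves SABnzbd (the `python` in its start script), since the thread shows two interpreters on one machine can link different OpenSSL builds.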
Re: Sabnzbd SSL Heartbleed Bug?
Posted: July 3rd, 2014, 6:57 am
by jcfp
Relax, updates in release-based distributions are typically done as (backported) minimum-change fixes to whatever came with the OS when it was released. See the "ubuntu changelog" linked from
http://packages.ubuntu.com/trusty/openssl or /usr/share/doc/<packagename>/changelog.Debian.gz on your own system. Only packages (such as sab) that are "community-supported" (i.e., in universe/multiverse rather than "main")
may require manual intervention for security fixes, because there's no guarantee somebody will take care of those.
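To act on jcfp's advice without reading the changelog by hand, here is an added example (Python 3, not from the thread or from any distribution tooling) that parses a Debian-format changelog such as /usr/share/doc/openssl/changelog.Debian.gz and lists the CVE ids mentioned in the installed package revision and every older entry. The changelog text embedded below is constructed for the demonstration, its maintainer address is a placeholder, and its CVE ids (CVE-0000-000x) are placeholders rather than real identifiers; only the version string 1.0.1f-1ubuntu2.4 is taken from the thread.

```python
"""List CVE ids covered by an installed Debian/Ubuntu package revision by reading
its changelog.Debian.gz. Added example; the sample changelog is constructed and
its CVE ids are placeholders, not real vulnerability identifiers."""
import gzip
import re
import sys

# Debian changelog entry header: "pkg (version) distribution; urgency=level"
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+); urgency=(\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in Debian changelog format (newest entry first).
SAMPLE_CHANGELOG = """\
openssl (1.0.1f-1ubuntu2.4) trusty-security; urgency=medium

  * SECURITY UPDATE: constructed entry
    - CVE-0000-0003

 -- Example Maintainer <maint@example.invalid>  Thu, 05 Jun 2014 10:00:00 +0000

openssl (1.0.1f-1ubuntu2.2) trusty-security; urgency=medium

  * SECURITY UPDATE: constructed entry
    - CVE-0000-0001
    - CVE-0000-0002

 -- Example Maintainer <maint@example.invalid>  Mon, 07 Apr 2014 10:00:00 +0000

openssl (1.0.1f-1ubuntu2) trusty; urgency=low

  * Merge from Debian unstable (constructed entry, no security content)

 -- Example Maintainer <maint@example.invalid>  Tue, 07 Jan 2014 10:00:00 +0000
"""


def parse_changelog(text):
    """Return entries newest-first as dicts with package, version, dist, body."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"package": m.group(1), "version": m.group(2),
                       "dist": m.group(3), "body": []}
            entries.append(current)
        elif current is not None and not line.startswith(" -- ") and line.strip():
            current["body"].append(line.strip())  # trailer and blank lines skipped
    return entries


def upstream_version(debian_version):
    """Strip epoch and Debian revision: '1.0.1f-1ubuntu2.4' -> '1.0.1f'.
    This is the string OpenSSL itself reports; it says nothing about backports."""
    v = debian_version.split(":", 1)[-1]
    return v.rsplit("-", 1)[0]


def cves_fixed_in(entries, installed_version):
    """CVE ids named in the installed revision's entry and in all older entries.
    Entries are newest-first, so no Debian version comparison is needed."""
    for i, entry in enumerate(entries):
        if entry["version"] == installed_version:
            found = set()
            for older in entries[i:]:
                for line in older["body"]:
                    found.update(CVE_RE.findall(line))
            return found
    raise ValueError("version %s not found in changelog" % installed_version)


def load_changelog(path):
    """Read a gzip-compressed changelog from disk."""
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as f:
        return f.read()


if __name__ == "__main__":
    # Usage: python check_changelog.py [changelog.Debian.gz] [installed-version]
    if len(sys.argv) == 3:
        entries = parse_changelog(load_changelog(sys.argv[1]))
        version = sys.argv[2]
    else:
        entries, version = parse_changelog(SAMPLE_CHANGELOG), "1.0.1f-1ubuntu2.4"
    print("upstream version string:", upstream_version(version))
    for cve in sorted(cves_fixed_in(entries, version)):
        print("covered:", cve)
```

Pass the version column from `dpkg -l` (for the thread's box, 1.0.1f-1ubuntu2.4) as the second argument; if the advisory's CVE id appears in the output, the package is patched even though `OPENSSL_VERSION` still prints 1.0.1f.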
Re: Sabnzbd SSL Heartbleed Bug?
Posted: July 3rd, 2014, 1:20 pm
by sander
On my fully updated Ubuntu 14.04, with about all update sources checked,
Code:
sander@flappie:~$ sudo dpkg -l | grep ' openssl '
ii openssl 1.0.1f-1ubuntu2.4 amd64 Secure Sockets Layer toolkit - cryptographic utility
sander@flappie:~$
So I did:
Code:
sudo apt-get install --reinstall libssl1.0.0
sudo dpkg --force-all --remove libssl1.0.0
sudo apt-get clean && sudo apt-get install libssl1.0.0
then a reboot, and still:
Code:
$ sudo dpkg -l | grep ' openssl '
ii openssl 1.0.1f-1ubuntu2.4 amd64 Secure Sockets Layer toolkit - cryptographic utility
Tips?