Sabnzbd SSL Heartbleed Bug?

sirjaymz
Newbie
Posts: 3
Joined: April 8th, 2014, 5:00 pm

Sabnzbd SSL Heartbleed Bug?

Post by sirjaymz »

Does SABnzbd use any part of the OpenSSL source to provide the "security" in the server connection setup location, with SSL connectivity?
The Heartbleed bug will need to be fixed.

http://heartbleed.com/
shypike
Administrator
Posts: 19774
Joined: January 18th, 2008, 12:49 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by shypike »

We're using fairly old libraries for the binaries, which do not have this bug.
If you have seen otherwise, please report.
If you're running a Linux package or from source, it depends on which OpenSSL libraries you installed.
jcfp
Release Testers
Posts: 989
Joined: February 7th, 2008, 12:45 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by jcfp »

As shypike said: the sabnzbd "source" release relies on the operating system for openssl support. Note that you're also using this if you installed a package for any Linux/Unix-based operating system (which includes most types of NAS), as these are all based on the source releases. Look for an updated and/or patched openssl version supplied by the OS/vendor and install that. Major distributions have already published such updates as part of their normal security fixes.

After updating, don't forget to restart every program or service that uses SSL (or simply reboot if unsure)!
oeskmtl
Newbie
Posts: 2
Joined: June 16th, 2014, 1:27 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by oeskmtl »

The latest Windows version uses OpenSSL 0.9.8l, which has 21 vulnerabilities, even if you do not count the latest vulnerabilities from a few weeks ago: https://www.openssl.org/news/secadv_20140605.txt
https://www.openssl.org/news/openssl-0.9.8-notes.html
If you don't want to upgrade to the 1.0.0 or 1.0.1 branches, please at least update to the latest 0.9.8za version.
shypike
Administrator
Posts: 19774
Joined: January 18th, 2008, 12:49 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by shypike »

We're looking at this.
oeskmtl
Newbie
Posts: 2
Joined: June 16th, 2014, 1:27 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by oeskmtl »

Thanks :)
zoggy
Release Testers
Posts: 75
Joined: February 8th, 2011, 3:08 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by zoggy »

Use Python 2.7.7; it comes with a much newer version of OpenSSL.

Code:

>python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
> C:\Python27\DLLs\_ssl.pyd OpenSSL 1.0.1g 7 Apr 2014
sander
Release Testers
Posts: 8829
Joined: January 22nd, 2008, 2:22 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by sander »

zoggy wrote: Use Python 2.7.7; it comes with a much newer version of OpenSSL.

Code:

>python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
> C:\Python27\DLLs\_ssl.pyd OpenSSL 1.0.1g 7 Apr 2014
On my Ubuntu 14.04 laptop I get:

Code:

$ python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
/usr/lib/python2.7/lib-dynload/_ssl.x86_64-linux-gnu.so OpenSSL 1.0.1f 6 Jan 2014

sander@flappie:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 14.04 LTS
Release:	14.04
Codename:	trusty

"OpenSSL 1.0.1f 6 Jan 2014", so this system is not up to date?

On my Ubuntu 12.04 system, successfully running SABnzbd:

Code:

$ python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute '__file__'

sander@haring:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 12.04.4 LTS
Release:	12.04
Codename:	precise

>>> print _ssl.OPENSSL_VERSION
OpenSSL 1.0.1 14 Mar 2012



So this is very old?

Furthermore:

In the SAB source code, I see "from OpenSSL import SSL". Does that mean SAB imports another version?
FWIW:

Code:

>>> from OpenSSL import SSL
>>> print SSL.OPENSSL_VERSION_NUMBER
268439663
shypike
Administrator
Posts: 19774
Joined: January 18th, 2008, 12:49 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by shypike »

Switching over to Python 2.7 on Windows has many consequences.
One is that an essential VisualStudio DLL is missing on many Windows systems, but that's fixable.
Another is the very reason I never upgraded: there's a serious memory leak in Windows Python 2.7.
I will have to examine this again.
This probably means that there will be no upgrade to Python 2.7 before 0.8.0.
The OSX builds use the latest Python that works for the version of the OS.
For other platforms it's determined by the package builder.
zoggy
Release Testers
Posts: 75
Joined: February 8th, 2011, 3:08 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by zoggy »

Python 2.5 and older did not have SSL natively supported; you have to install a lib. For 2.6+ it's included (if the version you install was built with it).
OpenSSL may be upgraded to more recent feature releases in Python 2.7 maintenance releases. On Linux and most other POSIX systems, the specific version of OpenSSL used already varies, as CPython dynamically links to the system provided OpenSSL library by default.
About the Python 2.7.x SSL and related security updates:
http://legacy.python.org/dev/peps/pep-0466/

For the sb binaries I switched to 2.7.7 so people can benefit from the security fixes. The SSL included in Python 2.6.x is so old it was pre-Heartbleed... I honestly have not seen any memory leaks with Python 2.7.x. shypike, maybe you just need to load up Dowser and check for what's causing it? http://www.aminus.net/wiki/Dowser

Also, you really should drop support for Python 2.5.x; that way you can just use native json, use timeouts for URL calls, use libs like Requests, and not have to deal with stupid hacks like 401 HTTPError / decimal rounding / etc. About 6-8 months ago I went on a quest to find any NAS that was stuck on 2.5; I was unable to find one. Seems like everyone is definitely on 2.6 or 2.7 these days (or even 3.x).
zoggy
Release Testers
Posts: 75
Joined: February 8th, 2011, 3:08 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by zoggy »

sander wrote:
zoggy wrote: Use Python 2.7.7; it comes with a much newer version of OpenSSL.

Code:

>python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
> C:\Python27\DLLs\_ssl.pyd OpenSSL 1.0.1g 7 Apr 2014
On my Ubuntu 14.04 laptop I get:

Code:

$ python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
/usr/lib/python2.7/lib-dynload/_ssl.x86_64-linux-gnu.so OpenSSL 1.0.1f 6 Jan 2014

sander@flappie:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 14.04 LTS
Release:	14.04
Codename:	trusty

"OpenSSL 1.0.1f 6 Jan 2014", so this system is not up to date?

On my Ubuntu 12.04 system, successfully running SABnzbd:

Code:

$ python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute '__file__'

sander@haring:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 12.04.4 LTS
Release:	12.04
Codename:	precise

>>> print _ssl.OPENSSL_VERSION
OpenSSL 1.0.1 14 Mar 2012



So this is very old?

Furthermore:

In the SAB source code, I see "from OpenSSL import SSL". Does that mean SAB imports another version?
FWIW:

Code:

>>> from OpenSSL import SSL
>>> print SSL.OPENSSL_VERSION_NUMBER
268439663
The OPENSSL_VERSION_NUMBER format:
MMNNFFPPS: major minor fix patch status
The status nibble has one of the values 0 for development, 1 to e for betas 1 to 14, and f for release.

FYI, OPENSSL_VERSION_NUMBER should be read as hex, so
268439663 == 0x1000106F == 1.0.1f

Anyway, if the SSL lib is statically linked you need to update Python; if it's dynamically linked then just update SSL on the box (OpenSSL).
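To make the checks from zoggy's two posts above reproducible, here is an added Python 3 example (written for this thread; it is not SABnzbd code and was not posted by anyone here). It decodes OPENSSL_VERSION_NUMBER into the dotted form using the nibble layout described above, reports what the running interpreter's ssl module links against (the same information as the `_ssl.OPENSSL_VERSION` one-liner earlier in the thread), and screens the upstream number against the "OpenSSL 1.0.1 through 1.0.1f (inclusive)" range quoted from heartbleed.com later in this thread. Two assumptions are mine: OpenSSL 3.x is handled as 0xMNN00PP0 with no patch letters, and patch numbers above 26 are rendered "za", "zb", ... on the strength of the 0.9.8za name mentioned earlier.

```python
"""Decode OPENSSL_VERSION_NUMBER and screen it against the Heartbleed range."""

import ssl


def openssl_version_fields(n):
    """Split a 1.x-style MNNFFPPS integer into its fields (one nibble for
    major, two each for minor/fix/patch, one for status)."""
    return {
        "major": (n >> 28) & 0xF,
        "minor": (n >> 20) & 0xFF,
        "fix": (n >> 12) & 0xFF,
        "patch": (n >> 4) & 0xFF,
        "status": n & 0xF,
    }


def _patch_letter(patch):
    # 0 -> no letter, 1 -> 'a' ... 26 -> 'z'; 27 -> 'za' (assumed, after 0.9.8za)
    if patch == 0:
        return ""
    if patch <= 26:
        return chr(ord("a") + patch - 1)
    return "z" + chr(ord("a") + patch - 27)


def decode_openssl_version_number(n):
    """Render the integer as the version name OpenSSL prints, e.g. 1.0.1f."""
    f = openssl_version_fields(n)
    if f["major"] >= 3:
        # Assumption (see lead-in): OpenSSL 3.x packs major.minor.patch as
        # 0xMNN00PP0 and no longer uses patch letters or a status nibble.
        return "%d.%d.%d" % (f["major"], f["minor"], f["patch"])
    text = "%d.%d.%d%s" % (f["major"], f["minor"], f["fix"], _patch_letter(f["patch"]))
    if f["status"] == 0:          # 0 = development snapshot
        text += "-dev"
    elif f["status"] < 0xF:       # 1..e = beta 1..14, f = release
        text += "-beta%d" % f["status"]
    return text


def upstream_in_heartbleed_range(n):
    """Screening test only: upstream 1.0.1 .. 1.0.1f inclusive (the range
    quoted from heartbleed.com in this thread). A distribution build with a
    backported fix keeps this same number, so True means 'verify', not
    'vulnerable'."""
    f = openssl_version_fields(n)
    return (f["major"], f["minor"], f["fix"]) == (1, 0, 1) and f["patch"] <= 6


def running_interpreter_report():
    """What the current Python's ssl module links against, statically or
    via the system library; the thread's one-liner shows the same thing."""
    n = ssl.OPENSSL_VERSION_NUMBER
    return {
        "version_string": ssl.OPENSSL_VERSION,
        "version_number": hex(n),
        "decoded": decode_openssl_version_number(n),
        "screen_heartbleed_range": upstream_in_heartbleed_range(n),
    }


if __name__ == "__main__":
    # The value sander posted: 268439663 == 0x1000106f == 1.0.1f
    print(268439663, "=", hex(268439663), "=", decode_openssl_version_number(268439663))
    print(running_interpreter_report())
```

The screening function is named that way on purpose: as jcfp explains later in the thread, a distribution package such as 1.0.1f-1ubuntu2.4 carries the fix while still reporting the 1.0.1f upstream number, so the decoded version alone can only tell you where to look, not whether the box is patched.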
sander
Release Testers
Posts: 8829
Joined: January 22nd, 2008, 2:22 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by sander »

zoggy wrote:
Anyway, if the SSL lib is statically linked you need to update Python; if it's dynamically linked then just update SSL on the box (OpenSSL).
Both are fully updated Ubuntu boxes. So that means Canonical/Ubuntu does not update Python or SSL, or there is something wrong in my update settings.
zoggy
Release Testers
Posts: 75
Joined: February 8th, 2011, 3:08 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by zoggy »

sander wrote:
zoggy wrote:
Anyway, if the SSL lib is statically linked you need to update Python; if it's dynamically linked then just update SSL on the box (OpenSSL).
Both are fully updated Ubuntu boxes. So that means Canonical/Ubuntu does not update Python or SSL, or there is something wrong in my update settings.
Curious to know if you still have the shipped version of SSL. Paste the output of: sudo dpkg -l | grep ' openssl '

Generally, older versions of Ubuntu don't get updates pushed out to the package manager unless something big happens.

Per heartbleed.com, "OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable", so yes, you need to be upgraded. Usually you just need to do apt-get update / upgrade. If that doesn't work, then purge and reinstall... and as a last resort, upgrade manually.

tutorial of what to do:
http://askubuntu.com/questions/444702/h ... in-openssl

and if that doesnt work, refer to:
http://superuser.com/questions/740930/a ... st-version
jcfp
Release Testers
Posts: 989
Joined: February 7th, 2008, 12:45 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by jcfp »

Relax, updates in release-based distributions are typically done as (backported) minimum-change fixes to whatever came with the OS when it was released. See the "ubuntu changelog" linked from http://packages.ubuntu.com/trusty/openssl or /usr/share/doc/<packagename>/changelog.Debian.gz on your own system. Only packages (such as sab) that are "community-supported" (i.e., in universe/multiverse rather than "main") may require manual intervention for security fixes, because there's no guarantee somebody will take care of those.
sander
Release Testers
Posts: 8829
Joined: January 22nd, 2008, 2:22 pm

Re: Sabnzbd SSL Heartbleed Bug?

Post by sander »

On my fully updated Ubuntu 14.04, with about all update sources checked,

Code:

sander@flappie:~$ sudo dpkg -l | grep ' openssl '
ii  openssl                                                     1.0.1f-1ubuntu2.4                                   amd64        Secure Sockets Layer toolkit - cryptographic utility
sander@flappie:~$ 
So I did:

Code:

sudo apt-get install --reinstall libssl1.0.0
sudo dpkg --force-all --remove libssl1.0.0
sudo apt-get clean && sudo apt-get install libssl1.0.0

then a reboot, and still:

Code:

$ sudo dpkg -l | grep ' openssl '
ii  openssl                                                     1.0.1f-1ubuntu2.4                                   amd64        Secure Sockets Layer toolkit - cryptographic utility
Tips?