Does Sabnzbd use any part of the OpenSSL source to provide the "security" in the server connection setup location, with SSL connectivity?
Heartbleed bug will need to be fixed.
http://heartbleed.com/
Sabnzbd SSL Heartbleed Bug?
Re: Sabnzbd SSL Heartbleed Bug?
We're using fairly old libraries for the binaries, which do not have this bug.
If you have seen otherwise, please report.
If you're running a Linux package or from source, it depends on which OpenSSL libraries you installed.
Re: Sabnzbd SSL Heartbleed Bug?
As shypike said: the sabnzbd "source" release relies on the operating system for openssl support. Note that you're also using this if you installed a package for any Linux/Unix-based operating system (which includes most types of NAS), as these are all based on the source releases. Look for an updated and/or patched openssl version supplied by the OS/vendor and install that. Major distributions have already published such updates as part of their normal security fixes.
After updating, don't forget to restart every program or service that uses SSL (or simply reboot if unsure)!
Re: Sabnzbd SSL Heartbleed Bug?
The latest Windows version uses OpenSSL 0.9.8l, which has 21 vulnerabilities, even if you do not count the latest vulnerabilities from a few weeks ago: https://www.openssl.org/news/secadv_20140605.txt
https://www.openssl.org/news/openssl-0.9.8-notes.html
If you don't want to upgrade to the 1.0.0 or 1.0.1 branches, please at least update to the latest 0.9.8za version.
Re: Sabnzbd SSL Heartbleed Bug?
We're looking at this.
Re: Sabnzbd SSL Heartbleed Bug?
use python 2.7.7, it comes with a much newer version of openssl.
Code: Select all
>python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
> C:\Python27\DLLs\_ssl.pyd OpenSSL 1.0.1g 7 Apr 2014
Re: Sabnzbd SSL Heartbleed Bug?
zoggy wrote:
> use python 2.7.7, it comes with a much newer version of openssl.
> Code: Select all
> >python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
> > C:\Python27\DLLs\_ssl.pyd OpenSSL 1.0.1g 7 Apr 2014
On my Ubuntu 14.04 laptop I get:
Code: Select all
$ python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
/usr/lib/python2.7/lib-dynload/_ssl.x86_64-linux-gnu.so OpenSSL 1.0.1f 6 Jan 2014
sander@flappie:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04 LTS
Release: 14.04
Codename: trusty
On my Ubuntu 12.04 system, successfully running SABnzbd:
Code: Select all
$ python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
Traceback (most recent call last):
File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute '__file__'
sander@haring:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.4 LTS
Release: 12.04
Codename: precise
>>> print _ssl.OPENSSL_VERSION
OpenSSL 1.0.1 14 Mar 2012
So this is very old?
Furthermore:
In the SAB source code, I see "from OpenSSL import SSL". Does that mean SAB imports another version?
FWIW:
Code: Select all
>>> from OpenSSL import SSL
>>> print SSL.OPENSSL_VERSION_NUMBER
268439663
Re: Sabnzbd SSL Heartbleed Bug?
Switching over to Python 2.7 on Windows has many consequences.
One is that an essential VisualStudio DLL is missing on many Windows systems, but that's fixable.
Another is the very reason I never upgraded: there's a serious memory leak in Windows Python 2.7.
I will have to examine this again.
This probably means that there will be no upgrade to Python 2.7 before 0.8.0
The OSX builds use the latest Python that works for the version of the OS.
For other platforms it's determined by the package builder.
Re: Sabnzbd SSL Heartbleed Bug?
python 2.5 and older did not have ssl natively supported.. you have to install a lib. for 2.6+ it's included (if the version you install was built with it)..
about the python 2.7.x ssl and related security updates:
"OpenSSL may be upgraded to more recent feature releases in Python 2.7 maintenance releases. On Linux and most other POSIX systems, the specific version of OpenSSL used already varies, as CPython dynamically links to the system provided OpenSSL library by default."
http://legacy.python.org/dev/peps/pep-0466/
for the sb binaries i switched to 2.7.7 so people can benefit from the security fixes. The ssl included in python 2.6.x is so old it was pre-heartbleed... i honestly have not seen any memory leaks with python 2.7.x. shypike maybe you just need to load up dowser and check for what's causing it? http://www.aminus.net/wiki/Dowser
also, you really should drop support for python 2.5.x that way you can just use native json, use timeouts for url calls, use libs like Requests, not have to deal with stupid hacks like 401 httperror / decimal rounding / etc. about 6-8 months ago i went on a quest to find any nas that was stuck on 2.5.. i was unable to find one. seems like everyone is definitely on 2.6 or 2.7 these days (or even 3.x).
Re: Sabnzbd SSL Heartbleed Bug?
sander wrote:
> zoggy wrote:
> > use python 2.7.7, it comes with a much newer version of openssl.
> > Code: Select all
> > >python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
> > > C:\Python27\DLLs\_ssl.pyd OpenSSL 1.0.1g 7 Apr 2014
> On my Ubuntu 14.04 laptop I get:
> Code: Select all
> $ python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
> /usr/lib/python2.7/lib-dynload/_ssl.x86_64-linux-gnu.so OpenSSL 1.0.1f 6 Jan 2014
> sander@flappie:~$ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description: Ubuntu 14.04 LTS
> Release: 14.04
> Codename: trusty
> "OpenSSL 1.0.1f 6 Jan 2014", so this system is not uptodate?
> On my Ubuntu 12.04 system, successfully running SABnzbd:
> Code: Select all
> $ python -c "import _ssl; print _ssl.__file__, _ssl.OPENSSL_VERSION"
> Traceback (most recent call last):
> File "<string>", line 1, in <module>
> AttributeError: 'module' object has no attribute '__file__'
> sander@haring:~$ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description: Ubuntu 12.04.4 LTS
> Release: 12.04
> Codename: precise
> >>> print _ssl.OPENSSL_VERSION
> OpenSSL 1.0.1 14 Mar 2012
> So this is very old?
> Furthermore:
> In the SAB source code, I see "from OpenSSL import SSL". Does that mean SAB imports another version?
> FWIW:
> Code: Select all
> >>> from OpenSSL import SSL
> >>> print SSL.OPENSSL_VERSION_NUMBER
> 268439663
the openssl_version_number format:
MMNNFFPPS: major minor fix patch status
The status nibble has one of the values 0 for development, 1 to e for betas 1 to 14, and f for release.
fyi, openssl_version_number should be hex.. so
268439663 == 0x1000106F == 1.0.1 f
anyways if the ssl lib is statically linked..you need to update python.. if it's dynamically linked then just update ssl on the box (openssl).
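An added example, not part of the post above and not SABnzbd code: the MMNNFFPPS decoding applied to the number posted in the thread, with a check against the "1.0.1 through 1.0.1f" range quoted from heartbleed.com later in the thread. The function names are hypothetical, and 0x1000107F is a constructed value for 1.0.1g.

```python
import ssl

def decode_version(number):
    """Split a pre-3.0 OPENSSL_VERSION_NUMBER (hex digits MNNFFPPS) into fields."""
    return ((number >> 28) & 0xF,    # M  major
            (number >> 20) & 0xFF,   # NN minor
            (number >> 12) & 0xFF,   # FF fix
            (number >> 4) & 0xFF,    # PP patch: 0 = none, 1 = 'a', 2 = 'b', ...
            number & 0xF)            # S  status: 0 dev, 1-e beta, f release

def patch_letters(patch):
    """Map the patch field to its letter suffix; values past 26 continue as za, zb, ..."""
    if patch == 0:
        return ""
    if patch <= 26:
        return chr(ord("a") + patch - 1)
    return "z" + patch_letters(patch - 26)

def format_version(number):
    """Render the number the way OpenSSL names its versions, e.g. 1.0.1f."""
    major, minor, fix, patch, status = decode_version(number)
    text = "%d.%d.%d%s" % (major, minor, fix, patch_letters(patch))
    if status == 0:
        return text + "-dev"
    if status != 0xF:
        return text + "-beta%d" % status
    return text

def in_heartbleed_range(number):
    """True for 1.0.1 through 1.0.1f, the range quoted in this thread.
    Assumption: pre-release builds with those letters are flagged as well."""
    major, minor, fix, patch, _status = decode_version(number)
    return (major, minor, fix) == (1, 0, 1) and patch <= 6

if __name__ == "__main__":
    # 268439663 is the value posted in the thread; 0x1000107F is constructed.
    for n in (268439663, 0x1000107F):
        verdict = "in range" if in_heartbleed_range(n) else "outside range"
        print(hex(n), format_version(n), verdict)
    # OpenSSL 3.x uses a different number layout, so only the string is shown
    # for the library this interpreter is linked against.
    print(ssl.OPENSSL_VERSION)
```

A match only says the upstream version string falls in the affected range; distribution packages can carry backported fixes under the same string, so the package changelog decides.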
Re: Sabnzbd SSL Heartbleed Bug?
zoggy wrote:
> anyways if the ssl lib is statically linked..you need to update python.. if it's dynamically linked then just update ssl on the box (openssl).
Both are fully updated Ubuntu boxes. So that means Canonical/Ubuntu does not update python or ssl, or there is something wrong in my update settings.
Re: Sabnzbd SSL Heartbleed Bug?
sander wrote:
> zoggy wrote:
> > anyways if the ssl lib is statically linked..you need to update python.. if it's dynamically linked then just update ssl on the box (openssl).
> Both are fully updated Ubuntu boxes. So that means Canonical/Ubuntu does not update python or ssl, or there is something wrong in my update settings.
curious to know if you have the shipped version of ssl still.. paste the output of: sudo dpkg -l | grep ' openssl '
generally older versions of ubuntu don't get updates pushed out to the package manager unless something big happens,
per heartbleed.com, "OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable" so yes you need to be upgraded. usually you just need to do apt-get update / upgrade. if that doesn't work then purge and reinstall... and last resort.. upgrade manually.
tutorial of what to do:
http://askubuntu.com/questions/444702/h ... in-openssl
and if that doesn't work, refer to:
http://superuser.com/questions/740930/a ... st-version
Re: Sabnzbd SSL Heartbleed Bug?
Relax, updates in release-based distributions are typically done as (backported) minimum change fixes to whatever came with the os when it was released. See the "ubuntu changelog" linked from http://packages.ubuntu.com/trusty/openssl or /usr/share/doc/<packagename>/changelog.Debian.gz on your own system. Only packages (such as sab) that are "community-supported" (i.e., in universe/multiverse rather than "main") may require manual intervention for security fixes, because there's no guarantee somebody will take care of those.
Re: Sabnzbd SSL Heartbleed Bug?
On my fully updated Ubuntu 14.04, with about all update sources checked,
Code: Select all
sander@flappie:~$ sudo dpkg -l | grep ' openssl '
ii openssl 1.0.1f-1ubuntu2.4 amd64 Secure Sockets Layer toolkit - cryptographic utility
sander@flappie:~$
So I did:
Code: Select all
sudo apt-get install --reinstall libssl1.0.0
sudo dpkg --force-all --remove libssl1.0.0
sudo apt-get clean && sudo apt-get install libssl1.0.0
then a reboot, and still:
Code: Select all
$ sudo dpkg -l | grep ' openssl '
ii openssl 1.0.1f-1ubuntu2.4 amd64 Secure Sockets Layer toolkit - cryptographic utility
Tips?