Old LM17.? needs newer OpenSSL

Questions about applications and software
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
mikecolley
Level 3
Level 3
Posts: 118
Joined: Fri May 20, 2011 5:41 am

Re: Old LM17.? needs newer OpenSSL

Post by mikecolley »

Hi SMG:

Good Info:

I agree with what you said. The system is originally vintage 2011 with many upgrades both LMuprades and PCupgrades and I have made many many many changes to it since then. That is why I install to the second backup as a test before I install to my personal production system.

I will keep it in mind there is a driver problem, but I will leave sleeping dogs lie until I have a problem.

Good Info, Thanks! - Mike
Reddog1
Level 7
Level 7
Posts: 1865
Joined: Wed Jun 01, 2011 2:12 pm

Re: Old LM17.? needs newer OpenSSL

Post by Reddog1 »

Just an aside, and for what, to me, is an interesting thread. Kernel vulnerabilities don't normally fix things beyond what are termed 'local vulnerabilities', where the miscreant must be sitting at the keyboard to effect an exploit, because other vulnerabilities are very rare. Back in 2019, there was a kernel vulnerability that was REMOTE, whereby someone, somewhere on the internet, could gain access to a linux system. Using the kernel that you are using, I would suspect that this hasn't been fixed on your system. Just saying......

Furthermore, running off an SD card is somewhat of an 'iffy' way to operate, over time. I've done it myself, but be aware that those memory cards have a finite life, with a limited number of read/write cycles, and a shorter life span than a dedicated hard drive (either spinner or ssd). If you've been running off an SD card for 5 years or more, you are operating on borrowed time. The card could work for years more, or fail tomorrow. The likelyhood of failure of your SD is definitely higher than a 'real' drive.

About OpenSSL. My guess (and it is only a guess), is that the newest version of SSL will have dependencies that your old system will not be capable of satisfying, because no repositories exist for it, and even if they did, they would be years out of date with software versions long since relegated to the junk heap.
mikecolley
Level 3
Level 3
Posts: 118
Joined: Fri May 20, 2011 5:41 am

Re: Old LM17.? needs newer OpenSSL

Post by mikecolley »

Hi Reddog1:

Thanks for your interest and comments, they are useful.

I'm not saying my system is perfect but I do my best to protect it and try to compensate for vulnerabilities. I am scared of viruses. I do take measures to protect it, but nothing is perfect. Can you point to a reference of the vulnerability so I can read about it and try to compensate for it? Surely this system has its vulnerabilities and I would like to know more and learn about the specific issue you are talking about.

Early on there were issues of USB thumb drives die-ing from overuse and I have my share of broken ones from that cause. However I have had very little problems (1) in the last about 5 years with the line of USB flash drives I am using. I figure my failure rate about matches the failure rate of rotating storage now, but it wasn't that way when I first started using them, the failure rate was horrible. If you want to see how much beating this flash drive takes, issue the command

Code: Select all

sudo iotop -aoP
and you will see lots - LOTS of disk activity, and this flash drive is still working fine. Yep, I've been bit by this, but not much (not really) in the last several years. I am kinda stupid about sticking with the exact brand and line of USB drives because I did find something that works. I wish there was a way to have a live system that minimized the number of disk writes, why hasn't anyone made that yet?

OpenSSL, your comment is quite/very useful, thank you. I will head it.

Good information you have. I'm looking forward to reading about the LM17 vulnerability if you can find the article you talked about.

Thanks! Thanks a lot! - Mike
User avatar
JerryF
Level 16
Level 16
Posts: 6543
Joined: Mon Jun 08, 2015 1:23 pm
Location: Rhode Island, USA

Re: Old LM17.? needs newer OpenSSL

Post by JerryF »

Not sure if you're going to get a lot of support for an obsolete version of Mint.

:?
Reddog1
Level 7
Level 7
Posts: 1865
Joined: Wed Jun 01, 2011 2:12 pm

Re: Old LM17.? needs newer OpenSSL

Post by Reddog1 »

Can you point to a reference of the vulnerability so I can read about it and try to compensate for it?


It's a kernel vulnerability. Only a kernel patch has the ability to fix it, which happened within a day of announcement. I have no idea if your kernel 3.xx was ever patched.


https://www.securityweek.com/serious-vu ... os-attacks
mikecolley
Level 3
Level 3
Posts: 118
Joined: Fri May 20, 2011 5:41 am

Re: Old LM17.? needs newer OpenSSL

Post by mikecolley »

Thank You RedDog1, I will read it very carefully.
mikecolley
Level 3
Level 3
Posts: 118
Joined: Fri May 20, 2011 5:41 am

Re: Old LM17.? needs newer OpenSSL

Post by mikecolley »

Hi All:

I read the article that reddog1 referenced at
https://www.securityweek.com/serious-vu ... os-attacks
and the problem stems from a specially crafted TCP packet.

Can someone tell me if I am right or wrong that a specially crafted (and not requested) TCP packet can be and normally is blocked by either a router or/and is also normally blocked by a firewall?

Thanks! - Mike
pbear
Level 16
Level 16
Posts: 6569
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: Old LM17.? needs newer OpenSSL

Post by pbear »

mikecolley wrote: Sun Jun 26, 2022 6:09 pm Hopefully one of the ways will include all the drivers(like the live system) so the system will work on any PC.
Any USB full install has all the drivers a live session has, as both rely on the kernel. What's tricky is boot mode, BIOS vs. UEFI.

By the way, the one thing you've not mentioned is whether you're able to update your internet browser. That's the biggest exposure, imho.

Out of curiosity, how do you have 198 GB of files saved on root? As I recall, LiLi used a casper file (as did almost all persistence apps in those days), which would have been limited to 4 GB. And even a casper partition would be separate from root.
pbear
Level 16
Level 16
Posts: 6569
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: Old LM17.? needs newer OpenSSL

Post by pbear »

Anyhoo, as regards the original question, what happens if you download the 1.1.1 OpenSSL tarball and try installing with that?

I'd expect dependencies which won't be satisfied out-of-the-box, but maybe a way to sneak 'em in.
mikecolley
Level 3
Level 3
Posts: 118
Joined: Fri May 20, 2011 5:41 am

Re: Old LM17.? needs newer OpenSSL

Post by mikecolley »

Hi pbear:

Thanks for the questions.

The LILI method created a msdos partition for use. I discovered I could use ext3, it worked just fine. That eliminated the size requirement so now I have all my data and all the linux files in the same huge partition. My method is to just keep trying stuff, sometimes you find something that works, like using ext3 in LILI. I'm pathetically persistent, sorry world.

I was thinking about 1.1.1 OpenSSL like you mentioned, a minimal amount of revision upgrade in the hopes of not breaking any dependencies. I looked it up and found it, but I'm not a programmer and as of right now, I haven't read all the directions that go with it, and what I read still takes a second or third read to understand what is going on and what to do. Another option for me is to just do nothing. I have the weekends to do stuff like this and use my live backup as an experimental base to see if Installing something new works or breaks my LM17 because that is when I am backing up my main USB on another computer. During the period of main USB being backed up I use my live backup USB to access the internet, takes about 2.5 hours but I seldom get my main USB back in gear right away. (side note that backing up --TO-- USB takes about 8 hours) As I was reading about OpenOffice 1.1.1._ I noticed a couple other files were included in that tarball, and I thought that those might be the dependencies??- maybe- possibly?

By the way, my memory is fuzzy, but I thought years ago that I disabled ssh login into this (my main) computer because I was afraid of vulnerabilities. I am able however to ssh from here into my other computers.

Years ago I read a forum post here on LM forums where someone was complaining the video drivers for their system didn't work but they said to add insult to injury the live system did work. That sold me on trying to stay with the live system, it just works anywhere.

I was reading about BIOS and UEFI and the four ways to install linux mint. I would try the install method that works on both BIOS and UEFI, and I would probably install LMDE5 because it looks to last longer. My USB drive is starting to get full and I guess I have about a year left before it fills up. At that time I would go to a 512GB thumb flash USB drive (of the same model line). I buy them by the pair so I can have a live backup (even though the live backup would be a couple days old). That 512GB would probably take several days considering nothing goes seamlessly so that would be a good time to convert to LMDE5.

My internet browser is FireFox 94.0.2. I expect to soon allow a upgrade to 102 or 103, the version 95 had problems with this system. My LibreOffice is 7.3.3.1. because I want larger spreadsheets and 7.3.3.1 still has problems with large spreadsheets.

I hope I answered all your questions pbear. My initial question is still unanswered so I can't mark this thread solved. Feel free to ask if you want more information, I will do what I can to help.

This is the first of the month so I might be too busy for this weekend to install 1.1.1 on the backup USB drive.

Thanks! - Mike
User avatar
SMG
Level 25
Level 25
Posts: 31047
Joined: Sun Jul 26, 2020 6:15 pm
Location: USA

Re: Old LM17.? needs newer OpenSSL

Post by SMG »

mikecolley wrote: Fri Jul 01, 2022 9:21 amYears ago I read a forum post here on LM forums where someone was complaining the video drivers for their system didn't work but they said to add insult to injury the live system did work. That sold me on trying to stay with the live system, it just works anywhere.
Years ago the software was different, so one should not assume "years ago" still applies today. Additionally, I can not recall anyone complaining the videos drivers work on the live system, but not on the installed system. In fact, the reverse is usually true.
Image
A woman typing on a laptop with LM20.3 Cinnamon.
mikecolley
Level 3
Level 3
Posts: 118
Joined: Fri May 20, 2011 5:41 am

Re: Old LM17.? needs newer OpenSSL

Post by mikecolley »

Hi SMG:

First, thank you for your earlier advice about LMDE5. I will probably use it when I upgrade to larger USB drive(s). I buy them in pairs so I can have a live backup.

Years ago the software was different, but I haven't seen any announcement about the philosophy of the video drivers changing. I had no choice except to believe it hadn't changed. Sorry for not knowing.

Hats off to you SMG, Thanks!

- Mike
pbear
Level 16
Level 16
Posts: 6569
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: Old LM17.? needs newer OpenSSL

Post by pbear »

mikecolley wrote: Fri Jul 01, 2022 9:21 am I was reading about BIOS and UEFI and the four ways to install linux mint. I would try the install method that works on both BIOS and UEFI, and I would probably install LMDE5 because it looks to last longer. My USB drive is starting to get full and I guess I have about a year left before it fills up. At that time I would go to a 512GB thumb flash USB drive (of the same model line). I buy them by the pair so I can have a live backup (even though the live backup would be a couple days old). That 512GB would probably take several days considering nothing goes seamlessly so that would be a good time to convert to LMDE5.
Don't be surprised if LiLi won't work with LMDE5. Indeed, I'd be astonished if it did. If you want to stay with live + persistence, look into one of the other apps, especially Rufus in Windows and mkUSB in Linux. Both use a casper partition, so no limit on size.

I'm not going to try to talk you into full install, except to point out you would save a lot of time on backups. Let me know if you have any questions.
mikecolley
Level 3
Level 3
Posts: 118
Joined: Fri May 20, 2011 5:41 am

Re: Old LM17.? needs newer OpenSSL

Post by mikecolley »

Hi pbear:

in an earlier post, SMG mentioned about four ways to install
and also mentioned about LMDE5. The method that results in both BIOS and UEFI compatibility is the method I will attempt first, regular install if I remember right. I don't plan to use LILI in the future, but it is working fine for now.

I would love to get my hands on an already installed system so I could dd it to a 512GB drive with not much work. I haven't found one to copy yet.

Thanks! Mike
pbear
Level 16
Level 16
Posts: 6569
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: Old LM17.? needs newer OpenSSL

Post by pbear »

If you're thinking about full install after all, notice there are two hybrid boot procedures. The original (when I wrote the tutorial) works well, so long as you don't mind disabling secure boot. If you need secure boot compatibility, use Reverse Hybrid.

ETA: While still fresh in my mind, I'd like to explain how I would mirror two full install USB drives using rsync instead of Clonezilla. The main advantage of rsync is that it only needs to copy changed and new files (also will delete files no longer at source). Takes only minutes to run, rather than hours. I'd do this from a third small flash drive (4 GB would be plenty), live boot with persistence, as it will be a cleaner sync. If you have a Windows machine handy, use Rufus to set up the small sync drive. Then I would leapfrog the full install drives, switching on backup day, to equalize wear.

If you've not worked with rsync before, I wouldn't call it easy, but it's easier than other stuff you've done. :wink: For an introduction, you might look at a couple of demos I wrote on using rsync for backup and transfer. Your case would be a hybrid of the two.

Be aware, for the rsync method to work, I'm pretty sure the UUIDs of the partitions on the two drives have to be different, i.e., labels different isn't enough. This means you would have to partition each drive separately, then rsync one over to the other. (conforming fstab as necessary). I suppose you could use dd and change the UUIDs afterwards, but rsync probably will be faster* and you're trying to learn it anyway. As the fstab files are different, you want to exclude them from sync. And there may be other useful exclusions I'm not thinking of, as I've not done your exact scenario.

One last tip. If you read articles, you'll see people who set up rsync backups as scripts. If you're into scripting go for it, but it's not necessary. You can work out the command strings, put 'em in a text file on the little persistent drive, and use copy-and-paste to run. That's what I do.

ETA2 (+): Out of curiosity, I decided to test mirroring, using a recent install of MX Linux to flash drive as my subject. Turns out I was wrong about different labels not being enough to support rsync between two otherwise identical drives. Copied partitions from first drive to another using GParted. (BTW, leave a little space unallocated at end of partition table of source, as GParted will refuse to copy if target is too small by ANY amount; I ended up having to shrink the system partition on source by 10 MB to get the partition copy to go through, all this on identical flash drives).

You can clone one drive to the other with something else if you like. I used GParted because it's the fastest tool I know for copying ext4 partitions, as it uses commands which let it copy only space-in-use, where dd and tools using it have to copy everything. FYI, if using hybrid boot, GParted isn't able to clone the BIOS boot loader (not sure anything can), so you will have to manually install BIOS grub to the second drive. Also, while the UEFI boot loaders copy fine, you'll have to manually set the boot/esp flags on target.

Then I created labels for the system partitions, MX-Purple on one, MX-Green on the other (UUIDs the same). Booted MX-Purple and did an update, which was pretty large as this was a fresh installation. Booted a live session with persistence (as suggested above), did all the settings I usually do (main reason for wanting persistence), mounted both system partitions, then synced with:

Code: Select all

sudo rsync -axHAXv --delete /media/mint/MX-Purple/ /media/mint/MX-Green
Took about five minutes to run. Shut down live session. Boot MX-Green. Yup, it works. Check for updates, says "up to date." So, don't give the partitions different UUIDs and don't exclude fstab from sync. To understand the command string, consult tutorials linked above.

When you go to sync the other direction - and the idea is to go back and forth as standard procedure - you don't just swap source and target. There's a trailing slash on the former but not the latter (the rsync man page explains why). So, the opposite command looks like this:

Code: Select all

sudo rsync -axHAXv --delete /media/mint/MX-Green/ /media/mint/MX-Purple
Obviously the labels can be anything you like, but I suggest you make them equal rather than, say, Primary and Secondary. If colors don't appeal, something like Frick and Frack, Heads and Tails, or Thelma and Louise.

Understand, this was only a brief test. Doubtless there are wrinkles to work out, but I'm pretty confident the rsync strategy can be made to work.
Last edited by pbear on Tue Aug 16, 2022 2:21 pm, edited 4 times in total.
mikecolley
Level 3
Level 3
Posts: 118
Joined: Fri May 20, 2011 5:41 am

Re: Old LM17.? needs newer OpenSSL

Post by mikecolley »

Hi pbear:

I really like your rsync idea, I like it a lot. I now intend to change in the near future to use rsync. The last paragraph here is what I really need.

I really like your rsync idea, I like it a lot. Right now I use GParted to copy the entire gigantic 200Gig mint 17 partition to rotating storage as my backup strategy (2-3 Hrs) then copy that rotating partition back to a second identical to the first flash drive (8-24 Hrs) so I really have two backups with the second identical flash drive ready to plug in and go if the first one fails.

I stumbled across the buy date of the fash drives, it was Jan of 2021 and although the flash drive I use switches from one to the other every few months, they are both still working fine, but yes I am getting worried about over-usage of the individual flash drives so I spend hours at the backup alter (my religion).

I have recently lost about 6 hours of my weekday every day to spreadsheet processing of stock market investigation. That combined with how difficult and frustrating this thread has been and my natural tendency to be lazy -and- my being a LONG-COVID patient (I need a lot of sleep) has put this OpenSSL problem on the back burner temporarily. Compiling and installing OpenSSL shouldn't be hard to do, I just don't know how to do it. Besides otherwise my LM17 system is working perfectly for now.

On my part there is no perceived urgency to quickly install OpenSSL because my available time has been reduced about 6 hours every day looking for a way to make money in the stock market. I am now thinking of learning LibreOffice Base before python. Hopefully LO Base will be as fast as LO Calc. Calc is very fast if you don't use any formatting which formatting slows down LO Calc to a crawl but otherwise Calc is fast. I use lots of color in my spreadsheets, so slow slow slow.

Last Paragraph:
The original question however has been answered with one last problem on my part. The problem is I know how to download OpenSSL 1.11 but I don't know how to compile and install it to see if it will play nice with working and dependencies. I just don't know how to do that. Do you know of any simple tutorials I can follow with this old LM17 system to install OpenSSL 1.11 (or how to do it)? My proficiency level is command line user (user a lot) but not individual package compile-and-install with all dependencies. Can you suggest a tutorial. My LM17 synaptic packager tries to install OpenSSL version 1.0.1fubuntu2.21. I am friends with apt. I have done back-porting (with directions) in the past with apt and that has worked. I guess there are several paths to success, I'm just not familiar.

Thanks pbear - Mike
pbear
Level 16
Level 16
Posts: 6569
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: Old LM17.? needs newer OpenSSL

Post by pbear »

mikecolley wrote: Thu Aug 11, 2022 7:00 pm Do you know of any simple tutorials I can follow with this old LM17 system to install OpenSSL 1.11 (or how to do it)?
Sorry, no. And, frankly, I doubt there is one.
Locked

Return to “Software & Applications”