Dear GemStone Customers,

The OpenSSL cryptographic library, used by GemStone/S 64 Bit (version 3.0.0 and later only) for RPC session logins (client-to-gem connections), has a critical security bug that potentially allows private memory to be exposed to third parties.

More information on this bug can be found at:

http://heartbleed.com/

This bug has been fixed in OpenSSL version 1.0.1g. GemStone uses OpenSSL as a shared library which can be replaced with minimal disruption.

Download the libraries corresponding to your GemStone platform from:

http://downloads.gemtalksystems.com/pub/openssl-1.0.1g

There are two versions for most platforms, 32-bit and 64-bit. These libraries replace the SSL libraries shipped in $GEMSTONE/lib and $GEMSTONE/lib32 (%GEMSTONE%\bin on Windows). The libraries on the download site are named for version 3.1.0.5; if you are patching an older version of GemStone, rename them to match the existing SSL libraries in $GEMSTONE/lib and $GEMSTONE/lib32.

We will publish a bug note with this information soon. No action is necessary for versions of the 64-bit product prior to 3.0.0 or any 32-bit GemStone/S version; these versions do not use OpenSSL.

Please contact GemTalk customer support if you have any questions about this patch.

Thank you,
Steve Rawley

_______________________________________________
Glass mailing list
[hidden email]
http://lists.gemtalksystems.com/mailman/listinfo/glass

Hi Steve,

Does the stone need to be shut down to apply these patches?

thanks

Paul

Hi Paul,

Technically the stone does not need to be shut down; stopping all sessions should be sufficient. The library is only loaded by GCI clients (e.g. topaz) and gems. It is also used in hot standby systems, so these would also need to be stopped. Administrative gems present when stone starts (GC gems, symbol gem) do not load this library. However, to make entirely certain all sessions are shut down, it is probably a good idea to shut down the stone before replacing the library.

Steve

On Wed, Apr 9, 2014 at 6:13 PM, Paul DeBruicker <[hidden email]> wrote:
> Hi Steve,
>
> Does the stone need to be shut down to apply these patches?
>
> thanks
>
> Paul
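
Added example, not from the original thread or from GemTalk: a Linux shell check for the point in the reply above about making certain all sessions are stopped, listing processes that still map an SSL library under $GEMSTONE/lib or $GEMSTONE/lib32. It assumes the library file names contain "ssl", the install path has no spaces, and that a replaced file was swapped by rename; /opt/gemstone and libssl-example.so are constructed sample values.

```shell
#!/bin/sh
# Added example (Linux only). Lists processes that still map a GemStone SSL library.
# Usage: ssl_lib_users GEMSTONE_DIR [PROC_ROOT]
# Prints "<pid> loaded" (maps the file now on disk) or "<pid> stale" (maps a copy
# that was unlinked or replaced by rename; the kernel marks it "(deleted)").
ssl_lib_users() {
    gs_dir=${1%/}
    proc_root=${2:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue      # reading other users' maps needs root
        pid=${maps%/maps}; pid=${pid##*/}
        awk -v dir="$gs_dir" -v pid="$pid" '
            # Field 6 is the mapped path; only the lib and lib32 directories matter.
            index($6, dir "/lib/") == 1 || index($6, dir "/lib32/") == 1 {
                n = split($6, parts, "/")
                if (tolower(parts[n]) !~ /ssl/) next   # assumption: name contains "ssl"
                if ($NF == "(deleted)") stale = 1; else loaded = 1
            }
            END {
                if (stale) print pid, "stale"
                else if (loaded) print pid, "loaded"
            }' "$maps"
    done
}

# Constructed sample: a fake /proc tree (paths and library names are made up).
make_sample_proc() {
    mkdir -p "$1/101" "$1/102" "$1/103"
    echo '7f0000000000-7f0000060000 r-xp 00000000 08:01 11 /opt/gemstone/lib/libssl-example.so' > "$1/101/maps"
    echo '7f0000000000-7f0000060000 r-xp 00000000 08:01 12 /opt/gemstone/lib32/libssl-example.so (deleted)' > "$1/102/maps"
    printf '%s\n' \
        '7f0000000000-7f0000060000 r-xp 00000000 08:01 13 /opt/gemstone/lib/libother-example.so' \
        '7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0' > "$1/103/maps"
}

# Demo on the constructed tree: PID 101 has the current file mapped, 102 a stale copy.
demo_root=$(mktemp -d)
make_sample_proc "$demo_root"
ssl_lib_users /opt/gemstone "$demo_root"
rm -rf "$demo_root"
```

On a real host, run `ssl_lib_users "$GEMSTONE"` as root before and after replacing the libraries; an empty result means no running process has the library mapped.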