Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

(See https://www.openssl.org/news/secadv_20140407.txt )
Hence you could do

    env CFLAGS="... -DOPENSSL_NO_HEARTBEATS" ./sage -f openssl

and

    ./sage -f pyopenssl

or

    env SAGE_UPGRADING=yes make build

afterwards.
But looking at the 1.0.1a spkg (all later ones apparently vanished), the
first step might not work out of the box, i.e., you'd have to slightly
modify its spkg-install file (bash script), changing

    make # in 1.0.1c and later, this line is "$MAKE"

to

    $MAKE CFLAGS="$CFLAGS"

or, while we're at it, directly and once and for all

    $MAKE CFLAGS="$CFLAGS -DOPENSSL_NO_HEARTBEATS"

since otherwise OpenSSL's Makefile will presumably override the settings
from your environment. (I'm not sure what changed in the 1.0.1f.p0 spkg
version; probably you wouldn't have to modify that.)
Or you could try -- no guarantees that this works at all (with the
current pyOpenSSL spkg, say) -- using

    ./sage -f http://sagemath.org/packages/archive/openssl-1.0.0.p0.spkg

(and reinstalling pyopenssl etc. as above); versions prior to and
including 1.0.0 didn't have the heartbeat TLS extension.
In any case, don't forget to restart any running services using that
OpenSSL library.
-leif
P.S.: I'll probably provide a modified and / or updated OpenSSL spkg
later; to use a system-wide OpenSSL library from your distro, say, after
having built and used Sage's before, you'd have to delete some libraries
in $SAGE_ROOT/local/lib/, and presumably have to afterwards
rebuild/reinstall the Python spkg (not sure about that), and reinstall
PyOpenSSL.
--
() The ASCII Ribbon Campaign
/\ Help Cure HTML E-Mail
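
A way to check the result after rebuilding, as an added example that is not part of the original message: the function classifies the text printed by `openssl version -a`, using the versions named above (1.0.1g fixed, 1.0.0 and earlier without heartbeats) together with the upstream affected range 1.0.1 through 1.0.1f and 1.0.2-beta1. The function name, the constructed sample outputs, and the assumption that the define shows up on the `compiler:` line are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original message.
# Usage: classify_openssl "$(openssl version -a)"
# Prints: affected | mitigated | not-affected | unknown
classify_openssl() {
    info=$1
    # First line looks like "OpenSSL 1.0.1e 11 Feb 2013".
    ver=$(printf '%s\n' "$info" | awk 'NR==1 && $1=="OpenSSL" {print $2}')
    case $ver in
        '') echo unknown; return 0 ;;
        # Upstream releases that shipped the heartbeat bug: 1.0.1 through
        # 1.0.1f, plus 1.0.2-beta1. Suffixes such as "-fips" are tolerated.
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) ;;
        *) echo not-affected; return 0 ;;
    esac
    # Assumption: a build-time define is recorded on the "compiler:" line.
    flags=$(printf '%s\n' "$info" | sed -n 's/^compiler: *//p')
    case " $flags " in
        *" -DOPENSSL_NO_HEARTBEATS "*) echo mitigated ;;
        *) echo affected ;;   # no evidence of the mitigation in this build
    esac
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_STOCK='OpenSSL 1.0.1e 11 Feb 2013
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O3 -Wall'

SAMPLE_REBUILT='OpenSSL 1.0.1e 11 Feb 2013
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O3 -Wall'

SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -O3 -Wall'

SAMPLE_OLD='OpenSSL 1.0.0 29 Mar 2010
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -O3 -Wall'

for s in "$SAMPLE_STOCK" "$SAMPLE_REBUILT" "$SAMPLE_FIXED" "$SAMPLE_OLD"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(classify_openssl "$s")"
done
```

Distribution packages often carry the fix under an unchanged version string, so this check is meant for self-built libraries such as the one from Sage's spkg. Run it against the `openssl` binary that belongs to the library you rebuilt, not whichever one is first in PATH.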