From owner-freebsd-security@FreeBSD.ORG Sun Apr 27 15:09:03 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 41531594 for ; Sun, 27 Apr 2014 15:09:03 +0000 (UTC) Received: from pacha.mail.dyslexicfish.net (space.mail.dyslexicfish.net [91.109.5.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D2DF01CA2 for ; Sun, 27 Apr 2014 15:09:02 +0000 (UTC) Received: from catnip.dyslexicfish.net (space.mail.dyslexicfish.net [91.109.5.35]) by pacha.mail.dyslexicfish.net (8.14.5/8.14.5) with ESMTP id s3RF8sSq014086 for ; Sun, 27 Apr 2014 16:08:54 +0100 (BST) (envelope-from jamie@catnip.dyslexicfish.net) Received: (from jamie@localhost) by catnip.dyslexicfish.net (8.14.5/8.14.5/Submit) id s3RF8sMA014085 for freebsd-security@freebsd.org; Sun, 27 Apr 2014 16:08:54 +0100 (BST) (envelope-from jamie) From: Jamie Landeg-Jones Message-Id: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net> Date: Sun, 27 Apr 2014 16:08:53 +0100 To: freebsd-security@freebsd.org Subject: ports requiring OpenSSL not honouring OpenSSL from ports User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (pacha.mail.dyslexicfish.net [91.109.5.35]); Sun, 27 Apr 2014 16:08:54 +0100 (BST) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 27 Apr 2014 15:09:03 -0000 One of the first things I do on installing a new machine is install OpenSSL from ports. I do build with base OpenSSL due to the many programs that depend on it, but using ports OpenSSL for ports makes things easier to patch/update. In the case of Heartbleed, for example, I was able to fix ports OpenSSL much sooner than base. In the process, however, I discovered a couple of ports that built against base even when the port was installed. I was going to supply patches / notify the maintainers, but first did a check, and discovered that a lot of current ports do similar. It turns out that this wasn't a problem specifically, but more generally, it's possible that someone may think a port has been patched when it hasn't. Basically what I'm asking: Shouldn't a port that uses OpenSSL *always* build against the port if it's installed? I realise this isn't always possible to test, especially if the port Makefile doesn't have any openSSL configuration options, but I'd like to hear others opinions on the matter. [ Not crossposted to ports@ as I'm unsure onbcross-posting etiqurtte, but feel free to add them in if appropriate ] Cheers, Jamie -- No sig