From: Jamie Landeg-Jones
Date: Sun, 27 Apr 2014 23:59:36 +0100
To: freebsd-security@freebsd.org
Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports
Message-Id: <201404272259.s3RMxaqM095850@catnip.dyslexicfish.net>
References: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net>
List-Id: "Security issues [members-only posting]"

Paul Hoffman wrote:

> Yes, that is a reasonable expectation. I certainly had it in my head when I rebuilt Sendmail+TLS after heartbleed, but I didn't think of checking it.

Been there :-) Fortunately, sendmail 'does the right thing'!

> It would be good to add such options to as many ports as possible if it can be done cleanly.

This is more for ports@ than security@, but isn't mixing of 2 different versions potentially problematic? I have noticed one port that links against base, but uses libcurl which links against ports, so there is a version conflict there right away.

I'd expect that some magic would need to be done in the bsd.ports.Mk files, as you can't necessarily tell from just scanning the port template.

> Also, note that this is not bashing on OpenSSL: given their new significant funding, I would certainly expect the OpenSSL project to be finding-and-fixing Heartbleed-level bugs repeatedly in the coming years. It is basically impossible to fix such a bug without bad actors being able to determine and exploit some of the fixes in unpatched systems.

Ditto. My concern is more general, and aligned to the POLA principle!

Cheers, Jamie
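The mixed-linking case Jamie describes (a binary pulling in the base-system libssl directly while one of its libraries, libcurl in his case, pulls in the ports libssl) is easy to miss because a plain `ldd` only shows the first level of dependencies. The following is an added example, not code from the thread or from the FreeBSD ports framework: a small POSIX sh checker that reads `ldd -a` style output and reports whether the dependency tree resolves OpenSSL from `/usr/lib` (base), `/usr/local/lib` (ports), both ("mixed"), or neither. The binary name, library paths and `.so` version suffixes in the sample input are constructed for illustration and do not describe any particular port.

```sh
#!/bin/sh
# Added example (not from the original thread). Classifies the OpenSSL
# linkage of a binary from `ldd -a` output. On FreeBSD, `ldd -a` prints
# the dependencies of the binary and then of every shared object it
# loads, so a library that drags in a second libssl becomes visible.

# classify_ssl: read ldd-style lines on stdin; print one of
#   base   - only /usr/lib/libssl or libcrypto seen
#   ports  - only /usr/local/lib/libssl or libcrypto seen
#   mixed  - both seen in the same dependency tree (the problem case)
#   none   - no OpenSSL library seen at all
classify_ssl() {
    base=0
    ports=0
    while IFS= read -r line; do
        case "$line" in
            *'=> /usr/lib/libssl.so'*|*'=> /usr/lib/libcrypto.so'*)
                base=1 ;;
            *'=> /usr/local/lib/libssl.so'*|*'=> /usr/local/lib/libcrypto.so'*)
                ports=1 ;;
        esac
    done
    if [ "$base" -eq 1 ] && [ "$ports" -eq 1 ]; then
        echo mixed
    elif [ "$base" -eq 1 ]; then
        echo base
    elif [ "$ports" -eq 1 ]; then
        echo ports
    else
        echo none
    fi
}

# Constructed sample: what `ldd -a` might show for a hypothetical port
# binary linked against base OpenSSL that also loads a ports libcurl
# which in turn loads the ports OpenSSL. Paths and .so versions are
# illustrative, not taken from a real system.
sample_mixed() {
    cat <<'EOF'
/usr/local/bin/example-tool:
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
	libcrypto.so.7 => /usr/lib/libcrypto.so.7 (0x800c00000)
	libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x801000000)
	libc.so.7 => /lib/libc.so.7 (0x801200000)
/usr/local/lib/libcurl.so.4:
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x801400000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801800000)
	libc.so.7 => /lib/libc.so.7 (0x801200000)
EOF
}

# Constructed sample of a binary cleanly linked against base only.
sample_base_only() {
    cat <<'EOF'
/usr/local/sbin/example-daemon:
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
	libcrypto.so.7 => /usr/lib/libcrypto.so.7 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801200000)
EOF
}

# check_sample NAME: run one constructed sample through the classifier.
check_sample() {
    "$1" | classify_ssl
}

# Stand-alone demonstration.
echo "example-tool:   $(check_sample sample_mixed)"
echo "example-daemon: $(check_sample sample_base_only)"
```

On a real host the check is `ldd -a /usr/local/sbin/sendmail | classify_ssl` (or a loop over `/usr/local/bin/* /usr/local/sbin/*`); anything that prints `mixed` has two different OpenSSL versions loaded into one address space, which is the situation the thread is worried about regardless of which of the two received the security fix. The pattern matches on the resolved path after `=>`, so it is not fooled by the `.so` version number, and it deliberately treats libcrypto the same as libssl since a port can use one without the other.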