Date:      Thu, 14 Jan 2016 10:24:23 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Bernard Spil <brnrd@freebsd.org>, Mark Felder <feld@freebsd.org>
Cc:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org, dinoex@freebsd.org
Subject:   Re: svn commit: r406060 - head/security/openssl
Message-ID:  <56977757.8020008@infracaninophile.co.uk>
In-Reply-To: <b37724db3396a01132b3545b94fed020@imap.brnrd.eu>
References:  <201601131729.u0DHTCQF040857@repo.freebsd.org> <1452707787.2832948.491187474.31730688@webmail.messagingengine.com> <b37724db3396a01132b3545b94fed020@imap.brnrd.eu>

On 01/13/16 19:16, Bernard Spil wrote:
> On 2016-01-13 18:56, Mark Felder wrote:
>> On Wed, Jan 13, 2016, at 11:29, Bernard Spil wrote:
>>> Author: brnrd
>>> Date: Wed Jan 13 17:29:12 2016
>>> New Revision: 406060
>>> URL: https://svnweb.freebsd.org/changeset/ports/406060
>>>
>>> Log:
>>>   security/openssl: Fix No-SSLv3 option
>>>
>>>     - This change adds `no-ssl3-method` to config args
>>>     - Bump portrevision
>>>
>>>   Testing with security/openssl built with SSL3 option disabled [1]
>>>   revealed that the openssl binary and the libraries still support SSLv3
>>>   connections and methods. With the added no-ssl3-method argument passed
>>>   to the config script, the binary no longer supports the -ssl3 option
>>>   and ports requiring SSLv3 methods fail on undefined references to
>>>   methods.
>>>
>>>   PR:             203693 [1]
>>>   Reviewed by:    koobs (mentor), feld (mentor, ports-secteam), dinoex
>>>   (maintainer)
>>>   Approved by:    koobs (mentor), feld (mentor, ports-secteam
>>>   MFH:            2016Q1
>>>   Differential Revision:  D4924
>>>
>>
>> koobs and I (mentors) goofed up with the review process here. Dinoex as
>> maintainer was not involved in the review or approval process, but we
>> approved this commit and the commit log message.
>>
>> This change is a no-op for users who do not set SSL3=off.
>>
>> Sorry, dinoex :-)
> Hi,
>
> I did send an email to dinoex with a request to review this patch. After
> the 2 approvals I committed but should've held back...
>
> For users that set SSL3=off this is NOT a no-op. This may trigger build
> failures for people, a list of known affected ports is maintained on
> https://wiki.freebsd.org/OpenSSL/No-SSLv3. Luckily most major ports have
> already been patched.
>
> Sorry...
>

Yes, in hindsight, some sort of exp-run would have been appropriate here
-- there's too much that depends on openssl to take liberties with that
port.

Now I'm getting moaned at because the nagios-plugins package amongst
others are not available in our package repo.  Which is particularly
galling because this security fix only bit me due to using ports openssl
and turning off SSLv2 and SSLv3 as *security* enhancements.

Thanks to Bernard for his page of patches -- they're very welcome.

	Cheers,

	Matthew



