From: Darren Pilgrim
Date: Tue, 30 Jul 2002 18:41:03 -0700
To: gabriel_ambuehl@buz.ch
Cc: Geir Råness, freebsd-security@freebsd.org
Subject: Re: About the openssl hole
Message-ID: <3D47402F.83B37CBA@pantherdragon.org>

Gabriel Ambuehl wrote:
>
> Hello Geir,
>
> Tuesday, July 30, 2002, 6:56:12 PM, you wrote:
>
> > I talked with a friend of mine who tried this solution, and he told
> > me that it was only one patch that failed.
> > If you remove the patch "patch-ah" the build will go fine.
> >
> > But as many know, the port of openssl will not completely replace the
> > core openssl.
> > (You could see this if you build mod_ssl)
>
> Well I could live without mod_ssl for the next hours, but I can't just
> go shut down ssh on all boxes cause that would mean I'd have to go
> onsite to some 4 NOCs (two of them on the other side of the world) to
> have SSH get back up. Hmm. Maybe I'll just shut all SSL stuff down and
> have the NOC monkeys reboot them when the patch is here....
>
> What's happening (I suppose) is that the port gets installed to
> /usr/local/lib whereas the old version still is in /usr/lib where

Use -DOPENSSL_OVERWRITE_BASE. I recommend people install the OpenSSL port
anyway; it gives you all those nifty extra programs that the maintainer(s)
for the in-base openssl have seen fit not to include.

> it belongs to as part of the base system which means that you probably
> have to overwrite the old lib by hand but I wouldn't want to guarantee
> that nothing is going to break if you do this.

I can say from personal experience that installing the openssl port with
-DOPENSSL_OVERWRITE_BASE doesn't break anything I've found or use
(openssh, mod_ssl, courier_imap, and postfix).

> To make it short: it's probably best to just wait and update your
> boxes ASAP

Why take down the whole machine, when you can use a port to just patch
the broken part? That's what was so great about the OpenSSH port: it let
a lot of people who couldn't make world or reinstall upgrade their copies
of OpenSSH.