From: "Michael Sharp"
Date: Wed, 31 Jul 2002 17:32:09 -0400 (EDT)
Subject: Re: About the openssl hole
Message-ID: <2319.192.168.1.4.1028151129.squirrel@webmail.probsd.ws>
In-Reply-To: <3D47402F.83B37CBA@pantherdragon.org>
X-Mailer: SquirrelMail (version 1.2.7)

Regarding using a port to fix a core issue. I so totally disagree. Each port/package that is installed on a FreeBSD box degrades the security profile in small increments. My thoughts: use core as much as you can, and use ports sparingly. I had 4 services exposed to the net that relied on the bad OpenSSL. I chose to wait for the core team to fix things. Yes, my website might have been down for 8 hrs, mail as well.. etc... but so what?

However, I'm not a 1000-hit-a-day business either, so I guess one could argue the wait-for-core/install-a-port issue there. But I have found that core typically goes right to work on an issue, and a fix is out within hrs.

Just my 2 cents
michael

> Gabriel Ambuehl wrote:
>>
>> Hello Geir,
>>
>> Tuesday, July 30, 2002, 6:56:12 PM, you wrote:
>>
>> > I talked with a friend of mine who tried this solution, and he told
>> > me that it was only one patch that failed.
>> > If you remove the patch "patch-ah" the build will go fine.
>>
>> > But as many know, the port of openssl will not completely replace the
>> > core openssl.
>> > (You could see this if you build mod_ssl)
>>
>> Well, I could live without mod_ssl for the next hours, but I can't just
>> go shut down ssh on all boxes, cause that would mean I'd have to go
>> onsite to some 4 NOCs (two of them on the other side of the world) to
>> get SSH back up. Hmm. Maybe I'll just shut all SSL stuff down and
>> have the NOC monkeys reboot them when the patch is here....
>>
>> What's happening (I suppose) is that the port gets installed to
>> /usr/local/lib whereas the old version still is in /usr/lib where
>
> Use -DOPENSSL_OVERWRITE_BASE. I recommend people install the OpenSSL
> port anyway; it gives you all those nifty extra programs that the
> maintainer(s) for the in-base openssl have seen fit not to include.
>
>> it belongs as part of the base system, which means that you probably
>> have to overwrite the old lib by hand, but I wouldn't want to guarantee
>> that nothing is going to break if you do this.
>
> I can say from personal experience that installing the openssl port with
> -DOPENSSL_OVERWRITE_BASE doesn't break anything I've found or use
> (openssh, mod_ssl, courier_imap, and postfix).
>
>> To make it short: it's
>> probably best to just wait and update your boxes ASAP
>
> Why take down the whole machine, when you can use a port to just patch
> the broken part? That's what was so great about the OpenSSH port, it let
> a lot of people who couldn't make world or reinstall upgrade their
> copies of OpenSSH.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
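A check that follows from this thread (the port lands in /usr/local/lib while the base copy stays in /usr/lib, so a service is only fixed once it actually resolves the port's libraries), added here as an example and not code from any of the posters: classify a binary's ldd(1) output by which OpenSSL it links against. The binary paths and the sample ldd lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Classify which OpenSSL a binary is linked against, from its ldd(1) output
# read on stdin. Prints:
#   base           libssl/libcrypto resolve under /usr/lib (the base-system copy)
#   port           they resolve under /usr/local/lib (the ports copy)
#   mixed          one from each location (a half-applied fix)
#   static-or-none neither library appears (statically linked, or no SSL at all)
classify_ssl_links() {
    base=0; port=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ;;
            *) continue ;;
        esac
        case "$line" in
            *"=> /usr/local/lib/"*) port=1 ;;
            *"=> /usr/lib/"*)       base=1 ;;
        esac
    done
    if [ "$base" = 1 ] && [ "$port" = 1 ]; then echo mixed
    elif [ "$port" = 1 ]; then echo port
    elif [ "$base" = 1 ]; then echo base
    else echo static-or-none
    fi
}

# Audit real binaries on a live FreeBSD host (paths are assumptions; list the
# daemons you actually expose, e.g. sshd, httpd with mod_ssl, imapd, postfix).
audit_binaries() {
    for bin in "$@"; do
        [ -x "$bin" ] || { printf '%s: not found\n' "$bin"; continue; }
        printf '%s: %s\n' "$bin" "$(ldd "$bin" 2>/dev/null | classify_ssl_links)"
    done
}

# Constructed sample ldd output: a daemon still bound to the base OpenSSL.
SAMPLE_BASE='/usr/sbin/sshd:
        libssl.so.2 => /usr/lib/libssl.so.2 (0x2808a000)
        libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x280b5000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28180000)'

# Constructed sample: the same daemon relinked against the port's libraries.
SAMPLE_PORT='/usr/local/sbin/sshd:
        libssl.so.2 => /usr/local/lib/libssl.so.2 (0x2808a000)
        libcrypto.so.2 => /usr/local/lib/libcrypto.so.2 (0x280b5000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28180000)'

# Constructed sample: a binary that does not use OpenSSL at all.
SAMPLE_NONE='/bin/ls:
        libc.so.4 => /usr/lib/libc.so.4 (0x28180000)'
```

Anything reported as "base" after installing the port without -DOPENSSL_OVERWRITE_BASE is still running the unpatched library, whatever `openssl version` from /usr/local/bin says.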