Date: Sat, 13 Jun 2015 05:02:43 +0200
From: Michelle Sullivan <michelle@sorbs.net>
To: Don Lewis <truckman@FreeBSD.org>
Cc: ml@netfence.it, freebsd-ports@FreeBSD.org
Subject: Re: OpenSSL Security Advisory [11 Jun 2015]
Message-ID: <557B9D53.2010805@sorbs.net>
In-Reply-To: <201506130225.t5D2P7cd078028@gw.catspoiler.org>
References: <201506130225.t5D2P7cd078028@gw.catspoiler.org>
Don Lewis wrote:
>
> I'm still running 8.4 here (but planning on upgrading to 10.1 in the
> next couple of weeks). I use poudriere to build my own package set with
> customized options, and I mentioned a couple weeks ago on
> freebsd-security@ that I switched my packages to use the openssl port
> instead of openssl from base by adding WITH_OPENSSL_PORT=yes to
> make.conf. The only significant problem that I ran into was with
> ftp/curl, which silently continues to link to base openssl if you leave
> its GSSAPI option set to the default GSSAPI_BASE. Choosing one of the
> other options fixes that problem.
>

Actually I ran into that problem (or a similar one), but with different
ports, and couldn't work out how to nuke it, so to work around it I just
disabled linking GSSAPI and that seemed to cure the issue.

> There were a couple of other ports that I found in the set that I build
> that didn't handle WITH_OPENSSL_PORT=yes, but they were easy to fix and
> I filed PRs with patches for them. The last time I looked, there was
> only one port that set WITH_OPENSSL_BASE=yes in its Makefile, and that
> is not a port that I use.
>

WITH_OPENSSL_PORT=yes worked for me with all except openldap, which was
one of the ports that I needed to disable GSSAPI on.

> Of all the binaries and shared libraries installed by my set of
> packages, the only ones that still link to base openssl belong to
> ports-mgmt/pkg. Fixing that and avoiding the resulting chicken vs. egg
> problem would probably require bundling a private copy of openssl with
> pkg.
>
> There are still a number of things in base that use openssl, but in my
> case the only significant ones are ssh and fetch. In one of the replies
> in the thread that I started, someone mentioned that it could be a
> problem if a port uses libfetch because that shared library is linked to
> openssl from base, but none of the ports that I use appear to use
> libfetch.
>

SSH would be the biggie that most security departments are scared of...

-- 
Michelle Sullivan
http://www.mhix.org/
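The audit Don describes (checking which installed binaries still link to base openssl after switching to WITH_OPENSSL_PORT=yes) can be scripted. The following is an added example and is not part of the thread or of any FreeBSD port; it assumes FreeBSD's default library layout (base OpenSSL under /usr/lib, the security/openssl port under /usr/local/lib) and ldd(1)-style output, and the sample ldd output it runs on is constructed rather than captured from a real host. The "mixed" class covers the libfetch case raised in the thread, where a port binary built against the port OpenSSL still drags in base libssl/libcrypto through a dependency.

```shell
#!/bin/sh
# Added example, not from the thread: audit which OpenSSL a set of binaries
# actually links against. Assumes FreeBSD's default layout: base OpenSSL in
# /usr/lib, the security/openssl port in /usr/local/lib.

# classify_ssl_link: read ldd(1)-style output on stdin, print one word:
#   base  - links /usr/lib/libssl.so* or /usr/lib/libcrypto.so*
#   port  - links /usr/local/lib/libssl.so* or /usr/local/lib/libcrypto.so*
#   mixed - both at once (a port binary built against the port OpenSSL that
#           still pulls in base OpenSSL through a dependency such as libfetch)
#   none  - no OpenSSL library in the output
classify_ssl_link() {
    base=0
    port=0
    while IFS= read -r line; do
        case "$line" in
            *"=> /usr/lib/libssl.so"*|*"=> /usr/lib/libcrypto.so"*) base=1 ;;
            *"=> /usr/local/lib/libssl.so"*|*"=> /usr/local/lib/libcrypto.so"*) port=1 ;;
        esac
    done
    if [ "$base" -eq 1 ] && [ "$port" -eq 1 ]; then
        echo mixed
    elif [ "$base" -eq 1 ]; then
        echo base
    elif [ "$port" -eq 1 ]; then
        echo port
    else
        echo none
    fi
}

# audit_prefix: on a live FreeBSD host, run ldd over every file under the
# ports prefix and report anything classified 'base' or 'mixed'. After a
# rebuild with WITH_OPENSSL_PORT=yes the expected output is empty, apart
# from ports-mgmt/pkg as noted in the thread.
audit_prefix() {
    prefix=${1:-/usr/local}
    find "$prefix/bin" "$prefix/sbin" "$prefix/lib" "$prefix/libexec" -type f 2>/dev/null |
    while IFS= read -r f; do
        out=$(ldd "$f" 2>/dev/null) || continue   # skip non-ELF files
        cls=$(printf '%s\n' "$out" | classify_ssl_link)
        case "$cls" in
            base|mixed) printf '%s %s\n' "$cls" "$f" ;;
        esac
    done
}

# Constructed sample ldd output (modelled on FreeBSD 10.x, not captured
# from a real host); library version numbers are illustrative.
SAMPLE_BASE='/usr/local/bin/example-base:
        libssl.so.7 => /usr/lib/libssl.so.7 (0x800a40000)
        libcrypto.so.7 => /usr/lib/libcrypto.so.7 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x801000000)'

SAMPLE_PORT='/usr/local/bin/example-port:
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a40000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x801000000)'

SAMPLE_MIXED='/usr/local/bin/example-mixed:
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a40000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c00000)
        libfetch.so.6 => /usr/lib/libfetch.so.6 (0x800e00000)
        libssl.so.7 => /usr/lib/libssl.so.7 (0x801000000)
        libcrypto.so.7 => /usr/lib/libcrypto.so.7 (0x801200000)'

SAMPLE_NONE='/usr/local/bin/example-none:
        libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Stand-alone demo over the constructed samples.
for s in "$SAMPLE_BASE" "$SAMPLE_PORT" "$SAMPLE_MIXED" "$SAMPLE_NONE"; do
    printf '%s -> %s\n' "${s%%:*}" "$(printf '%s\n' "$s" | classify_ssl_link)"
done
```

On a real host, `audit_prefix /usr/local` is the call to run after the rebuild; a "mixed" result is the one worth chasing first, since it means two different libssl/libcrypto versions are loaded into one process.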