From: Michelle Sullivan
To: Don Lewis
Cc: ml@netfence.it, freebsd-ports@FreeBSD.org
Date: Sat, 13 Jun 2015 05:02:43 +0200
Subject: Re: OpenSSL Security Advisory [11 Jun 2015]
Message-id: <557B9D53.2010805@sorbs.net>
In-reply-to: <201506130225.t5D2P7cd078028@gw.catspoiler.org>

Don Lewis wrote:
>
> I'm still running 8.4 here (but planning on upgrading to 10.1 in the
> next couple of weeks). I use poudriere to build my own package set with
> customized options, and I mentioned a couple weeks ago on
> freebsd-security@ that I switched my packages to use the openssl port
> instead of openssl from base by adding WITH_OPENSSL_PORT=yes to
> make.conf. The only significant problem that I ran into was with
> ftp/curl, which silently continues to link to base openssl if you leave
> its GSSAPI option set to the default GSSAPI_BASE. Choosing one of the
> other options fixes that problem.
>

Actually I ran into that problem (or a similar one), but with different ports, and couldn't work out how to nuke it, so to work around it I just disabled linking GSSAPI and that seemed to cure the issue.

> There were a couple of other ports that I found in the set that I build
> that didn't handle WITH_OPENSSL_PORT=yes, but they were easy to fix and
> I filed PRs with patches for them. The last time I looked, there was
> only one port that set WITH_OPENSSL_BASE=yes in its Makefile, and that
> is not a port that I use.
>

WITH_OPENSSL_PORT=yes worked for me with all except openldap, which was one of the ports that I needed to disable GSSAPI on.

> Of all the binaries and shared libraries installed by my set of
> packages, the only ones that still link to base openssl belong to
> ports-mgmt/pkg. Fixing that and avoiding the resulting chicken vs. egg
> problem would probably require bundling a private copy of openssl with
> pkg.
>
> There are still a number of things in base that use openssl, but in my
> case the only significant ones are ssh and fetch. In one of the replies
> in the thread that I started, someone mentioned that it could be a
> problem if a port uses libfetch because that shared library is linked to
> openssl from base, but none of the ports that I use appear to use
> libfetch.
>

SSH would be the biggie that most security departments are scared of...

-- 
Michelle Sullivan
http://www.mhix.org/
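The thread's problem is that a port can silently keep linking against base OpenSSL even with WITH_OPENSSL_PORT=yes in make.conf. The following audit script is an added example, not code from the thread or from the FreeBSD project: it classifies ldd output by whether libssl/libcrypto resolved under /lib or /usr/lib (base) or /usr/local/lib (the openssl port), and assumes the conventional FreeBSD library locations and the `pkg query '%Fp'` file listing; the sample ldd output is constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): detect packages whose
# binaries still resolve libssl/libcrypto to FreeBSD's base OpenSSL
# (/lib, /usr/lib) instead of the security/openssl port (/usr/local/lib).

# classify_openssl_link: read ldd output on stdin, print one word:
#   base - at least one libssl/libcrypto resolved under /lib or /usr/lib
#   port - libssl/libcrypto only resolved under /usr/local/lib
#   none - the binary has no libssl/libcrypto dependency at all
classify_openssl_link() {
    base=0; port=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ;;
            *) continue ;;
        esac
        # ldd prints "<soname> => <resolved path> (<load address>)"
        target="${line#*=> }"
        target="${target%% (*}"
        case "$target" in
            /usr/local/lib/*) port=1 ;;
            /lib/*|/usr/lib/*) base=1 ;;
        esac
    done
    if [ "$base" -eq 1 ]; then echo base
    elif [ "$port" -eq 1 ]; then echo port
    else echo none; fi
}

# audit_base_openssl <pkgname>: print every file of the package that is
# still linked to base OpenSSL (FreeBSD only; needs pkg(8) and ldd).
audit_base_openssl() {
    pkg query '%Fp' "$1" | while IFS= read -r f; do
        [ -f "$f" ] || continue
        out=$(ldd "$f" 2>/dev/null) || continue   # skip non-ELF files
        [ "$(printf '%s\n' "$out" | classify_openssl_link)" = base ] && echo "$f"
    done
}

# Constructed samples: a curl that drifted back to base OpenSSL, and one
# correctly built against the port.
SAMPLE_BASE='/usr/local/bin/curl:
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800849000)
    libssl.so.7 => /usr/lib/libssl.so.7 (0x800c00000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x801000000)
    libc.so.7 => /lib/libc.so.7 (0x801400000)'
SAMPLE_PORT='/usr/local/bin/curl:
    libssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x800c00000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801000000)
    libc.so.7 => /lib/libc.so.7 (0x801400000)'
```

Running `audit_base_openssl curl` on a poudriere-built host lists the files that would silently keep using base OpenSSL, which is the drift the thread describes for ftp/curl with GSSAPI_BASE.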