From owner-freebsd-questions@FreeBSD.ORG Tue Apr 8 02:26:07 2014
From: David Newman
Organization: Network Test Inc.
Date: Mon, 07 Apr 2014 19:25:59 -0700
To: freebsd-questions@freebsd.org
Subject: Critical OpenSSL issue (was: Re: Updating openssl on FreeBSD 9.2)
Message-ID: <53435E37.8000903@networktest.com>
In-Reply-To: <20140407114202.ef08d1a9.freebsd@edvax.de>
References: <1396852955.86927.YahooMailNeo@web122301.mail.ne1.yahoo.com> <20140407085234.4a39a4ab.freebsd@edvax.de> <53426449.6030006@bluerosetech.com> <20140407114202.ef08d1a9.freebsd@edvax.de>

On 4/7/14, 2:42 AM, Polytropon wrote:
> On Mon, 07 Apr 2014 01:39:37 -0700, Darren Pilgrim wrote:
>> On 4/6/2014 11:52 PM, Polytropon wrote:
>>> On Sun, 6 Apr 2014 23:42:35 -0700 (PDT), Jack Mc Lauren wrote:
>>>> Hi
>>>> I'm using FreeBSD 9.2 which comes with openssl 0.9.8y.
>>>> How can I update it to version 1.0.1f?

There was a critical OpenSSL security flaw announced today for 1.0.1f and
earlier. Version 0.9.8 is not affected.

The security team hasn't yet posted an advisory but they probably will
real soon now.

As I write this (8 April 2014 0223 UTC) openssl 1.0.1f is no longer in
the ports tree, and has not yet been replaced; again, I expect the port
maintainer will post 1.0.1g real soon now.

More info:

https://www.openssl.org/news/secadv_20140407.txt

There's a FAQ here:

http://heartbleed.com/

dn

>>>> Thanks in advance.
>>>
>>> Probably using the ports version should be the easiest
>>> method. Update your ports tree, install security/openssl,
>>> and check if any other applications need to be rebuilt.
>>
>> You need to add WITH_OPENSSL_PORT=yes to /etc/make.conf to enable
>> linking to the openssl port.
>
> Yes, that is also needed.
>
>
>>> If you're using a custom-built system, you can also
>>> disable the integration of SSL into the OS by defining
>>> WITHOUT_OPENSSL in /etc/src.conf and rebuilding. See
>>> "man src.conf" for details.
>>
>> Don't do this. OpenSSL is needed by so many things in the base that
>> it's effectively mandatory. Just rely on WITH_OPENSSL_PORT making the
>> ports framework select the correct library.
>
> Still /etc/src.conf allows you to disable most of those
> parts. As I have never tried the "full set", I'm not sure
> what would break, but at least I assume that more than
> one "crypto" component could be affected, maybe even the
> system mailing service.
>
> From "man src.conf":
>
> WITHOUT_CRYPT
> Set to not build any crypto code. When set, it also enforces the
> following options:
>
> WITHOUT_GSSAPI (can be overridden with WITH_GSSAPI)
> WITHOUT_KERBEROS
> WITHOUT_KERBEROS_SUPPORT
> WITHOUT_OPENSSH
> WITHOUT_OPENSSL
>
> [...]
>
> WITHOUT_OPENSSL
> Set to not build OpenSSL. When set, it also enforces the
> following options:
>
> WITHOUT_GSSAPI (can be overridden with WITH_GSSAPI)
> WITHOUT_KERBEROS
> WITHOUT_KERBEROS_SUPPORT
> WITHOUT_OPENSSH
>
> Your suggestion is worth following, especially with regard to SSH.
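The check the thread is circling around (which OpenSSL is installed, is it in the affected range, and which libssl a rebuilt port actually links against) as an added example. This is not code from the thread or from FreeBSD. It assumes FreeBSD's default locations, /usr/bin/openssl for the base system copy and /usr/local/bin/openssl for the security/openssl port, and it encodes the range from the OpenSSL advisory linked above rather than David's shorthand "1.0.1f and earlier": 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 0.9.8 and 1.0.0 never had the heartbeat code, 1.0.1g is the fix. The version strings in the comments are constructed inputs for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD). Classifies the output
# of "openssl version" against the range in
# https://www.openssl.org/news/secadv_20140407.txt and reports on the
# binaries a FreeBSD 9.2 box is likely to have. Assumed paths:
#   /usr/bin/openssl        base system (0.9.8y on 9.2)
#   /usr/local/bin/openssl  the security/openssl port

# heartbleed_status "OpenSSL 1.0.1f 6 Jan 2014"
# Prints one of: affected, fixed, not-affected, unknown.
# Exit status is 1 only when the version is affected, so the function can be
# used directly in a condition.
heartbleed_status() {
    set -- $1            # split on whitespace: $1=OpenSSL, $2=version, rest=date
    ver=$2
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) status=affected ;;     # 1.0.1 .. 1.0.1f, incl. e.g. 1.0.1e-fips
        1.0.1[g-z]*)                   status=fixed ;;        # 1.0.1g and later
        1.0.2-beta1)                   status=affected ;;
        1.0.2*)                        status=fixed ;;        # 1.0.2-beta2 and later
        0.9.*|1.0.0*)                  status=not-affected ;; # no heartbeat extension in these branches
        *)                             status=unknown ;;      # not an OpenSSL version we know about
    esac
    printf '%s\n' "$status"
    [ "$status" != affected ]
}

# report_installed: run "openssl version" on each OpenSSL binary that exists
# (base system first, then the port) and print its verdict on one line.
report_installed() {
    for bin in /usr/bin/openssl /usr/local/bin/openssl; do
        [ -x "$bin" ] || continue
        out=$("$bin" version 2>/dev/null) || continue
        printf '%-24s %-32s %s\n' "$bin" "$out" "$(heartbleed_status "$out")"
    done
}

# linked_libssl PROGRAM
# Prints the libssl path PROGRAM resolves at run time. After setting
# WITH_OPENSSL_PORT=yes in /etc/make.conf and rebuilding a port, this is how
# you confirm it picked up /usr/local/lib rather than the base /usr/lib copy.
linked_libssl() {
    ldd "$1" 2>/dev/null | awk '/libssl/ { print $3 }'
}

# Usage as a script:  sh heartbleed_check.sh [program ...]
# Guarded on the script name so the functions can also be sourced elsewhere.
if [ "${0##*/}" = heartbleed_check.sh ]; then
    report_installed
    for prog in "$@"; do                 # optional: programs whose libssl to show
        printf '%s -> %s\n' "$prog" "$(linked_libssl "$prog")"
    done
fi
```

Run it as `sh heartbleed_check.sh /usr/local/sbin/httpd` (or whatever daemons you care about) after the port is updated and the dependent ports are rebuilt; a base-system path in the libssl column means that program is still linked against the old library and needs a rebuild, and a verdict of "affected" on the port binary means the 1.0.1g update has not landed yet.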