From owner-freebsd-ports@FreeBSD.ORG Sat Jun 13 11:36:50 2015
Date: Sat, 13 Jun 2015 12:36:44 +0100
From: Matt Smith
To: Michelle Sullivan
Cc: Don Lewis, ml@netfence.it, freebsd-ports@FreeBSD.org
Subject: Re: OpenSSL Security Advisory [11 Jun 2015]
Message-ID: <20150613113644.GA1259@xtaz.uk>
References: <201506130551.t5D5pqiO084627@gw.catspoiler.org> <557C1042.4050405@sorbs.net>
In-Reply-To: <557C1042.4050405@sorbs.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
List-Id: Porting software to FreeBSD

On Jun 13 13:13, Michelle Sullivan wrote:
> Don Lewis wrote:
>> On 13 Jun, Michelle Sullivan wrote:
>>
>>> SSH would be the biggie that most security departments are scared of...
>>
>> Well, ssh is available in ports, though I haven't checked to see that it
>> picks up the correct version of openssl.
>
> Problem is it doesn't have 'overwrite base' anymore - and
> openssh-portable66 which does have overwrite base is now marked
> deprecated... which means one would have to be very careful about how
> they use SSH in production as both server and client... Server is
> easier as it has a different _enable identifier... but the client is not
> distinguishable so unless one puts /usr/local/bin in their permanent
> path as a priority over /usr/bin one will use the wrong version.

I put WITHOUT_OPENSSH=yes in /etc/src.conf. Then run make delete-old and
make delete-old-libs in /usr/src. This removes the base version, which
means you don't have this issue any longer. I do the same thing with NTP
and Unbound as well. Obviously this makes more sense if, like me, you do
source-based stuff rather than using freebsd-update. I'm not sure if you
can do similar with binary-based upgrades?

The other alternatives are, as you say, to put /usr/local/bin before
/usr/bin in the $PATH, or to add an alias for commands like ssh to point to
the ports version. These methods aren't quite as clean though.

-- 
Matt
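An added example, not from the thread or from FreeBSD itself: a few POSIX sh helpers that make the "which ssh client actually runs" question discussed above checkable. The function names are mine; the /usr/bin versus /usr/local/bin layout and the WITHOUT_OPENSSH knob are the ones the messages describe, and every path is passed in explicitly so the helpers work against a constructed directory tree as well as a live box.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for the "which ssh wins"
# problem discussed above. All paths are passed in explicitly so the helpers
# can be run against a constructed directory tree as well as a live system.

# first_in_path CMD PATHSTRING
# Prints the first executable CMD found by walking PATHSTRING in order, which
# is how the shell resolves a bare "ssh". Returns 1 and prints nothing if the
# command is not present in any listed directory.
first_in_path() {
    cmd=$1
    oldifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -x "$dir/$cmd" ]; then
            IFS=$oldifs
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# ssh_origin RESOLVED_PATH
# Classifies a resolved binary as the base-system copy (/usr/bin), the ports
# copy (/usr/local/bin) or something else. Any prefix before /usr is allowed
# so a chroot or a test tree can be inspected.
ssh_origin() {
    case $1 in
        */usr/local/bin/*) echo ports ;;
        */usr/bin/*)       echo base ;;
        *)                 echo other ;;
    esac
}

# src_conf_disables CONFFILE KNOB
# Returns 0 if CONFFILE contains an active WITHOUT_<KNOB>= line; commented-out
# lines do not count. With KNOB=OPENSSH this is the setting Matt describes.
src_conf_disables() {
    grep -Eq "^[[:space:]]*WITHOUT_$2[[:space:]]*=" "$1"
}

# On a live FreeBSD host: ssh_origin "$(first_in_path ssh "$PATH")"
```

Once the base binary has been removed by make delete-old, first_in_path resolves to the ports client no matter how $PATH is ordered, which is the point of Matt's approach over the PATH or alias workarounds.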