From owner-freebsd-ports@FreeBSD.ORG Sat Jun 13 12:29:40 2015
From: Michelle Sullivan <michelle@sorbs.net>
To: Matt Smith, Don Lewis, ml@netfence.it, freebsd-ports@FreeBSD.org
Subject: Re: OpenSSL Security Advisory [11 Jun 2015]
Date: Sat, 13 Jun 2015 14:29:36 +0200
Message-id: <557C2230.4070502@sorbs.net>
In-reply-to: <20150613113644.GA1259@xtaz.uk>
References: <201506130551.t5D5pqiO084627@gw.catspoiler.org> <557C1042.4050405@sorbs.net> <20150613113644.GA1259@xtaz.uk>

Matt Smith wrote:
> On Jun 13 13:13, Michelle Sullivan wrote:
>> Don Lewis wrote:
>>> On 13 Jun, Michelle Sullivan wrote:
>>>
>>>> SSH would be the biggie that most security departments are scared
>>>> of...
>>>>
>>>
>>> Well, ssh is available in ports, though I haven't checked to see
>>> that it picks up the correct version of openssl.
>>>
>>
>> Problem is it doesn't have 'overwrite base' anymore - and
>> openssh-portable66 which does have overwrite base is now marked
>> deprecated... which means one would have to be very careful about how
>> they use SSH in production as both server and client... Server is
>> easier as it has a different _enable identifier... but the client is not
>> distinguishable so unless one puts /usr/local/bin in their permanent
>> path as a priority over /usr/bin one will use the wrong version.
>>
>
> I put WITHOUT_OPENSSH=yes in /etc/src.conf. Then run make delete-old
> and make delete-old-libs in /usr/src. This removes the base version
> which means you don't have this issue any longer. I do the same thing
> with NTP and Unbound as well.
>
> Obviously this makes more sense if like me you do source based stuff
> rather than using freebsd-update. I'm not sure if you can do similar
> with binary based upgrades?
>

57 servers around the world that I have to maintain, patch and upgrade at
the same time as devel and maintain my applications... yeah I don't do
source stuff ;-)

It would be useful to have that option in freebsd-update.

> The other alternatives are as you say, put /usr/local/bin before
> /usr/bin in the $PATH. Or add an alias for commands like ssh to point
> to the ports version. These methods aren't quite as clean though.
>

Not clean and very error prone... replace base was a lot cleaner and less
error prone... but then you never know, the people in security might
surprise us and put out a version of base with openssl 1.0.2b in it - this
would be a real bonus for a lot of people and take us a little bit away
from debian where you can wait months/years for an update.... and then
sometimes only if you upgrade your system to include features that you
don't want.

-- 
Michelle Sullivan
http://www.mhix.org/
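The thread's concern is that a base-system `/usr/bin/ssh` silently wins over the ports client in `/usr/local/bin` unless `$PATH` is ordered carefully. The script below is an added example (not from the list thread or the FreeBSD project) that audits this for a given `$PATH` value: it resolves which `ssh` would actually run, classifies it as base or ports by its prefix, and lists the SSL libraries it links against via `ldd`. It assumes only the `/usr/bin` vs `/usr/local/bin` layout the thread describes.

```shell
#!/bin/sh
# Added example: audit which ssh client a PATH resolves to (base vs ports).

# first_in_path NAME PATHSTRING -> prints the first executable NAME along
# PATHSTRING (colon-separated), mirroring the shell's own lookup order.
first_in_path() {
    _name=$1
    _oldifs=$IFS
    IFS=:
    set -- $2            # split PATHSTRING on ':' into positional params
    IFS=$_oldifs
    for _d in "$@"; do
        if [ -x "$_d/$_name" ] && [ ! -d "$_d/$_name" ]; then
            printf '%s\n' "$_d/$_name"
            return 0
        fi
    done
    return 1
}

# ssh_origin FULLPATH -> "ports" for anything under /usr/local, else "base"
ssh_origin() {
    case $1 in
        /usr/local/*) echo ports ;;
        *)            echo base ;;
    esac
}

# linked_ssl FULLPATH -> names of libssl/libcrypto objects the binary loads
linked_ssl() {
    ldd "$1" 2>/dev/null | awk '/libssl|libcrypto/ { print $1 }'
}

# audit_ssh_path PATHSTRING -> prints a report; exit 1 when the base client
# would be run even though a ports client is installed, 2 if none is found.
audit_ssh_path() {
    _winner=$(first_in_path ssh "$1") || { echo "no ssh found in PATH"; return 2; }
    _origin=$(ssh_origin "$_winner")
    echo "PATH resolves ssh to: $_winner ($_origin)"
    echo "linked SSL objects:  $(linked_ssl "$_winner" | tr '\n' ' ')"
    if [ "$_origin" = base ] && [ -x /usr/local/bin/ssh ]; then
        echo "WARNING: base ssh shadows /usr/local/bin/ssh; fix PATH order"
        return 1
    fi
    return 0
}

# Usage on a live host: audit_ssh_path "$PATH"
```

Run `audit_ssh_path "$PATH"` for each service account, not just root, since the `$PATH` that matters is the one the cron jobs and automation actually inherit.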