Date:      Wed, 14 Apr 2004 22:45:05 +0200
From:      Oliver Eikemeier <eikemeier@fillmore-labs.com>
To:        Dirk Meyer <dirk.meyer@dinoex.sub.org>
Cc:        freebsd-ports@freebsd.org
Subject:   Re: SA-04:05 single patch && bsd.openssl.mk problem
Message-ID:  <407DA2D1.6070408@fillmore-labs.com>
In-Reply-To: <rNa21a3uh2@dmeyer.dinoex.sub.org>
References:  <Pine.BSF.4.53.0404141708380.9278@e0-0.zab2.int.zabbadoz.net> <rNa21a3uh2@dmeyer.dinoex.sub.org>

Dirk Meyer wrote:
> Bjoern A. Zeeb wrote:
> 
>>when applying the patch from SA-04:05[1] and re-building changed parts
>>of the base system opensslv.h does not get altered with the update
>>like it did with the commits to the various branches [2].
> 
>>bsd.openssl.mk now doing a string compare on p.ex. "0.9.7a-p1" which
>>will fail.  Thus ports that set USE_OPENSSL will depend on the
>>openssl package.
> 
> Previously the version number alone was checked,
> 
>>This logic is broken as the base system is patched and the openssl
>>package is not needed.
> 
> But there is no safe way to detect this in your setup.
> 
>>What short term solutions are there for people building ports
>>
>>- setting USE_OPENSSL_BASE=yes seems to be a possible workaround
>>  forcing the version of the base system and not the port to be used.
> 
> This is the setup I recommend:
> put in /etc/make.conf:
> WITH_OPENSSL_BASE=yes
> 
> and no autodetection will take place.
> 
>>- would it be possible to make the check in bsd.openssl.mk somehow
>>  more intelligent to better detect a patched version ?
> 
> There is no safe way in this case.
> If I could not detect 0.9.7a-p1, I will assume an outdated base.

What's the point of all this autodetection anyway? It gives you a false sense
of security, since it catches only the first vulnerability (in the base), but
will happily accept any further vulnerable version installed from ports.

I assume it is appropriate to issue a warning if a vulnerable version is used
(from the base or from ports), but I do not see the benefits of the semi-automatic
dependency.

How about making USE_OPENSSL_BASE=yes the default if the base has an OpenSSL
version, and rely on the user to install OpenSSL from ports (and recompile all
affected ports)?

-Oliver
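Added illustration, not code from bsd.openssl.mk or any other FreeBSD file: a small shell script showing why the autodetection discussed in this thread, a version comparison against the advisory's "0.9.7a-p1", cannot recognise a base system that was patched without opensslv.h being updated, and how WITH_OPENSSL_BASE=yes bypasses it. The header lines and the ordering rule (0.9.7 < 0.9.7a < 0.9.7a-p1 < 0.9.7b) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added illustration (not bsd.openssl.mk itself): a version check against
# "0.9.7a-p1" cannot see that a base system was patched per SA-04:05 when
# the patch left opensslv.h untouched.

# Constructed opensslv.h lines (sample data, not taken from a real system).
UNPATCHED_HDR='#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7a 19 Feb 2003"'
BUMPED_HDR='#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7a-p1 19 Feb 2003"'

# Pull the version token ("0.9.7a", "0.9.7a-p1") out of an opensslv.h line.
header_version() {
    printf '%s\n' "$1" | sed -n 's/.*"OpenSSL \([^ ]*\).*/\1/p'
}

# Split "0.9.7a-p1" into five numeric fields: major minor fix letter patch.
# A missing letter or -pN suffix counts as 0 (assumed ordering rule).
version_fields() {
    base=${1%-p*}; patch=${1#"$base"}; patch=${patch#-p}
    num=${base%%[a-z]*}; letter=${base#"$num"}
    [ -n "$letter" ] && letter=$(printf '%d' "'$letter") || letter=0
    oldifs=$IFS; IFS=.; set -- $num; IFS=$oldifs
    echo "${1:-0} ${2:-0} ${3:-0} $letter ${patch:-0}"
}

# version_ge A B: succeeds when A is the same as or newer than B.
version_ge() {
    set -- $(version_fields "$1") $(version_fields "$2")
    for i in 1 2 3 4 5; do
        eval "a=\$$i; b=\${$((i+5))}"
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# Autodetection as discussed in the thread: trust the base only if the
# version its header reports is at least the one the advisory shipped.
base_openssl_ok() {   # $1 header line, $2 required version
    version_ge "$(header_version "$1")" "$2"
}

# Which OpenSSL a port build picks. WITH_OPENSSL_BASE=yes (the make.conf
# setting recommended above) skips autodetection entirely.
choose_openssl() {    # $1 header line, $2 required version, $3 WITH_OPENSSL_BASE
    if [ "$3" = yes ] || base_openssl_ok "$1" "$2"; then echo base; else echo ports; fi
}

# A patched base whose header still says 0.9.7a is sent to ports unless overridden.
echo "unpatched header, autodetect: $(choose_openssl "$UNPATCHED_HDR" 0.9.7a-p1 "")"
echo "unpatched header, WITH_OPENSSL_BASE=yes: $(choose_openssl "$UNPATCHED_HDR" 0.9.7a-p1 yes)"
```

The same check accepts a later release such as 0.9.7b, so the comparison itself is sound; what it cannot do is distinguish a source-patched base from an unpatched one when the reported version is identical.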


