From: Carmel NY
To: FreeBSD Ports
Date: Sat, 13 Jun 2015 09:17:10 -0400
Subject: Re: OpenSSL Security Advisory [11 Jun 2015]

On Sat, 13 Jun 2015 14:48:04 +0200, Michelle Sullivan stated:

>Carmel NY wrote:
>> On Sat, 13 Jun 2015 12:36:44 +0100, Matt Smith stated:
>>
>>> The other alternatives are as you say, put /usr/local/bin before
>>> /usr/bin in the $PATH. Or add an alias for commands like ssh to point to
>>> the ports version. These methods aren't quite as clean though.
>>>
>> Swapping the PATH can, in a few instances, really mess up attempting to
>> build a port. I finally gave up and used the "alias" idea for openssl. It
>> appears to work Okay.
>>
>From a security aspect...
>
>Do all your users alias? (assumption: it's more than just you on the system)
>Do you check the alias is set every time you log in to a session?
>If you change to another shell for any reason is the alias persistent?
>(eg as root (defaults to csh) sometimes I have to do: sh -c 'for a in x
>y z ; do ( cd ${a} && rsync -e ssh remote.server:/path ) ; done' ) - and
>do other users know that this would be wrong?
>
>See the point I mean?
>
>For the security conscious one would know to use the full path of ssh,
>most do not do this... a large percentage have no idea that they would
>even need to let alone remember.
>
>Regards,
>
>Michelle
>
>PS: There is a workaround for ssh clients in /etc/ssh/ssh_config to stop
>it falling back to "insecure" protocols - though every freebsd-update
>attempts to change this file back to the default... fortunately I have
>puppet to reset the file in the event of me missing the update/reset.

alias openssl='/usr/local/bin/openssl'

I use bash as my shell. I have this set in the ~/.bashrc file:

if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
else
    : ## no-op so the empty else branch parses
fi

The ~/.bashrc file contains all of my predefined aliases.

$ openssl version
OpenSSL 1.0.2c 12 Jun 2015

# openssl version
OpenSSL 1.0.2c 12 Jun 2015

$ sudo openssl version
OpenSSL 1.0.1l-freebsd 15 Jan 2015

I probably should find a way to fix the "sudo" command; however, since I
rarely use it, I don't know if I will bother. For all practical purposes, I am
the only system user.

-- 
Carmel
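
An added example (not part of the original message) of the point raised in the quoted reply: an alias exists only in the shell that defined it, so a child started with sh -c '...' resolves openssl through PATH alone. The sandbox directory, the two fake openssl scripts and the function names are constructed for the illustration.

```sh
#!/bin/sh
# Constructed sandbox: two fake "openssl" scripts stand in for the base
# (/usr/bin) and ports (/usr/local/bin) binaries. Nothing real is touched.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/usr/bin" "$sb/usr/local/bin"
    printf '#!/bin/sh\necho "base openssl (constructed)"\n'  > "$sb/usr/bin/openssl"
    printf '#!/bin/sh\necho "ports openssl (constructed)"\n' > "$sb/usr/local/bin/openssl"
    chmod +x "$sb/usr/bin/openssl" "$sb/usr/local/bin/openssl"
    printf '%s\n' "$sb"
}

# Path that a fresh non-interactive shell resolves for command $1 under PATH $2.
# This is the situation of sh -c '...', cron jobs and scripts: no rc file is
# read, aliases are never inherited, and only PATH order decides.
resolve_in_child() {
    env -i PATH="$2" /bin/sh -c 'command -v "$1"' sh "$1"
}

# audit_cmd CMD WANTED PATH: succeed only if the child would run WANTED.
audit_cmd() {
    got=$(resolve_in_child "$1" "$3") || got="(not found)"
    if [ "$got" = "$2" ]; then
        echo "OK    $1 -> $got"
    else
        echo "WRONG $1 -> $got (wanted $2)"
        return 1
    fi
}

demo() {
    sb=$(make_sandbox) || return 1
    ports="$sb/usr/local/bin/openssl"
    alias openssl="$ports"    # the alias from the message; lives only in this shell
    audit_cmd openssl "$ports" "$sb/usr/bin:$sb/usr/local/bin" || true  # alias not seen
    audit_cmd openssl "$ports" "$sb/usr/local/bin:$sb/usr/bin" || true  # PATH order is
    unalias openssl
    rm -rf "$sb"
}

demo
```

The first audit line reports WRONG and the second OK: the alias never reaches the child, while the PATH ordering does.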