From owner-freebsd-security@freebsd.org Fri Dec 11 10:12:04 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 54AF14AA472 for ; Fri, 11 Dec 2020 10:12:04 +0000 (UTC) (envelope-from ml@netfence.it) Received: from soth.netfence.it (mailserver.netfence.it [78.134.96.152]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mailserver.netfence.it", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CsmmM2TWFz3LsB for ; Fri, 11 Dec 2020 10:12:02 +0000 (UTC) (envelope-from ml@netfence.it) Received: from alamar.ventu (alamar.local.netfence.it [10.1.2.18]) (authenticated bits=0) by soth.netfence.it (8.16.1/8.16.1) with ESMTPSA id 0BBABs5V023051 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO) for ; Fri, 11 Dec 2020 11:11:55 +0100 (CET) (envelope-from ml@netfence.it) X-Authentication-Warning: soth.netfence.it: Host alamar.local.netfence.it [10.1.2.18] claimed to be alamar.ventu Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl To: freebsd-security@freebsd.org References: <20201209230300.03251CA1@freefall.freebsd.org> From: Andrea Venturoli Message-ID: <0ccfbeb4-c4e1-53e6-81e8-112318cd9bf1@netfence.it> Date: Fri, 11 Dec 2020 11:11:54 +0100 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:78.0) Gecko/20100101 Thunderbird/78.5.1 MIME-Version: 1.0 In-Reply-To: <20201209230300.03251CA1@freefall.freebsd.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 4CsmmM2TWFz3LsB X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=pass (policy=none) header.from=netfence.it; spf=pass (mx1.freebsd.org: domain of ml@netfence.it designates 78.134.96.152 as permitted sender) smtp.mailfrom=ml@netfence.it X-Spamd-Result: default: False [-1.11 / 15.00]; RCVD_TLS_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[78.134.96.152:from]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:78.134.96.152]; MIME_GOOD(-0.10)[text/plain]; HAS_XAW(0.00)[]; TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[78.134.96.152:from:127.0.2.255]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; NEURAL_HAM_SHORT(-0.31)[-0.306]; DMARC_POLICY_ALLOW(-0.50)[netfence.it,none]; NEURAL_SPAM_LONG(1.00)[1.000]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:35612, ipnet:78.134.0.0/17, country:IT]; RCVD_COUNT_TWO(0.00)[2]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2020 10:12:04 -0000 On 12/10/20 12:03 AM, FreeBSD Security Advisories wrote: > Note: The OpenSSL project has published publicly available patches for > versions included in FreeBSD 12.x. This vulnerability is also known to > affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL > project is only giving patches for that version to premium support contract > holders. The FreeBSD project does not have access to these patches and > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project > may update this advisory to include FreeBSD 11.4 should patches become > publicly available. So I'm looking for suggestion on how to handle this. I guess I'll just upgrade some 11.4 to 12.2 and that'll be it. However there are a few boxes I can't or don't want to upgrade and I'm thinking about using openssl from ports. If I'm correct, I'll need to put "DEFAULT_VERSIONS= ssl=openssl" either in /etc/make.conf and/or in /usr/local/etc/poudriere.d/114amd64-make.conf. I started with the latter, but a bulk run ended up in some port failing (and a lot being skipped) due to kerberos support: AFAICT I cannot use base's kerberos with ports' openssl. Which is a better replacement: MIT or HEIMDAL? Then I think I'll just need "pkg upgrade -f", where I'm using packages. I still have some systems, however, that are using portupgrade: perhaps I can convert some to packages, but others have to stay like this for the moment. Will "portupgrade -Fa" do or do I need something more complex? bye & Thanks av.