Date:      Sat, 13 Jun 2015 12:36:44 +0100
From:      Matt Smith <fbsd@xtaz.co.uk>
To:        Michelle Sullivan <michelle@sorbs.net>
Cc:        Don Lewis <truckman@FreeBSD.org>, ml@netfence.it, freebsd-ports@FreeBSD.org
Subject:   Re: OpenSSL Security Advisory [11 Jun 2015]
Message-ID:  <20150613113644.GA1259@xtaz.uk>
In-Reply-To: <557C1042.4050405@sorbs.net>
References:  <201506130551.t5D5pqiO084627@gw.catspoiler.org> <557C1042.4050405@sorbs.net>

On Jun 13 13:13, Michelle Sullivan wrote:
>Don Lewis wrote:
>> On 13 Jun, Michelle Sullivan wrote:
>>> SSH would be the biggie that most security departments are scared of...
>>
>> Well, ssh is available in ports, though I haven't checked to see that it
>> picks up the correct version of openssl.
>
>Problem is it doesn't have 'overwrite base' anymore - and
>openssh-portable66 which does have overwrite base is now marked
>deprecated... which means one would have to be very careful about how
>they use SSH in production as both server and client...  Server is
>easier as it has a different _enable identifier... but the client is not
>distinguishable so unless one puts /usr/local/bin in their permanent
>path as a priority over /usr/bin one will use the wrong version.
>

I put WITHOUT_OPENSSH=yes in /etc/src.conf. Then run make delete-old and 
make delete-old-libs in /usr/src. This removes the base version, which 
means you don't have this issue any longer. I do the same thing with NTP 
and Unbound as well.

Obviously this makes more sense if, like me, you do source-based stuff 
rather than using freebsd-update. I'm not sure if you can do similar 
with binary-based upgrades?

The other alternatives are, as you say, to put /usr/local/bin before 
/usr/bin in the $PATH, or to add an alias for commands like ssh to point to 
the ports version. These methods aren't quite as clean though.

-- 
Matt
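
The two options discussed in the thread (remove the base OpenSSH via a src.conf knob, or make sure $PATH resolves ssh to the ports copy) are easy to get half-right, so here is an added example, not code from Matt or from the FreeBSD project, that makes both checkable. It writes the WITHOUT_* knobs idempotently and reports which ssh a given $PATH would actually run. The functions take the src.conf path, the base and ports bin directories and the search path as parameters so they can be exercised against a scratch directory; the scratch layout and the fake ssh scripts in the demo are constructed for illustration. It does not run the `make delete-old` step itself.

```sh
#!/bin/sh
# Added example (not from the thread). Helpers for the two approaches
# discussed: (1) WITHOUT_* knobs in src.conf so the next installworld and
# "make delete-old delete-old-libs" drop the base copies, and (2) checking
# which ssh binary a given PATH resolves to.

# Append a WITHOUT_* knob (as KNOB=yes) to a src.conf unless already present.
# Usage: add_src_conf_knob KNOB [FILE]   (FILE defaults to /etc/src.conf)
add_src_conf_knob() {
    knob="$1"
    conf="${2:-/etc/src.conf}"
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^${knob}=" "$conf"; then
        return 0            # already set; leave the existing value alone
    fi
    printf '%s=yes\n' "$knob" >> "$conf"
}

# Print the first executable named $1 found on the colon-separated path $2
# (defaults to $PATH). Returns 1 if none is found. Mirrors how the shell
# itself picks a command, which is the whole problem Michelle describes.
resolve_cmd() {
    name="$1"
    searchpath="${2:-$PATH}"
    oldifs="$IFS"; IFS=:
    for dir in $searchpath; do
        IFS="$oldifs"
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS="$oldifs"
    return 1
}

# Report whether the base system's copy of NAME shadows the ports copy on the
# given path. Exit status: 0 = fine, 1 = base shadows ports, 2 = not found.
# Usage: check_shadowing NAME BASE_BIN PORTS_BIN [PATH]
check_shadowing() {
    name="$1"; base="$2"; ports="$3"; searchpath="${4:-$PATH}"
    found=$(resolve_cmd "$name" "$searchpath") || { echo "$name: not found"; return 2; }
    case "$found" in
        "$ports/$name")
            echo "$name -> $found (ports version)"; return 0 ;;
        "$base/$name")
            if [ -x "$ports/$name" ]; then
                echo "$name -> $found (base shadows $ports/$name)"; return 1
            fi
            echo "$name -> $found (base; no ports version installed)"; return 0 ;;
        *)
            echo "$name -> $found"; return 0 ;;
    esac
}

# Stand-alone demo against a constructed scratch tree (not a real /usr).
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/usr/bin" "$scratch/usr/local/bin"
    printf '#!/bin/sh\necho base\n'  > "$scratch/usr/bin/ssh"
    printf '#!/bin/sh\necho ports\n' > "$scratch/usr/local/bin/ssh"
    chmod +x "$scratch/usr/bin/ssh" "$scratch/usr/local/bin/ssh"

    # Default-style PATH (/usr/bin first): the base client wins.
    check_shadowing ssh "$scratch/usr/bin" "$scratch/usr/local/bin" \
        "$scratch/usr/bin:$scratch/usr/local/bin" || :
    # /usr/local/bin first: the ports client wins.
    check_shadowing ssh "$scratch/usr/bin" "$scratch/usr/local/bin" \
        "$scratch/usr/local/bin:$scratch/usr/bin" || :

    # The knobs Matt uses for OpenSSH, NTP and Unbound, written once each.
    for k in WITHOUT_OPENSSH WITHOUT_NTP WITHOUT_UNBOUND; do
        add_src_conf_knob "$k" "$scratch/src.conf"
        add_src_conf_knob "$k" "$scratch/src.conf"   # second call is a no-op
    done
    cat "$scratch/src.conf"
    rm -r "$scratch"
}

demo
```

On a real box the knobs only take effect on the next installworld; `make delete-old delete-old-libs` in /usr/src (non-interactively with `-DBATCH_DELETE_OLD_FILES`) is what actually removes the old base files afterwards. Before removing the base sshd, make sure the port's server is enabled (`openssh_enable="YES"` in rc.conf, the separate _enable identifier Michelle mentions) and reachable, or the next reboot leaves you without remote access.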



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150613113644.GA1259>