Date: Sat, 13 Jun 2015 14:29:36 +0200 From: Michelle Sullivan <michelle@sorbs.net> To: Matt Smith <fbsd@xtaz.co.uk>, Don Lewis <truckman@FreeBSD.org>, ml@netfence.it, freebsd-ports@FreeBSD.org Subject: Re: OpenSSL Security Advisory [11 Jun 2015] Message-ID: <557C2230.4070502@sorbs.net> In-Reply-To: <20150613113644.GA1259@xtaz.uk> References: <201506130551.t5D5pqiO084627@gw.catspoiler.org> <557C1042.4050405@sorbs.net> <20150613113644.GA1259@xtaz.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
Matt Smith wrote: > On Jun 13 13:13, Michelle Sullivan wrote: >> Don Lewis wrote: >>> On 13 Jun, Michelle Sullivan wrote: >>> >>> >>>> SSH would be the biggie that most security departments are scared >>>> of... >>>> >>> >>> Well, ssh is available in ports, though I haven't checked to see >>> that it >>> picks up the correct version of openssl. >>> >>> >> >> Problem is it doesn't have 'overwrite base' anymore - and >> openssh-portable66 which does have overwrite base is now marked >> depreciated... which means one would have to be very careful about how >> they use SSH in production as both server and client... Server is >> easier as it has a different _enable identifier... but the client is not >> distinguishable so unless one puts /usr/local/bin in their permanent >> path as a priority over /usr/bin one will use the wrong version. >> > > I put WITHOUT_OPENSSH=yes in /etc/src.conf. Then run make delete-old > and make delete-old-libs in /usr/src. This removes the base version > which means you don't have this issue any longer. I do the same thing > with NTP and Unbound as well. > > Obviously this makes more sense if like me you do source based stuff > rather than using freebsd-update. I'm not sure if you can do similar > with binary based upgrades? > 57 servers around the world that I have to maintain, patch and upgrade at the same time as devel and maintain my applications... yeah I don't do source stuff ;-) It would be useful to have that option in freebsd-update. > The other alternatives are as you say, put /usr/local/bin before > /usr/bin in the $PATH. Or add an alias for commands like ssh to point > to the ports version. These methods aren't quite as clean though. > Not clean and very error prone... replace base was a lot cleaner and less error prone... but then you never know the people in security might surprise us and put out a version of base with openssl 1.0.2b in it - this would be a real bonus for a lot of people and take us a little bit away from debian where you can wait months/years for an update.... and then sometimes only if you upgrade your system to include features that you don't want. -- Michelle Sullivan http://www.mhix.org/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?557C2230.4070502>