OpenSSL Security Advisory [11 Jun 2015]

Don Lewis truckman at FreeBSD.org
Sat Jun 13 05:52:03 UTC 2015


On 13 Jun, Michelle Sullivan wrote:
> Don Lewis wrote:
>>
>> I'm still running 8.4 here (but planning on upgrading to 10.1 in the
>> next couple of weeks).  I use poudriere to build my own package set with
>> customized options, and I mentioned a couple weeks ago on
>> freebsd-security@ that I switched my packages to use the openssl port
>> instead of openssl from base by adding WITH_OPENSSL_PORT=yes to
>> make.conf.  The only significant problem that I ran into was with
>> ftp/curl, which silently continues to link to base openssl if you leave
>> its GSSAPI option set to the default GSSAPI_BASE.  Choosing one of the
>> other options fixes that problem.
>>
> 
> Actually I ran into that problem (or a similar), but with different
> ports and couldn't work out how to nuke it.. so to work around just
> disabled linking GSSAPI and that seemed to cure the issue.

After looking at the problem for a bit, the first thing I tried was
GSSAPI_NONE, since that is a feature that I did not need.  I
subsequently verified the other non-default GSSAPI settings also worked
and filed a PR with a patch to fix curl's sanity check to catch the
conflicting settings.

>> There were a couple of other ports that I found in the set that I build
>> that didn't handle WITH_OPENSSL_PORT=yes, but they were easy to fix and
>> I filed PRs with patches for them.  The last time I looked, there was
>> only one port that set WITH_OPENSSL_BASE=yes in its Makefile, and that
>> is not a port that I use.
>>
> 
> WITH_OPENSSL_PORT=yes
> 
> worked for me with all except openldap - which was one of the ports that
> I needed to disable GSSAPI on.

Makes sense.  I didn't stumble across that one since I don't use ldap here.
 
>> Of all the binaries and shared libraries installed by my set of
>> packages, the only ones that still link to base openssl belong to
>> ports-mgmt/pkg.  Fixing that and avoiding the resulting chicken vs. egg
>> problem would probably require bundling a private copy of openssl with
>> pkg.
>>
>> There are still a number of things in base that use openssl, but in my
>> case the only significant ones are ssh and fetch.  In one of the replies
>> in the thread that I started, someone mentioned that it could be a
>> problem if a port uses libfetch because that shared library is linked to
>> openssl from base, but none of the ports that I use appear to use
>> libfetch.
>>   
> 
> SSH would be the biggie that most security departments are scared of...

Well, ssh is available in ports, though I haven't checked to see that it
picks up the correct version of openssl.
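As an added example (not part of Don Lewis's message or of the thread), here is a small POSIX shell audit for the check described above: it classifies each libssl/libcrypto dependency that ldd(1) reports as coming from base (/usr/lib) or from the security/openssl port (/usr/local/lib), which is how one would confirm whether a port binary such as pkg, curl or the ports ssh picks up the intended OpenSSL. The pkg info -ql and ldd invocations assume a FreeBSD host; the library paths and version suffixes are assumptions about the 8.x/10.x layout, and the ldd output shown in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Classify the OpenSSL shared
# libraries a binary resolves at load time as "base" (/usr/lib, FreeBSD base
# system) or "port" (/usr/local/lib, security/openssl port). Input is the
# output of ldd(1) on stdin; one "<base|port|other> <library>" line is
# printed per libssl/libcrypto dependency.
classify_ssl_links() {
    awk '
        # ldd prints lines like:  libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\/lib\//)   tag = "port"
            else if ($3 ~ /^\/usr\/lib\//)     tag = "base"
            else                               tag = "other"   # e.g. "not found"
            print tag, $1
        }
    '
}

# Exit status 0 if no base-OpenSSL dependency is present in the ldd output
# read from stdin, 1 otherwise.
has_no_base_ssl() {
    ! classify_ssl_links | grep -q '^base '
}

# Audit every file installed by one package (FreeBSD pkg(8) and ldd(1) are
# assumed to exist). Prints "<file>: <base|port|other> <library>" lines.
audit_pkg() {
    pkg info -ql "$1" | while IFS= read -r f; do
        [ -f "$f" ] || continue
        ldd "$f" 2>/dev/null | classify_ssl_links | sed "s|^|$f: |"
    done
}

# When invoked with package names on a FreeBSD host, audit each of them,
# e.g.:  sh audit-ssl.sh ports-mgmt/pkg ftp/curl security/openssh-portable
if [ "$#" -gt 0 ] && command -v pkg >/dev/null 2>&1; then
    for p in "$@"; do
        audit_pkg "$p"
    done
fi
```

With constructed ldd output such as `libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)` piped into `classify_ssl_links`, the function prints `base libssl.so.7`, so a package that was supposed to honour WITH_OPENSSL_PORT=yes but still shows any `base` line is the kind of silent fallback the curl GSSAPI_BASE case produces. Any line tagged `other` (typically `not found`) points at a library that was removed or relocated after the binary was built and deserves a look as well.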


