OpenSSL Security Advisory [11 Jun 2015]

Michelle Sullivan michelle at sorbs.net
Sat Jun 13 12:29:40 UTC 2015 

Matt Smith wrote:
> On Jun 13 13:13, Michelle Sullivan wrote:
>> Don Lewis wrote:
>>> On 13 Jun, Michelle Sullivan wrote:
>>>
>>>
>>>> SSH would be the biggie that most security departments are scared
>>>> of...
>>>>
>>>
>>> Well, ssh is available in ports, though I haven't checked to see
>>> that it
>>> picks up the correct version of openssl.
>>>
>>>
>>
>> Problem is it doesn't have 'overwrite base' anymore - and
>> openssh-portable66 which does have overwrite base is now marked
>> depreciated... which means one would have to be very careful about how
>> they use SSH in production as both server and client...  Server is
>> easier as it has a different _enable identifier... but the client is not
>> distinguishable so unless one puts /usr/local/bin in their permanent
>> path as a priority over /usr/bin one will use the wrong version.
>>
>
> I put WITHOUT_OPENSSH=yes in /etc/src.conf. Then run make delete-old
> and make delete-old-libs in /usr/src. This removes the base version
> which means you don't have this issue any longer. I do the same thing
> with NTP and Unbound as well.
>
> Obviously this makes more sense if like me you do source based stuff
> rather than using freebsd-update. I'm not sure if you can do similar
> with binary based upgrades?
>

57 servers around the world that I have to maintain, patch and upgrade
at the same time as devel and maintain my applications... yeah I don't
do source stuff ;-)

It would be useful to have that option in freebsd-update.

> The other alternatives are as you say, put /usr/local/bin before
> /usr/bin in the $PATH. Or add an alias for commands like ssh to point
> to the ports version. These methods aren't quite as clean though.
>
Not clean and very error prone... replace base was a lot cleaner and
less error prone... but then you never know the people in security might
surprise us and put out a version of base with openssl 1.0.2b in it -
this would be a real bonus for a lot of people and take us a little bit
away from debian where you can wait months/years for an update.... and
then sometimes only if you upgrade your system to include features that
you don't want.

-- 
Michelle Sullivan
http://www.mhix.org/

More information about the freebsd-ports mailing list