OpenSSL 0.9.8k -> 0.9.8l
m.seaman at infracaninophile.co.uk
Sat Apr 17 17:56:48 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
On 17/04/2010 17:01:13, Tim Gustafson wrote:
>> This isn't an answer to your question, but you could
>> always use OpenSSL from the ports tree.
> I'm hesitant to do so because in the past I've had problem when I've
> used the ports to upgrade base OS-level stuff, like OpenSSL or Sendmail,
> then the buildworld cycle overwrites the ports library and the ports
> library overwrites the OS-level stuff and so on, which in the past has
> caused general mayhem.
This is why you *don't* want to use the overwrite base option. It has
it's uses, but for most people it's better to steer clear.
Instead, install OpenSSL 1.0.0 from ports. Make sure your
/etc/make.conf contains this:
Then rebuild any ports that link against any of the OpenSSL shlibs.
Only ported software gets linked against the ports version of OpenSSL,
so you might want to switch to the ports version of eg. sendmail.
Note that there are still security bugs in many versions up to and
including 0.9.8m, and you should probably upgrade to at least 0.9.8n:
> It seems to me that the exploits purported to exist in 0.9.8k are
> serious enough to merit an upgrade to 0.9.8l for everyone. Is there
> a reason why you wouldn't want to upgrade to 0.9.8l?
The bugs in 0.9.8k (to do with MITM code injection) were worked around
at the time by disabling session renegotiation. Most of the time this
is invisible to end users and solves the vulnerability, but some
applications might cease to work.
If your base system is patched up to date or you've at least applied this:
then it will contain a small patch to the SSL libraries with the work
around as above. The OpenSSL version number wasn't bumped, so idiot
security scans will still think you are vulnerable to the MITM attack
even though that is not the case.
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the freebsd-security