SA-04:05 single patch && bsd.openssl.mk problem
Oliver Eikemeier
eikemeier at fillmore-labs.com
Wed Apr 14 13:45:33 PDT 2004
Dirk Meyer wrote:
> Bjoern A. Zeeb schrieb:,
>
>>when applying the patch from SA-04:05[1] and re-building changed parts
>>of the base system opensslv.h does not get altered with the update
>>like it did with the commits to the various branches [2].
>
>>bsd.openssl.mk now doing a string compare on p.ex. "0.9.7a-p1" which
>>will fail. Thus ports that set USE_OPENSSL will depend on the
>>openssl package.
>
> Previously the version numer alone was checked,
>
>>This logic is broken as the base system is patched and the openssl
>>package is not needed.
>
> But there is no safe way to detect this in your setup.
>
>>What short term solutions are there for people building ports
>>
>>- setting USE_OPENSSL_BASE=yes seems to be a possible workaround
>> forcing the version of the base system and not the port to be used.
>
> This is the setup I recommend:
> put in /etc/make.conf:
> WITH_OPENSSL_BASE=yes
>
> and no autodection will take place.
>
>>- would it be possible to make the check in bsd.openssl.mk somehow
>> more intelligent to better detect a patched version ?
>
> There is no safe way in this case.
> If I could not detect 0.9.7a-p1, I will assume an outdated base.
What's the point of all this autodetection anyway? It gives you a false sense
of security, since it catches only the first vulnerability (in the base), but
will happily accept any further vulnerable version installed from ports.
I asume it is appropriate to issue a warning if a vulnerable version is used
(from the base or from ports), but I do not se the benfits of the semi-automatic
dependency.
How about making USE_OPENSSL_BASE=yes the default if the base has an OpenSSL
version, and rely on the user to install OpenSSL from ports (and recompile all
affected ports)?
-Oliver
More information about the freebsd-ports
mailing list