SA-04:05 single patch && bsd.openssl.mk problem
eikemeier at fillmore-labs.com
Wed Apr 14 13:45:33 PDT 2004
Dirk Meyer wrote:
> Bjoern A. Zeeb schrieb:,
>>when applying the patch from SA-04:05 and re-building changed parts
>>of the base system opensslv.h does not get altered with the update
>>like it did with the commits to the various branches .
>>bsd.openssl.mk now doing a string compare on p.ex. "0.9.7a-p1" which
>>will fail. Thus ports that set USE_OPENSSL will depend on the
> Previously the version numer alone was checked,
>>This logic is broken as the base system is patched and the openssl
>>package is not needed.
> But there is no safe way to detect this in your setup.
>>What short term solutions are there for people building ports
>>- setting USE_OPENSSL_BASE=yes seems to be a possible workaround
>> forcing the version of the base system and not the port to be used.
> This is the setup I recommend:
> put in /etc/make.conf:
> and no autodection will take place.
>>- would it be possible to make the check in bsd.openssl.mk somehow
>> more intelligent to better detect a patched version ?
> There is no safe way in this case.
> If I could not detect 0.9.7a-p1, I will assume an outdated base.
What's the point of all this autodetection anyway? It gives you a false sense
of security, since it catches only the first vulnerability (in the base), but
will happily accept any further vulnerable version installed from ports.
I asume it is appropriate to issue a warning if a vulnerable version is used
(from the base or from ports), but I do not se the benfits of the semi-automatic
How about making USE_OPENSSL_BASE=yes the default if the base has an OpenSSL
version, and rely on the user to install OpenSSL from ports (and recompile all
More information about the freebsd-ports