SA-04:05 single patch && problem

Oliver Eikemeier eikemeier at
Wed Apr 14 13:45:33 PDT 2004

Dirk Meyer wrote:
> Bjoern A. Zeeb schrieb:,
>>when applying the patch from SA-04:05[1] and re-building changed parts
>>of the base system  opensslv.h does not get altered with the update
>>like it did with the commits to the various branches [2].
>> now doing a string compare on p.ex. "0.9.7a-p1" which
>>will fail.  Thus ports that set USE_OPENSSL will depend on the
>>openssl package.
> Previously the version numer alone was checked,
>>This logic is broken as the base system is patched and the openssl
>>package is not needed.
> But there is no safe way to detect this in your setup.
>>What short term solutions are there for people building ports
>>- setting USE_OPENSSL_BASE=yes seems to be a possible workaround
>>  forcing the version of the base system and not the port to be used.
> This is the setup I recommend:
> put in /etc/make.conf:
> and no autodection will take place.
>>- would it be possible to make the check in somehow
>>  more intelligent to better detect a patched version ?
> There is no safe way in this case.
> If I could not detect 0.9.7a-p1, I will assume an outdated base.

What's the point of all this autodetection anyway? It gives you a false sense
of security, since it catches only the first vulnerability (in the base), but
will happily accept any further vulnerable version installed from ports.

I asume it is appropriate to issue a warning if a vulnerable version is used
(from the base or from ports), but I do not se the benfits of the semi-automatic

How about making USE_OPENSSL_BASE=yes the default if the base has an OpenSSL
version, and rely on the user to install OpenSSL from ports (and recompile all
affected ports)?


More information about the freebsd-ports mailing list