OpenSSL Security Advisory [11 Jun 2015]
Michelle Sullivan
michelle at sorbs.net
Sat Jun 13 03:02:53 UTC 2015
Don Lewis wrote:
>
> I'm still running 8.4 here (but planning on upgrading to 10.1 in the
> next couple of weeks). I use poudriere to build my own package set with
> customized options, and I mentioned a couple weeks ago on
> freebsd-security@ that I switched my packages to use the openssl port
> instead of openssl from base by adding WITH_OPENSSL_PORT=yes to
> make.conf. The only significant problem that I ran into was with
> ftp/curl, which silently continues to link to base openssl if you leave
> its GSSAPI option set to the default GSSAPI_BASE. Choosing one of the
> other options fixes that problem.
>
Actually I ran into that problem (or a similar), but with different
ports and couldn't work out how to nuke it.. so to work around just
disabled linking GSSAPI and that seemed to cure the issue.
> There were a couple of other ports that I found in the set that I build
> that didn't handle WITH_OPENSSL_PORT=yes, but they were easy to fix and
> I filed PRs with patches for them. The last time I looked, there was
> only one port that set WITH_OPENSSL_BASE=yes in its Makefile, and that
> is not a port that I use.
>
WITH_OPENSSL_PORT=yes
worked for me with all except openldap - which was one of the ports that
I needed to disable GSSAPI on.
> Of all the binaries and shared libraries installed by my set of
> packages, the only ones that still link to base openssl belong to
> ports-mgmt/pkg. Fixing that and avoiding the resulting chicken vs. egg
> problem would probably require bundling a private copy of openssl with
> pkg.
>
> There are still a number of things in base that use openssl, but in my
> case the only significant ones are ssh and fetch. In one of the replies
> in the thread that I started, someone mentioned that it could be a
> problem if a port uses libfetch because that shared library is linked to
> openssl from base, but none of the ports that I use appear to use
> libfetch.
>
SSH would be the biggie that most security departments are scared of...
--
Michelle Sullivan
http://www.mhix.org/
More information about the freebsd-ports
mailing list