OpenSSL Security Advisory [11 Jun 2015]

Matt Smith fbsd at
Sat Jun 13 11:36:50 UTC 2015

On Jun 13 13:13, Michelle Sullivan wrote:
>Don Lewis wrote:
>> On 13 Jun, Michelle Sullivan wrote:
>>> SSH would be the biggie that most security departments are scared of...
>> Well, ssh is available in ports, though I haven't checked to see that it
>> picks up the correct version of openssl.
>Problem is it doesn't have 'overwrite base' anymore - and
>openssh-portable66 which does have overwrite base is now marked
>depreciated... which means one would have to be very careful about how
>they use SSH in production as both server and client...  Server is
>easier as it has a different _enable identifier... but the client is not
>distinguishable so unless one puts /usr/local/bin in their permanent
>path as a priority over /usr/bin one will use the wrong version.

I put WITHOUT_OPENSSH=yes in /etc/src.conf. Then run make delete-old and 
make delete-old-libs in /usr/src. This removes the base version which 
means you don't have this issue any longer. I do the same thing with NTP 
and Unbound as well.

Obviously this makes more sense if like me you do source based stuff 
rather than using freebsd-update. I'm not sure if you can do similar 
with binary based upgrades?

The other alternatives are as you say, put /usr/local/bin before 
/usr/bin in the $PATH. Or add an alias for commands like ssh to point to 
the ports version. These methods aren't quite as clean though.


More information about the freebsd-ports mailing list