OpenSSL Security Advisory [11 Jun 2015]
fbsd at xtaz.co.uk
Sat Jun 13 11:36:50 UTC 2015
On Jun 13 13:13, Michelle Sullivan wrote:
>Don Lewis wrote:
>> On 13 Jun, Michelle Sullivan wrote:
>>> SSH would be the biggie that most security departments are scared of...
>> Well, ssh is available in ports, though I haven't checked to see that it
>> picks up the correct version of openssl.
>Problem is it doesn't have 'overwrite base' anymore - and
>openssh-portable66 which does have overwrite base is now marked
>depreciated... which means one would have to be very careful about how
>they use SSH in production as both server and client... Server is
>easier as it has a different _enable identifier... but the client is not
>distinguishable so unless one puts /usr/local/bin in their permanent
>path as a priority over /usr/bin one will use the wrong version.
I put WITHOUT_OPENSSH=yes in /etc/src.conf. Then run make delete-old and
make delete-old-libs in /usr/src. This removes the base version which
means you don't have this issue any longer. I do the same thing with NTP
and Unbound as well.
Obviously this makes more sense if like me you do source based stuff
rather than using freebsd-update. I'm not sure if you can do similar
with binary based upgrades?
The other alternatives are as you say, put /usr/local/bin before
/usr/bin in the $PATH. Or add an alias for commands like ssh to point to
the ports version. These methods aren't quite as clean though.
More information about the freebsd-ports