OpenSSL Security Advisory [11 Jun 2015]
michelle at sorbs.net
Sat Jun 13 12:29:40 UTC 2015
Matt Smith wrote:
> On Jun 13 13:13, Michelle Sullivan wrote:
>> Don Lewis wrote:
>>> On 13 Jun, Michelle Sullivan wrote:
>>>> SSH would be the biggie that most security departments are scared
>>> Well, ssh is available in ports, though I haven't checked to see
>>> that it
>>> picks up the correct version of openssl.
>> Problem is it doesn't have 'overwrite base' anymore - and
>> openssh-portable66 which does have overwrite base is now marked
>> depreciated... which means one would have to be very careful about how
>> they use SSH in production as both server and client... Server is
>> easier as it has a different _enable identifier... but the client is not
>> distinguishable so unless one puts /usr/local/bin in their permanent
>> path as a priority over /usr/bin one will use the wrong version.
> I put WITHOUT_OPENSSH=yes in /etc/src.conf. Then run make delete-old
> and make delete-old-libs in /usr/src. This removes the base version
> which means you don't have this issue any longer. I do the same thing
> with NTP and Unbound as well.
> Obviously this makes more sense if like me you do source based stuff
> rather than using freebsd-update. I'm not sure if you can do similar
> with binary based upgrades?
57 servers around the world that I have to maintain, patch and upgrade
at the same time as devel and maintain my applications... yeah I don't
do source stuff ;-)
It would be useful to have that option in freebsd-update.
> The other alternatives are as you say, put /usr/local/bin before
> /usr/bin in the $PATH. Or add an alias for commands like ssh to point
> to the ports version. These methods aren't quite as clean though.
Not clean and very error prone... replace base was a lot cleaner and
less error prone... but then you never know the people in security might
surprise us and put out a version of base with openssl 1.0.2b in it -
this would be a real bonus for a lot of people and take us a little bit
away from debian where you can wait months/years for an update.... and
then sometimes only if you upgrade your system to include features that
you don't want.
More information about the freebsd-ports