On Sun, Apr 27, 2014 at 10:08 AM, Jamie Landeg-Jones <jamie@dyslexicfish.net> wrote:

> One of the first things I do on installing a new machine is install
> OpenSSL from ports. I do build with base OpenSSL due to the many programs
> that depend on it, but using ports OpenSSL for ports makes things easier
> to patch/update.
>
> In the case of Heartbleed, for example, I was able to fix ports OpenSSL
> much sooner than base.
>
> In the process, however, I discovered a couple of ports that built against
> base even when the port was installed. I was going to supply patches /
> notify the maintainers, but first did a check, and discovered that a lot
> of current ports do similar.
>
> It turns out that this wasn't a problem specifically, but more generally,
> it's possible that someone may think a port has been patched when it hasn't.
>
> Basically what I'm asking: Shouldn't a port that uses OpenSSL *always*
> build against the port if it's installed?

The port should use the OpenSSL port if it is installed, unless the port
sets one of these variables in its Makefile:

WITH_OPENSSL_BASE
USE_OPENSSL_BASE

The port shouldn't be setting these variables.

Do you have a list of which ports used the OpenSSL from base, instead of
the installed OpenSSL port? Could you check if they set these variables?

> I realise this isn't always possible to test, especially if the port Makefile
> doesn't have any OpenSSL configuration options, but I'd like to hear
> others' opinions on the matter.
>
> [ Not crossposted to ports@ as I'm unsure on cross-posting etiquette, but
> feel free to add them in if appropriate ]

This is more of a ports issue than a security issue. Post the list of
affected ports to ports@, and/or submit PRs to correct them.

--
DISCLAIMER: No electrons were maimed while sending this message. Only slightly bruised.
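The check the reply asks for (which installed port binaries still resolve OpenSSL from base, and whether a port's Makefile sets WITH_OPENSSL_BASE or USE_OPENSSL_BASE) can be scripted. The script below is an added example written for this archive page; it is not code from either poster or from the FreeBSD ports tree. It assumes the FreeBSD layout the thread implies (base libraries under /usr/lib, port libraries under /usr/local/lib), the standard ldd and pkg(8) tools, and takes ldd output as text so that the classifier can be exercised offline on the constructed sample lines embedded in it.

```shell
#!/bin/sh
# Added example, not from the original thread. Finds binaries that were
# linked against base OpenSSL even though the OpenSSL port is installed,
# and checks a port Makefile for the two variables named in the reply.

# classify_ldd: read ldd(1) output on stdin and print one of
#   base  - libssl/libcrypto resolved from /usr/lib (base system)
#   ports - both resolved from /usr/local/lib (the OpenSSL port)
#   none  - the binary does not link OpenSSL at all
# A binary that mixes one base and one port library is reported as "base",
# because a base library is still loaded and must still be patched.
classify_ldd() {
    awk '
        /lib(ssl|crypto)\.so/ {
            if ($0 ~ /\/usr\/local\/lib\//) ports = 1
            else if ($0 ~ /\/usr\/lib\//) base = 1
        }
        END {
            if (base) print "base"
            else if (ports) print "ports"
            else print "none"
        }'
}

# makefile_forces_base: succeed (exit 0) if the Makefile text on stdin sets
# WITH_OPENSSL_BASE or USE_OPENSSL_BASE with any make(1) assignment operator.
makefile_forces_base() {
    grep -Eq '^[[:space:]]*(WITH|USE)_OPENSSL_BASE[[:space:]]*[?:+]?='
}

# audit_binaries: for every executable given, run ldd and report the ones
# that still pick up base OpenSSL, together with the owning package
# (pkg which -q prints only the package name). Meant to be run on a
# FreeBSD host as e.g.: audit_binaries /usr/local/bin/* /usr/local/sbin/*
audit_binaries() {
    if [ ! -e /usr/local/lib/libssl.so ]; then
        echo "OpenSSL port not installed; nothing to compare against" >&2
        return 1
    fi
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        verdict=$(ldd "$bin" 2>/dev/null | classify_ldd)
        if [ "$verdict" = "base" ]; then
            pkgname=$(pkg which -q "$bin" 2>/dev/null)
            printf '%s links base OpenSSL (package: %s)\n' \
                "$bin" "${pkgname:-unknown}"
        fi
    done
}

# Constructed sample ldd output (not captured from a real machine) so the
# classifier can be demonstrated where no FreeBSD host is available.
SAMPLE_BASE_LDD='libssl.so.7 => /usr/lib/libssl.so.7 (0x800)
libcrypto.so.7 => /usr/lib/libcrypto.so.7 (0x801)'

if [ $# -gt 0 ]; then
    audit_binaries "$@"
else
    printf 'sample verdict: %s\n' \
        "$(printf '%s\n' "$SAMPLE_BASE_LDD" | classify_ldd)"
fi
```

Run with a list of binaries to audit a live system; with no arguments it only classifies the constructed sample. Pipe a port's Makefile into makefile_forces_base to see whether the port itself, rather than the build environment, is what pinned it to base OpenSSL.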
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"