Critical OpenSSL issue

David Newman dnewman at networktest.com
Tue Apr 8 02:31:48 UTC 2014


On 4/7/14, 7:25 PM, David Newman wrote:
> On 4/7/14, 2:42 AM, Polytropon wrote:
>> On Mon, 07 Apr 2014 01:39:37 -0700, Darren Pilgrim wrote:
>>> On 4/6/2014 11:52 PM, Polytropon wrote:
>>>> On Sun, 6 Apr 2014 23:42:35 -0700 (PDT), Jack Mc Lauren wrote:
>>>>> Hi
>>>>> I'm using FreeBSD 9.2 which comes with openssl 0.9.8y.
>>>>> How can I update it to version 1.0.1f?
> 
> There ass a critical OpenSSL security flaw announced today for 1.0.1f
> and earlier. Version 0.9.8 is not affected.
> 
> The security team hasn't yet posted an advisory but they probably will
> real soon now. As I write this (8 April 2014 0223 UTC) openssl 1.0.1f is
> no longer in the ports tree, and has not yet been replaced; again, I
> expect the port maintainer will post 1.0.1g real soon now.

1.0.1g appeared in ports right after I sent this.

If you're going to upgrade, this is the one to use.

dn


> 
> More info:
> 
> https://www.openssl.org/news/secadv_20140407.txt
> 
> There's a FAQ here:
> 
> http://heartbleed.com/
> 
> dn
> 
>>>>> Thanks in advance.
>>>>
>>>> Probably using the ports version should be the easiest
>>>> method. Update your ports tree, Install security/openssl,
>>>> and check if any other applications need to be rebuilt.
>>>
>>> You need to add WITH_OPENSSL_PORT=yes to /etc/make.conf to enable 
>>> linking to the openssl port.
>>
>> Yes, that is also needed.
>>
>>
>>
>>>> If you're using a custom-built system, you can also
>>>> disable the integration of SSL into the OS by defining
>>>> WITHOUT_OPENSSL in /etc/src.conf and rebuilding. See
>>>> "man src.conf" for details.
>>>
>>> Don't do this.  OpenSSL is needed by so many things in the base that 
>>> it's effectively mandatory.  Just rely on WITH_OPENSSL_PORT making the 
>>> ports framework select the correct library.
>>
>> Still /etc/src.conf allows you to disable most of those
>> parts. As I have never tried the "full set", I'm not sure
>> what would break, but at least I assume that more than
>> one "crypto" component could be affected, maybe even the
>> system mailing service.
>>
>> From "man src.conf":
>>
>>      WITHOUT_CRYPT
>>              Set to not build any crypto code.  When set, it also enforces the
>>              following options:
>>
>>              WITHOUT_GSSAPI (can be overridden with WITH_GSSAPI)
>>              WITHOUT_KERBEROS
>>              WITHOUT_KERBEROS_SUPPORT
>>              WITHOUT_OPENSSH
>>              WITHOUT_OPENSSL
>>
>> [...]
>>
>>      WITHOUT_OPENSSL
>>              Set to not build OpenSSL.  When set, it also enforces the follow-
>>              ing options:
>>
>>              WITHOUT_GSSAPI (can be overridden with WITH_GSSAPI)
>>              WITHOUT_KERBEROS
>>              WITHOUT_KERBEROS_SUPPORT
>>              WITHOUT_OPENSSH
>>
>> Your suggestion is worth following especially in regards of SSH.
>>
>>
>>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
> 


More information about the freebsd-questions mailing list