Date:      Mon, 07 Apr 2014 19:25:59 -0700
From:      David Newman <dnewman@networktest.com>
To:        freebsd-questions@freebsd.org
Subject:   Critical OpenSSL issue (was: Re: Updating openssl on FreeBSD 9.2)
Message-ID:  <53435E37.8000903@networktest.com>
In-Reply-To: <20140407114202.ef08d1a9.freebsd@edvax.de>
References:  <1396852955.86927.YahooMailNeo@web122301.mail.ne1.yahoo.com> <20140407085234.4a39a4ab.freebsd@edvax.de> <53426449.6030006@bluerosetech.com> <20140407114202.ef08d1a9.freebsd@edvax.de>

On 4/7/14, 2:42 AM, Polytropon wrote:
> On Mon, 07 Apr 2014 01:39:37 -0700, Darren Pilgrim wrote:
>> On 4/6/2014 11:52 PM, Polytropon wrote:
>>> On Sun, 6 Apr 2014 23:42:35 -0700 (PDT), Jack Mc Lauren wrote:
>>>> Hi
>>>> I'm using FreeBSD 9.2 which comes with openssl 0.9.8y.
>>>> How can I update it to version 1.0.1f?

There was a critical OpenSSL security flaw announced today for 1.0.1f
and earlier. Version 0.9.8 is not affected.

The security team hasn't yet posted an advisory but they probably will
real soon now. As I write this (8 April 2014 0223 UTC) openssl 1.0.1f is
no longer in the ports tree, and has not yet been replaced; again, I
expect the port maintainer will post 1.0.1g real soon now.

More info:

https://www.openssl.org/news/secadv_20140407.txt

There's a FAQ here:

http://heartbleed.com/

dn

>>>> Thanks in advance.
>>>
>>> Probably using the ports version should be the easiest
>>> method. Update your ports tree, Install security/openssl,
>>> and check if any other applications need to be rebuilt.
>>
>> You need to add WITH_OPENSSL_PORT=yes to /etc/make.conf to enable 
>> linking to the openssl port.
> 
> Yes, that is also needed.
> 
> 
> 
>>> If you're using a custom-built system, you can also
>>> disable the integration of SSL into the OS by defining
>>> WITHOUT_OPENSSL in /etc/src.conf and rebuilding. See
>>> "man src.conf" for details.
>>
>> Don't do this.  OpenSSL is needed by so many things in the base that 
>> it's effectively mandatory.  Just rely on WITH_OPENSSL_PORT making the 
>> ports framework select the correct library.
> 
> Still /etc/src.conf allows you to disable most of those
> parts. As I have never tried the "full set", I'm not sure
> what would break, but at least I assume that more than
> one "crypto" component could be affected, maybe even the
> system mailing service.
> 
> From "man src.conf":
> 
>      WITHOUT_CRYPT
>              Set to not build any crypto code.  When set, it also enforces the
>              following options:
> 
>              WITHOUT_GSSAPI (can be overridden with WITH_GSSAPI)
>              WITHOUT_KERBEROS
>              WITHOUT_KERBEROS_SUPPORT
>              WITHOUT_OPENSSH
>              WITHOUT_OPENSSL
> 
> [...]
> 
>      WITHOUT_OPENSSL
>              Set to not build OpenSSL.  When set, it also enforces the follow-
>              ing options:
> 
>              WITHOUT_GSSAPI (can be overridden with WITH_GSSAPI)
>              WITHOUT_KERBEROS
>              WITHOUT_KERBEROS_SUPPORT
>              WITHOUT_OPENSSH
> 
> Your suggestion is worth following, especially with regard to SSH.
> 
> 
> 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53435E37.8000903>
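As an added example that is not part of the thread: a small sh script that classifies an `openssl version` line against the ranges the linked advisory names (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 0.9.8 and 1.0.0 not affected) and checks both the base-system binary and the security/openssl port binary, since with WITH_OPENSSL_PORT=yes ports link against the latter. The binary paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies an "openssl version" line
# against the ranges in the OpenSSL advisory of 7 Apr 2014: 1.0.1 through
# 1.0.1f vulnerable, 1.0.1g fixed, 0.9.8 and 1.0.0 not affected.

heartbleed_status() {
    # $1: one "openssl version" output line, e.g. "OpenSSL 1.0.1f 6 Jan 2014"
    # Prints vulnerable / fixed / not-affected / unknown.
    # Returns 1 if vulnerable, 2 if unknown, 0 otherwise.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f])  echo vulnerable;   return 1 ;;
        1.0.1[g-z]*)       echo fixed;        return 0 ;;
        0.9.8*|1.0.0*)     echo not-affected; return 0 ;;
        *)                 echo unknown;      return 2 ;;
    esac
}

report_binary() {
    # $1: path to an openssl binary; skipped silently if it is not installed
    [ -x "$1" ] || return 0
    line=$("$1" version 2>/dev/null) || return 0
    printf '%s: %s -> %s\n' "$1" "$line" "$(heartbleed_status "$line")"
}

# Assumed paths: the base-system binary and the security/openssl port binary.
# With WITH_OPENSSL_PORT=yes in /etc/make.conf, ports link against the port's
# library, so both copies need checking.
for bin in /usr/bin/openssl /usr/local/bin/openssl; do
    report_binary "$bin"
done
```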