Date:      Mon, 07 Apr 2014 19:31:46 -0700
From:      David Newman <dnewman@networktest.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Critical OpenSSL issue
Message-ID:  <53435F92.4000609@networktest.com>
In-Reply-To: <53435E37.8000903@networktest.com>
References:  <1396852955.86927.YahooMailNeo@web122301.mail.ne1.yahoo.com> <20140407085234.4a39a4ab.freebsd@edvax.de> <53426449.6030006@bluerosetech.com> <20140407114202.ef08d1a9.freebsd@edvax.de> <53435E37.8000903@networktest.com>

On 4/7/14, 7:25 PM, David Newman wrote:
> On 4/7/14, 2:42 AM, Polytropon wrote:
>> On Mon, 07 Apr 2014 01:39:37 -0700, Darren Pilgrim wrote:
>>> On 4/6/2014 11:52 PM, Polytropon wrote:
>>>> On Sun, 6 Apr 2014 23:42:35 -0700 (PDT), Jack Mc Lauren wrote:
>>>>> Hi
>>>>> I'm using FreeBSD 9.2 which comes with openssl 0.9.8y.
>>>>> How can I update it to version 1.0.1f?
> 
> There was a critical OpenSSL security flaw announced today for 1.0.1f
> and earlier. Version 0.9.8 is not affected.
> 
> The security team hasn't yet posted an advisory but they probably will
> real soon now. As I write this (8 April 2014 0223 UTC) openssl 1.0.1f is
> no longer in the ports tree, and has not yet been replaced; again, I
> expect the port maintainer will post 1.0.1g real soon now.

1.0.1g appeared in ports right after I sent this.

If you're going to upgrade, this is the one to use.

dn


> 
> More info:
> 
> https://www.openssl.org/news/secadv_20140407.txt
> 
> There's a FAQ here:
> 
> http://heartbleed.com/
> 
> dn
> 
>>>>> Thanks in advance.
>>>>
>>>> Probably using the ports version should be the easiest
>>>> method. Update your ports tree, Install security/openssl,
>>>> and check if any other applications need to be rebuilt.
>>>
>>> You need to add WITH_OPENSSL_PORT=yes to /etc/make.conf to enable 
>>> linking to the openssl port.
>>
>> Yes, that is also needed.
>>
>>
>>
>>>> If you're using a custom-built system, you can also
>>>> disable the integration of SSL into the OS by defining
>>>> WITHOUT_OPENSSL in /etc/src.conf and rebuilding. See
>>>> "man src.conf" for details.
>>>
>>> Don't do this.  OpenSSL is needed by so many things in the base that 
>>> it's effectively mandatory.  Just rely on WITH_OPENSSL_PORT making the 
>>> ports framework select the correct library.
>>
>> Still /etc/src.conf allows you to disable most of those
>> parts. As I have never tried the "full set", I'm not sure
>> what would break, but at least I assume that more than
>> one "crypto" component could be affected, maybe even the
>> system mailing service.
>>
>> From "man src.conf":
>>
>>      WITHOUT_CRYPT
>>              Set to not build any crypto code.  When set, it also enforces the
>>              following options:
>>
>>              WITHOUT_GSSAPI (can be overridden with WITH_GSSAPI)
>>              WITHOUT_KERBEROS
>>              WITHOUT_KERBEROS_SUPPORT
>>              WITHOUT_OPENSSH
>>              WITHOUT_OPENSSL
>>
>> [...]
>>
>>      WITHOUT_OPENSSL
>>              Set to not build OpenSSL.  When set, it also enforces the follow-
>>              ing options:
>>
>>              WITHOUT_GSSAPI (can be overridden with WITH_GSSAPI)
>>              WITHOUT_KERBEROS
>>              WITHOUT_KERBEROS_SUPPORT
>>              WITHOUT_OPENSSH
>>
>> Your suggestion is worth following especially in regards of SSH.
>>
>>
>>
> 
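
An added example, not part of the original messages or of FreeBSD's own tooling: a small sh helper that reports which OpenSSL newly built ports would link against and whether that version falls in the range named in this thread. The function names and sample banners are constructed, and the rule that ports use the port library only when WITH_OPENSSL_PORT=yes is set is taken from the thread as an assumption.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Status follows the thread:
# 1.0.1 through 1.0.1f affected, 1.0.1g the release to use, 0.9.8 not affected.

# "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f"; fails on anything else.
banner_version() {
    printf '%s\n' "$1" |
        awk '$1 == "OpenSSL" && NF >= 2 { print $2; ok = 1 } END { exit !ok }'
}

heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[abcdef]) echo affected ;;
        1.0.1g)              echo fixed ;;
        0.9.8*)              echo not-affected ;;
        *)                   echo unknown ;;   # consult the advisory
    esac
}

# True when an uncommented WITH_OPENSSL_PORT=yes line is present.
uses_openssl_port() {
    grep -Eq '^[[:space:]]*WITH_OPENSSL_PORT[[:space:]]*=[[:space:]]*yes' "$1" 2>/dev/null
}

# Which OpenSSL will newly built ports link against, and is it affected?
# $1 = base banner, $2 = port banner ("" if not installed), $3 = make.conf
# Assumption from the thread: the port is used only when the knob is set.
# Ports built before the knob was set keep their old linkage until rebuilt.
ports_openssl_status() {
    if uses_openssl_port "$3" && [ -n "$2" ]; then
        src=port banner=$2
    else
        src=base banner=$1
    fi
    ver=$(banner_version "$banner") || { echo "$src unparsed unknown"; return 0; }
    echo "$src $ver $(heartbleed_status "$ver")"
}

# Constructed sample input, not taken from a real host.
conf=$(mktemp)
echo 'WITH_OPENSSL_PORT=yes' > "$conf"
ports_openssl_status "OpenSSL 0.9.8y 5 Feb 2013" "OpenSSL 1.0.1f 6 Jan 2014" "$conf"
ports_openssl_status "OpenSSL 0.9.8y 5 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" "$conf"
ports_openssl_status "OpenSSL 0.9.8y 5 Feb 2013" "" /dev/null
rm -f "$conf"
```

On a real host the banners would come from running `openssl version` with the base binary and with the port's binary, and the third argument would be /etc/make.conf.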


