From owner-freebsd-questions@FreeBSD.ORG Tue Apr 8 02:31:48 2014
From: David Newman
Organization: Network Test Inc.
Date: Mon, 07 Apr 2014 19:31:46 -0700
To: freebsd-questions@freebsd.org
Subject: Re: Critical OpenSSL issue
Message-ID: <53435F92.4000609@networktest.com>
In-Reply-To: <53435E37.8000903@networktest.com>

On 4/7/14, 7:25 PM, David Newman wrote:
> On 4/7/14, 2:42 AM, Polytropon wrote:
>> On Mon, 07 Apr 2014 01:39:37 -0700, Darren Pilgrim wrote:
>>> On 4/6/2014 11:52 PM, Polytropon wrote:
>>>> On Sun, 6 Apr 2014 23:42:35 -0700 (PDT), Jack Mc Lauren wrote:
>>>>> Hi
>>>>> I'm using FreeBSD 9.2 which comes with openssl 0.9.8y.
>>>>> How can I update it to version 1.0.1f?
>
> There was a critical OpenSSL security flaw announced today for 1.0.1f
> and earlier. Version 0.9.8 is not affected.
>
> The security team hasn't yet posted an advisory but they probably will
> real soon now. As I write this (8 April 2014 0223 UTC) openssl 1.0.1f is
> no longer in the ports tree, and has not yet been replaced; again, I
> expect the port maintainer will post 1.0.1g real soon now.

1.0.1g appeared in ports right after I sent this. If you're going to
upgrade, this is the one to use.

dn

> More info:
>
> https://www.openssl.org/news/secadv_20140407.txt
>
> There's a FAQ here:
>
> http://heartbleed.com/
>
> dn
>
>>>>> Thanks in advance.
>>>>
>>>> Probably using the ports version should be the easiest
>>>> method. Update your ports tree, install security/openssl,
>>>> and check if any other applications need to be rebuilt.
>>>
>>> You need to add WITH_OPENSSL_PORT=yes to /etc/make.conf to enable
>>> linking to the openssl port.
>>
>> Yes, that is also needed.
>>
>>>> If you're using a custom-built system, you can also
>>>> disable the integration of SSL into the OS by defining
>>>> WITHOUT_OPENSSL in /etc/src.conf and rebuilding. See
>>>> "man src.conf" for details.
>>>
>>> Don't do this. OpenSSL is needed by so many things in the base that
>>> it's effectively mandatory. Just rely on WITH_OPENSSL_PORT making the
>>> ports framework select the correct library.
>>
>> Still /etc/src.conf allows you to disable most of those
>> parts. As I have never tried the "full set", I'm not sure
>> what would break, but at least I assume that more than
>> one "crypto" component could be affected, maybe even the
>> system mailing service.
>>
>> From "man src.conf":
>>
>> WITHOUT_CRYPT
>>     Set to not build any crypto code. When set, it also enforces the
>>     following options:
>>
>>     WITHOUT_GSSAPI (can be overridden with WITH_GSSAPI)
>>     WITHOUT_KERBEROS
>>     WITHOUT_KERBEROS_SUPPORT
>>     WITHOUT_OPENSSH
>>     WITHOUT_OPENSSL
>>
>> [...]
>>
>> WITHOUT_OPENSSL
>>     Set to not build OpenSSL. When set, it also enforces the
>>     following options:
>>
>>     WITHOUT_GSSAPI (can be overridden with WITH_GSSAPI)
>>     WITHOUT_KERBEROS
>>     WITHOUT_KERBEROS_SUPPORT
>>     WITHOUT_OPENSSH
>>
>> Your suggestion is worth following especially with regard to SSH.
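An added check script for the upgrade path the thread settles on (install security/openssl, set WITH_OPENSSL_PORT=yes in /etc/make.conf, rebuild dependents); it is not from the thread or from the FreeBSD project. It classifies an `openssl version` string against the advisory's affected range (1.0.1 through 1.0.1f; the 0.9.8 and 1.0.0 branches and 1.0.1g are unaffected) and scans ldd(1) output for binaries that still resolve libssl/libcrypto from the base system under /usr/lib instead of the port under /usr/local/lib. The library version numbers and ldd lines used for illustration are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: checks after a ports-based OpenSSL
# upgrade. Heartbleed (secadv_20140407) affects 1.0.1 through 1.0.1f only.

# Returns 0 when "openssl version" output (or a bare version string)
# names an affected release, 1 otherwise.
heartbleed_affected() {
    # "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f"; also drops "-fips" suffixes.
    ver=$(printf '%s\n' "$1" | sed -e 's/^OpenSSL //' -e 's/[^0-9.a-z].*//')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;  # 1.0.1 .. 1.0.1f: affected
        *)                return 1 ;;  # 0.9.8y, 1.0.0x, 1.0.1g and later
    esac
}

# Reads ldd(1) output on stdin; returns 0 when libssl or libcrypto still
# resolves to the base-system copy under /usr/lib, i.e. the binary was
# not rebuilt against security/openssl after WITH_OPENSSL_PORT=yes.
links_base_openssl() {
    grep -Eq 'lib(ssl|crypto)\.so[^ ]* => /usr/lib/'
}

# Reports one binary; exit status 0 means "rebuild it against the port".
report_binary() {
    bin=$1
    [ -x "$bin" ] || { echo "$bin: not found"; return 2; }
    if ldd "$bin" 2>/dev/null | links_base_openssl; then
        echo "$bin: links base-system OpenSSL, rebuild against the port"
        return 0
    fi
    echo "$bin: does not link base-system OpenSSL"
    return 1
}

# Usage: sh check_openssl.sh /usr/local/sbin/nginx /usr/local/sbin/httpd
# The base copy (/usr/bin) and the port copy (/usr/local/bin) are reported
# separately, since PATH order decides which one "openssl" alone runs.
for exe in /usr/bin/openssl /usr/local/bin/openssl; do
    [ -x "$exe" ] || continue
    v=$("$exe" version 2>/dev/null) || v=unknown
    if heartbleed_affected "$v"; then
        echo "$exe: AFFECTED ($v)"
    else
        echo "$exe: not affected ($v)"
    fi
done
for bin in "$@"; do
    report_binary "$bin" || true
done
```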