From: Scot Hetzel
To: Jamie Landeg-Jones
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Date: Sun, 27 Apr 2014 11:15:38 -0500
Subject: Re: ports requiring OpenSSL not honouring OpenSSL from ports
In-Reply-To: <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net>

On Sun, Apr 27, 2014 at 10:08 AM, Jamie Landeg-Jones wrote:
> One of the first things I do on installing a new machine is install
> OpenSSL from ports. I do build with base OpenSSL due to the many programs
> that depend on it, but using ports OpenSSL for ports makes things easier
> to patch/update.
>
> In the case of Heartbleed, for example, I was able to fix ports OpenSSL
> much sooner than base.
>
> In the process, however, I discovered a couple of ports that built against
> base even when the port was installed. I was going to supply patches /
> notify the maintainers, but first did a check, and discovered that a lot
> of current ports do similar.
>
> It turns out that this wasn't a problem specifically, but more generally,
> it's possible that someone may think a port has been patched when it hasn't.
>
> Basically what I'm asking: Shouldn't a port that uses OpenSSL *always*
> build against the port if it's installed?
>

The port should use the OpenSSL port if it is installed, unless the port
sets one of these variables in its Makefile:

    WITH_OPENSSL_BASE
    USE_OPENSSL_BASE

The port shouldn't be setting these variables.

Do you have a list of which ports used the OpenSSL from base, instead of
the installed OpenSSL port? Could you check if they set these variables?

> I realise this isn't always possible to test, especially if the port Makefile
> doesn't have any openSSL configuration options, but I'd like to hear
> others' opinions on the matter.
>
> [ Not crossposted to ports@ as I'm unsure on cross-posting etiquette, but
> feel free to add them in if appropriate ]
>

This is more of a ports issue, than a security issue. Post the list of
affected ports to ports@, and/or submit PRs to correct them.
--
DISCLAIMER: No electrons were maimed while sending this message. Only slightly bruised.
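One way to act on the two checks Scot asks for (which OpenSSL a port's binaries actually link against, and whether a port Makefile sets WITH_OPENSSL_BASE or USE_OPENSSL_BASE), written as an added example that is not part of the thread or of the FreeBSD ports tree. It assumes the ldd(1) output format shown in the constructed samples, that base OpenSSL lives under /usr/lib and the port's under /usr/local/lib, and that pkg(8) accepts `pkg query '%Fp'` to list a package's files; the `audit_package` helper needs a live FreeBSD host and is not exercised by the samples.

```shell
#!/bin/sh
# Added example (not from the thread): classify which OpenSSL a binary
# actually links against, from ldd(1) output read on stdin.
#   base  - libssl/libcrypto resolve under /usr/lib (FreeBSD base OpenSSL)
#   ports - they resolve under /usr/local/lib (security/openssl port)
#   mixed - both locations appear (the worst case for patch tracking)
#   none  - no OpenSSL library is linked at all
classify_ssl_link() {
    base=0
    ports=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ;;
            *) continue ;;
        esac
        case "$line" in
            *"=> /usr/lib/"*)       base=1 ;;
            *"=> /usr/local/lib/"*) ports=1 ;;
        esac
    done
    if [ "$base" -eq 1 ] && [ "$ports" -eq 1 ]; then
        echo mixed
    elif [ "$base" -eq 1 ]; then
        echo base
    elif [ "$ports" -eq 1 ]; then
        echo ports
    else
        echo none
    fi
}

# Exit 0 if a port Makefile read on stdin sets WITH_OPENSSL_BASE or
# USE_OPENSSL_BASE (the two variables named in the reply), non-zero otherwise.
# Only catches literal assignments; a port that sets them indirectly
# (e.g. via an included .mk file) needs "make -V" to be sure.
forces_base_openssl() {
    grep -Eq '^[[:space:]]*(WITH|USE)_OPENSSL_BASE[[:space:]]*[?:+]?='
}

# Audit every executable installed by one package on a live FreeBSD host.
# Assumes pkg(8) with "pkg query '%Fp'" and ldd(1); not run by the samples below.
audit_package() {
    pkg query '%Fp' "$1" | while IFS= read -r path; do
        [ -x "$path" ] && [ -f "$path" ] || continue
        printf '%s %s\n' "$(ldd "$path" 2>/dev/null | classify_ssl_link)" "$path"
    done
}

# Constructed sample ldd(1) output for a hypothetical port binary that was
# built against base OpenSSL even though the port was installed.
sample_base_ldd='/usr/local/bin/example:
        libssl.so.8 => /usr/lib/libssl.so.8 (0x800a00000)
        libcrypto.so.8 => /usr/lib/libcrypto.so.8 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x800e00000)'

# Constructed sample for a binary correctly linked against the port.
sample_ports_ldd='/usr/local/bin/example:
        libssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x800a00000)
        libcrypto.so.1.0.0 => /usr/local/lib/libcrypto.so.1.0.0 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x800e00000)'

# Constructed Makefile fragment for a hypothetical port that forces base OpenSSL.
sample_makefile='PORTNAME=   example
USE_OPENSSL_BASE=   yes
.include <bsd.port.mk>'

printf 'base-linked sample:  %s\n' "$(printf '%s\n' "$sample_base_ldd" | classify_ssl_link)"
printf 'ports-linked sample: %s\n' "$(printf '%s\n' "$sample_ports_ldd" | classify_ssl_link)"
if printf '%s\n' "$sample_makefile" | forces_base_openssl; then
    echo 'sample Makefile forces base OpenSSL'
fi
```

On a real host, `audit_package some-port` prints one line per executable with its classification, so anything reported as `base` or `mixed` is a port that a ports-OpenSSL update would not have patched; pairing that with `forces_base_openssl < /usr/ports/category/port/Makefile` separates ports that explicitly opt into base OpenSSL from ones that merely fail to find the port's headers and libraries at configure time.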