Date:      Sun, 27 Apr 2014 23:59:36 +0100
From:      Jamie Landeg-Jones <jamie@dyslexicfish.net>
To:        freebsd-security@freebsd.org
Subject:   Re: ports requiring OpenSSL not honouring OpenSSL from ports
Message-ID:  <201404272259.s3RMxaqM095850@catnip.dyslexicfish.net>
In-Reply-To: <AFCC7276-2C8F-423E-A417-AE492F5162E6@vpnc.org>
References:  <201404271508.s3RF8sMA014085@catnip.dyslexicfish.net> <AFCC7276-2C8F-423E-A417-AE492F5162E6@vpnc.org>

Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> Yes, that is a reasonable expectation. I certainly had it in my head when I rebuilt Sendmail+TLS after heartbleed, but I didn't think of checking it.

Been there :-) Fortunately, sendmail 'does the right thing'!

> It would be good to add such options to as many ports as possible if it can be done cleanly.

This is more for ports@ than security@, but isn't mixing of 2 different versions potentially
problematic? I have noticed one port that links against base, but uses libcurl which links
against ports, so there is a version conflict there right away.

I'd expect that some magic would need to be done in the bsd.ports.Mk files, as you can't
necessarily tell from just scanning the port template.

> Also, note that this is not bashing on OpenSSL: given their new significant funding, I would certainly expect the OpenSSL project to be finding-and-fixing Heartbleed-level bugs repeatedly in the coming years. It is basically impossible to fix such a bug without bad actors being able to determine and exploit some of the fixes in unpatched systems.

Ditto. My concern is more general, and aligned to the POLA principle!

Cheers,
Jamie
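A check for the situation described above (a binary that links the base-system OpenSSL directly while also loading a ports libcurl that links the ports OpenSSL), as an added example that is not part of the thread or of the FreeBSD ports framework. It parses the output of FreeBSD's `ldd -a` (which also lists the dependencies of each mapped shared object, so indirect links are visible) and flags any process image that maps libssl/libcrypto from both `/usr/local` and the base system. The sample `ldd` output, the binary name `/usr/local/bin/example` and the library version suffixes are constructed for illustration, and treating everything under `/usr/local/` as "ports" and everything else as "base" is an assumption about where ports install.

```shell
#!/bin/sh
# Added example: detect a dependency chain that maps both base OpenSSL and
# ports OpenSSL. Classification rule (assumption): paths under /usr/local/
# come from ports, anything else is treated as base. Version numbers are
# illustrative only.

# Constructed sample of FreeBSD `ldd -a` output for a hypothetical binary
# that links base libssl itself but loads libcurl from ports, which in turn
# links the ports libssl.
SAMPLE_LDD='/usr/local/bin/example:
	libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800800000)
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800c00000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x801000000)
	libc.so.7 => /lib/libc.so.7 (0x801400000)
/usr/local/lib/libcurl.so.4:
	libssl.so.8 => /usr/local/lib/libssl.so.8 (0x801800000)
	libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x801c00000)
	libz.so.6 => /lib/libz.so.6 (0x802000000)'

# Constructed sample of a clean chain: everything resolves to base OpenSSL.
BASE_ONLY_LDD='/usr/sbin/example-base:
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800800000)
	libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Read ldd output on stdin; print "<origin> <path>" for every libssl/libcrypto
# mapping, where origin is "ports" for /usr/local/... and "base" otherwise.
ssl_origins() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
        origin = ($3 ~ /^\/usr\/local\//) ? "ports" : "base"
        print origin, $3
    }'
}

# Read ldd output on stdin; exit 0 only when both origins appear in one chain.
is_mixed() {
    ssl_origins | awk '{ seen[$1] = 1 }
        END { exit !(("base" in seen) && ("ports" in seen)) }'
}

# Wrapper for a real binary on FreeBSD. `ldd -a` lists the dependencies of
# each mapped object as well, so a libssl pulled in only via libcurl shows up.
check_binary() {
    ldd -a "$1" | is_mixed
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_LDD" | ssl_origins
if printf '%s\n' "$SAMPLE_LDD" | is_mixed; then
    echo "sample: base and ports OpenSSL both mapped into one process"
fi
if printf '%s\n' "$BASE_ONLY_LDD" | is_mixed; then
    echo "base-only sample: mixed (unexpected)"
else
    echo "base-only sample: single OpenSSL origin"
fi
```

On a real system, `check_binary /usr/local/bin/some-port-binary` applies the same test to live `ldd -a` output; a hit means that two different libssl/libcrypto copies can end up in the same address space, and a rebuild of the base-linked port against the ports OpenSSL (or vice versa) is needed to get back to a single, consistently patched library.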



