Date: Wed, 13 Jan 2010 12:21:16 -0500
From: "b. f." <bf1783@googlemail.com>
To: dinoex@FreeBSD.org
Cc: freebsd-ports@FreeBSD.org
Subject: Re: security/openssl BROKEN, DEPRECATED, and EXPIRED?
Message-ID: <d873d5be1001130921x1aed2423gfb059947084090a6@mail.gmail.com>

I'd like to echo some of the others regarding the recent changes in security/openssl: since this port is used by a large number of people, it would be better to announce major changes in advance, and to test more carefully before committing.

The reverted deprecation leaves me a bit puzzled. What were the problems that prompted the comment that the port had "unfixed vulnerabilities"? If that meant that flawed renegotiation could be enabled via run-time flags, and this was thought to be unacceptable, why not patch the port to disable it, as in the base system openssl, rather than suddenly attempting to remove the port? If it was something else, what was it, and what, if anything, is going to be done about it? Can we expect an update to 1.0.x, and the resurrection of SCTP support, after the renegotiation problem is settled? Or is a removal of the port still planned? If that is the case, what do those who want to remove the port propose as a replacement?

I note that there are still a few obvious minor flaws after the most recent commits, including what looks like an unintentional inversion of the logic surrounding the SSE2 option. I'm attaching a suggested patch.

Regards,
b.

[Attachment: openssl098l_diff.txt]