Date:      Wed, 13 Jan 2010 12:21:16 -0500
From:      "b. f." <bf1783@googlemail.com>
To:        dinoex@FreeBSD.org
Cc:        freebsd-ports@FreeBSD.org
Subject:   Re: security/openssl BROKEN, DEPRECATED, and EXPIRED?
Message-ID:  <d873d5be1001130921x1aed2423gfb059947084090a6@mail.gmail.com>


I'd like to echo some of the others regarding the recent changes in
security/openssl:  since this port is used by a large number of
people, it would be better to announce major changes in advance, and
to test more carefully before committing.

The reverted deprecation leaves me a bit puzzled.  What were the
problems that prompted the comment that the port had "unfixed
vulnerabilities"?  If that meant that flawed renegotiation could be
enabled via run-time flags, and this was thought to be unacceptable,
why not patch the port to disable it, as in the base system openssl,
rather than suddenly attempting to remove the port?  If it was
something else, what was it, and what, if anything, is going to be
done about it?  Can we expect an update to 1.0.x, and the resurrection
of SCTP support, after the renegotiation problem is settled?  Or is a
removal of the port still planned?  If that is the case, what do those
who want to remove the port propose as a replacement?

I note that there are still a few obvious minor flaws after the most
recent commits, including what looks like an unintentional inversion
of the logic surrounding the SSE2 option.  I'm attaching a suggested
patch.

Regards,
                    b.

[Attachment: openssl098l_diff.txt]


