Re: ports requiring OpenSSL not honouring OpenSSL from ports

Board: FB_security, posted 2014/04/28 07:01
Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> Yes, that is a reasonable expectation. I certainly had it in my head when I rebuilt Sendmail+TLS after heartbleed, but I didn't think of checking it.

Been there :-) Fortunately, sendmail 'does the right thing'!

> It would be good to add such options to as many ports as possible if it can be done cleanly.

This is more for ports@ than security@, but isn't mixing of 2 different versions potentially problematic? I have noticed one port that links against base, but uses libcurl which links against ports, so there is a version conflict there right away. I'd expect that some magic would need to be done in the bsd.ports.Mk files, as you can't necessarily tell from just scanning the port template.

> Also, note that this is not bashing on OpenSSL: given their new significant funding, I would certainly expect the OpenSSL project to be finding-and-fixing Heartbleed-level bugs repeatedly in the coming years. It is basically impossible to fix such a bug without bad actors being able to determine and exploit some of the fixes in unpatched systems.

Ditto. My concern is more general, and aligned to the POLA principle!

Cheers,
Jamie

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
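An added example, not part of the original message: a shell check for the mixed-linkage case described above, where a binary resolves libssl/libcrypto from both base and ports (for instance through libcurl). It assumes ports install under /usr/local and base libraries live in /lib or /usr/lib; the function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Classify where libssl/libcrypto resolve from, given `ldd` output on stdin.
# Prints one of: none, base, ports, mixed
# Assumption: ports prefix is /usr/local; base libraries are in /lib or /usr/lib.
openssl_origin() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 ~ /^\/usr\/local\//)        ports = 1
            else if ($3 ~ /^\/(usr\/)?lib\//)  base = 1
        }
        END {
            if (base && ports) print "mixed"
            else if (ports)    print "ports"
            else if (base)     print "base"
            else               print "none"
        }'
}

# Run ldd on a real file and classify it.
check_file() {
    ldd "$1" 2>/dev/null | openssl_origin
}

# Constructed sample: the binary links base OpenSSL directly, while its
# libcurl dependency pulls in the ports copy as well.
SAMPLE_MIXED='/usr/local/bin/example:
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x800a00000)
    libssl.so.A => /usr/lib/libssl.so.A (0x800c00000)
    libcrypto.so.A => /lib/libcrypto.so.A (0x800e00000)
    libssl.so.B => /usr/local/lib/libssl.so.B (0x801000000)
    libcrypto.so.B => /usr/local/lib/libcrypto.so.B (0x801200000)
    libc.so.7 => /lib/libc.so.7 (0x801400000)'

# Constructed sample: only the base copy is loaded.
SAMPLE_BASE='/usr/sbin/example:
    libssl.so.A => /usr/lib/libssl.so.A (0x800c00000)
    libcrypto.so.A => /lib/libcrypto.so.A (0x800e00000)
    libc.so.7 => /lib/libc.so.7 (0x801400000)'

# Usage: sh script.sh /usr/local/bin/* ; reports one verdict per file.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_file "$f")"
done
```

A "mixed" verdict is the version conflict the message describes; after a library update, "base" or "ports" tells you which copy a rebuilt binary actually picked up.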
Article code (AID): #1JNOmktu (FB_security)
Full thread: this post is 7 of 23.