Hi,

I run a few web servers which need to be PCI compliant. Apparently there's a problem with OpenSSL 0.9.8k that requires us to upgrade to 0.9.8l for us to maintain our compliance level.

I've csup'd to RELENG_8_0 and did a build/install cycle and OpenSSL is still at 0.9.8k. Using RELENG_8 isn't really an option for me because the last time I upgraded to that level, ipfw was broken and I'm not sure that the problem with ipfw has been fixed (Luigi tells me that it has, but I haven't had time to test it yet).

Is there any movement to patch RELENG_8_0 with OpenSSL 0.9.8l? Or will I be stuck with 0.9.8k until I move to RELENG_8?

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg@soe.ucsc.edu
831-459-5354
> This isn't an answer to your question, but you could
> always use OpenSSL from the ports tree.

I'm hesitant to do so because in the past I've had problems when I've used the ports to upgrade base OS-level stuff, like OpenSSL or Sendmail: then the buildworld cycle overwrites the ports library and the ports library overwrites the OS-level stuff and so on, which in the past has caused general mayhem.

It seems to me that the exploits purported to exist in 0.9.8k are serious enough to merit an upgrade to 0.9.8l for everyone. Is there a reason why you wouldn't want to upgrade to 0.9.8l?

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg@soe.ucsc.edu
831-459-5354
On Sat, Apr 17, 2010 at 10:49 AM, Tim Gustafson <tjg@soe.ucsc.edu> wrote:
> Hi,
>
> I run a few web servers which need to be PCI compliant. Apparently there's a problem with OpenSSL 0.9.8k that requires us to upgrade to 0.9.8l for us to maintain our compliance level.
>
> I've csup'd to RELENG_8_0 and did a build/install cycle and OpenSSL is still at 0.9.8k. Using RELENG_8 isn't really an option for me because the last time I upgraded to that level, ipfw was broken and I'm not sure that the problem with ipfw has been fixed (Luigi tells me that it has, but I haven't had time to test it yet).
>
> Is there any movement to patch RELENG_8_0 with OpenSSL 0.9.8l? Or will I be stuck with 0.9.8k until I move to RELENG_8?
>
> Tim Gustafson

This isn't an answer to your question, but you could always use OpenSSL from the ports tree.

http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/openssl/

It's at version 1.0.0.
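The thread turns on which OpenSSL version a host actually carries (base 0.9.8k versus ports 1.0.0, with 0.9.8l as the compliance floor). The following script is an added example, not code from the thread or from FreeBSD: it compares OpenSSL version strings using OpenSSL's own numeric-plus-letter scheme, reports whether the base (/usr/bin/openssl) and ports (/usr/local/bin/openssl) binaries meet a required minimum, and shows which libssl a given daemon binary will load, so a base/ports mix-up of the kind described above is visible rather than guessed at. The paths are the conventional FreeBSD locations and the required version is a parameter; the `ossl_linked_lib` helper assumes an `ldd` that prints `name => path` lines.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD). Compares OpenSSL
# version strings of the form MAJOR.MINOR.FIX[letters] (0.9.8k, 0.9.8l,
# 1.0.0, 0.9.8za) and reports what a host really has installed.

# ossl_ver_ge A B: exit 0 if version A >= version B, else 1.
# Numeric fields compare numerically; the letter suffix compares as a
# plain string, which matches OpenSSL's ordering ("" < "k" < "l" < "za").
ossl_ver_ge() {
    awk -v a="$1" -v b="$2" '
    function cmp(a, b,    sa, sb, pa, pb, na, nb, i, x, y) {
        sa = a; sub(/^[0-9.]+/, "", sa)          # letter suffix of a, may be ""
        sb = b; sub(/^[0-9.]+/, "", sb)          # letter suffix of b, may be ""
        na = split(substr(a, 1, length(a) - length(sa)), pa, ".")
        nb = split(substr(b, 1, length(b) - length(sb)), pb, ".")
        for (i = 1; i <= 3; i++) {               # MAJOR, MINOR, FIX
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x != y) return (x < y) ? -1 : 1
        }
        if (sa == sb) return 0
        return (sa < sb) ? -1 : 1
    }
    BEGIN { r = cmp(a, b); exit (r >= 0 ? 0 : 1) }'
}

# ossl_bin_version PATH: print the version an openssl binary reports
# ("OpenSSL 0.9.8k 25 Mar 2009" -> "0.9.8k"); exit 1 if it is not installed.
ossl_bin_version() {
    [ -x "$1" ] || return 1
    "$1" version 2>/dev/null | awk '{ print $2; exit }'
}

# ossl_report REQUIRED PATH...: one line per binary, flagging any that are
# below the required minimum (e.g. the 0.9.8l compliance floor).
ossl_report() {
    req=$1; shift
    for bin in "$@"; do
        v=$(ossl_bin_version "$bin") || { printf '%s: not present\n' "$bin"; continue; }
        if ossl_ver_ge "$v" "$req"; then
            printf '%s: %s (meets %s)\n' "$bin" "$v" "$req"
        else
            printf '%s: %s (BELOW required %s)\n' "$bin" "$v" "$req"
        fi
    done
}

# ossl_linked_lib DAEMON: print the libssl path the dynamic linker resolves
# for a binary, so /usr/lib (base) vs /usr/local/lib (ports) is explicit.
# Assumes ldd output in the "libssl.so.N => /path/libssl.so.N (0x...)" form.
ossl_linked_lib() {
    [ -x "$1" ] || return 1
    ldd "$1" 2>/dev/null | awk '/libssl/ { print $3 }'
}

# Usage: check the base and ports binaries against the 0.9.8l floor, then
# see which libssl the web server would actually load (path is an example).
ossl_report 0.9.8l /usr/bin/openssl /usr/local/bin/openssl
ossl_linked_lib /usr/local/sbin/httpd || printf 'httpd binary not present, skipping ldd check\n'
```

`ossl_report` only tells you what the `openssl` command-line tools are; the `ossl_linked_lib` line is the one that answers the question the thread worries about, because a daemon linked against `/usr/lib/libssl.so` keeps using the base library no matter how new the ports copy is.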
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2010/04/17 07:49, Tim Gustafson wrote:
> Hi,
>
> I run a few web servers which need to be PCI compliant. Apparently there's a problem with OpenSSL 0.9.8k that requires us to upgrade to 0.9.8l for us to maintain our compliance level.
>
> I've csup'd to RELENG_8_0 and did a build/install cycle and OpenSSL is still at 0.9.8k. Using RELENG_8 isn't really an option for me because the last time I upgraded to that level, ipfw was broken and I'm not sure that the problem with ipfw has been fixed (Luigi tells me that it has, but I haven't had time to test it yet).
>
> Is there any movement to patch RELENG_8_0 with OpenSSL 0.9.8l? Or will I be stuck with 0.9.8k until I move to RELENG_8?

RELENG_8_0 is considered as "frozen", which means we will do a massive upgrade there. RELENG_8 would have the latest OpenSSL.

Note that "cherry picking" style of changes _may_ be permitted on RELENG_8_0 per re@ and security-officer@'s decision. If you know what the problem is, please feel free to let secteam@FreeBSD.org know, ideally with a reference to the OpenSSL bug tracking system, a CVE number, etc., so we will be able to handle it more quickly.

We did patch RELENG_8_0 before 8.0-RELEASE for a few SSL protocol flaws.

http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc

Hope this helps.

Cheers,
- --
Xin LI <delphij@delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!	Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)

iQEcBAEBAgAGBQJLyeUyAAoJEATO+BI/yjfB1+MH/09y/TwPiSBwo/du9g3MdUX/
hiT0zI1FKgjEVEYw/QkEKD5F5TJLVQqhmgrW//JYzpVYt2w+QVZuEbuH2Mtf/wXk
6Py8Un3mUjeC7O2gEKmi0XgWX5cyFPariF4DGiXrZE0aO1y3xg/9SYwvuYX2dXdQ
4loqv4A74qTDiBedm/dLVFG7wlED5Tk03fgtvbyhbdEH5Dy7JnvUvgUc1P4/c2dN
zkBs4lRn+zd31itORyq1HmvmD5dWcpbXeEyb7OoSDZAsreCWfn5I623oEdhoumem
bJWsv8pSU6qc9ENY5Oot4CLhnweT3UvnMBTebM4egqG9YSvTwIRDqaVkHaPLdtw=
=UH5d
-----END PGP SIGNATURE-----
Tim Gustafson <tjg@soe.ucsc.edu> writes:
> I run a few web servers which need to be PCI compliant. Apparently
> there's a problem with OpenSSL 0.9.8k that requires us to upgrade to
> 0.9.8l for us to maintain our compliance level.
>
> I've csup'd to RELENG_8_0 [...]

RELENG_8_0 is 8.0 + critical bug fixes. If you're not too pressed for time, 8.1 is "only" a couple of months away and will hopefully ship with 0.9.8n, which is what we currently have in head.

DES
--
Dag-Erling Smørgrav - des@des.no