On 12/10/20 12:03 AM, FreeBSD Security Advisories wrote:

> Note: The OpenSSL project has published publicly available patches for
> versions included in FreeBSD 12.x. This vulnerability is also known to
> affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> project is only giving patches for that version to premium support contract
> holders. The FreeBSD project does not have access to these patches and
> recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> may update this advisory to include FreeBSD 11.4 should patches become
> publicly available.

So I'm looking for suggestions on how to handle this.
I guess I'll just upgrade some 11.4 to 12.2 and that'll be it.

However there are a few boxes I can't or don't want to upgrade and I'm thinking about using openssl from ports.

If I'm correct, I'll need to put "DEFAULT_VERSIONS= ssl=openssl" either in /etc/make.conf and/or in /usr/local/etc/poudriere.d/114amd64-make.conf.

I started with the latter, but a bulk run ended up in some port failing (and a lot being skipped) due to kerberos support: AFAICT I cannot use base's kerberos with ports' openssl. Which is a better replacement: MIT or HEIMDAL?

Then I think I'll just need "pkg upgrade -f", where I'm using packages.
I still have some systems, however, that are using portupgrade: perhaps I can convert some to packages, but others have to stay like this for the moment. Will "portupgrade -Fa" do or do I need something more complex?

bye & Thanks
av.
Andrea Venturoli <ml at netfence.it> wrote on 2020-12-11:

> On 12/10/20 12:03 AM, FreeBSD Security Advisories wrote:
>
> > Note: The OpenSSL project has published publicly available patches for
> > versions included in FreeBSD 12.x. This vulnerability is also known to
> > affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> > project is only giving patches for that version to premium support contract
> > holders. The FreeBSD project does not have access to these patches and
> > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> > may update this advisory to include FreeBSD 11.4 should patches become
> > publicly available.
>
> So I'm looking for suggestions on how to handle this.
> I guess I'll just upgrade some 11.4 to 12.2 and that'll be it.

The fix was already backported to stable/11 so it's now "publicly available":
https://svnweb.freebsd.org/base?view=revision&revision=368530

I expect that releng/11.4 will receive the fix in the near future.

Fabian
On Fri, Dec 11, 2020 at 11:11:54AM +0100, Andrea Venturoli wrote:

> On 12/10/20 12:03 AM, FreeBSD Security Advisories wrote:
>
> > Note: The OpenSSL project has published publicly available patches for
> > versions included in FreeBSD 12.x. This vulnerability is also known to
> > affect OpenSSL versions included in FreeBSD 11.4. However, the OpenSSL
> > project is only giving patches for that version to premium support contract
> > holders. The FreeBSD project does not have access to these patches and
> > recommends FreeBSD 11.4 users to either upgrade to FreeBSD 12.x or leverage
> > up to date versions of OpenSSL in the ports/pkg system. The FreeBSD Project
> > may update this advisory to include FreeBSD 11.4 should patches become
> > publicly available.
>
> So I'm looking for suggestions on how to handle this.
> I guess I'll just upgrade some 11.4 to 12.2 and that'll be it.
>
> However there are a few boxes I can't or don't want to upgrade and I'm
> thinking about using openssl from ports.
>
> If I'm correct, I'll need to put "DEFAULT_VERSIONS= ssl=openssl" either
> in /etc/make.conf and/or in /usr/local/etc/poudriere.d/114amd64-make.conf.
>
> I started with the latter, but a bulk run ended up in some port failing
> (and a lot being skipped) due to kerberos support: AFAICT I cannot use
> base's kerberos with ports' openssl. Which is a better replacement: MIT
> or HEIMDAL?

It would be useful to give more specifics on the failures, as there are a few classes of things that can go wrong. It doesn't look like openssl from ports attempts to support the TLS ciphers with kerberos, which would rule out the "openssl tries to depend on kerberos" class of issues. I assume, then, that you're running into API conflicts where hcrypto and libcrypto present similar-named symbols, in which case MIT would be preferred. (The heimdal in base is quite old anyway, and using an external kerberos would be recommended in general if you're using it for much.)

-Ben
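A practical follow-up to both Andrea's plan (switching 11.4 boxes to ports OpenSSL via DEFAULT_VERSIONS and then rebuilding with pkg or portupgrade) and Ben's remark about hcrypto/libcrypto symbol clashes is to verify, per daemon, which libssl/libcrypto it actually resolves after the rebuild. The script below is an added example, not code from anyone in the thread: it reads ldd(1)-style output and reports whether the libraries come from base (/usr/lib, /lib), from ports (/usr/local/lib), or a mix of both, and flags base libhcrypto loaded next to libcrypto. The sample ldd listings, library version suffixes and load addresses are constructed so the check runs anywhere; on a FreeBSD host you would feed it real ldd output through the report_ssl_linkage wrapper.

```shell
#!/bin/sh
# Added example (not from the list thread): classify where a binary's
# libssl/libcrypto resolve from, using ldd(1)-style output on stdin.
# Prints one of: none, base, ports, mixed. Appends " +base-hcrypto" when
# base heimdal's libhcrypto is loaded into the same process, since two
# crypto libraries exporting similar-named symbols is the clash to hunt down.
classify_ssl_linkage() {
    base=0; ports=0; hcrypto=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*)
                case "$line" in
                    *'=> /usr/local/lib/'*) ports=1 ;;
                    *'=> /usr/lib/'*|*'=> /lib/'*) base=1 ;;
                esac ;;
            *libhcrypto.so*)
                case "$line" in
                    *'=> /usr/lib/'*|*'=> /lib/'*) hcrypto=1 ;;
                esac ;;
        esac
    done
    if [ "$base" -eq 1 ] && [ "$ports" -eq 1 ]; then result=mixed
    elif [ "$ports" -eq 1 ]; then result=ports
    elif [ "$base" -eq 1 ]; then result=base
    else result=none
    fi
    if [ "$hcrypto" -eq 1 ]; then result="$result +base-hcrypto"; fi
    printf '%s\n' "$result"
}

# Real-system entry point (FreeBSD only): run ldd on each binary given.
# Example: report_ssl_linkage /usr/local/sbin/nginx /usr/local/sbin/httpd
report_ssl_linkage() {
    for bin; do
        printf '%s: ' "$bin"
        ldd "$bin" 2>/dev/null | classify_ssl_linkage
    done
}

# Constructed sample: an 11.4 daemon still linked against base OpenSSL
# (library names and addresses are illustrative, not captured output).
SAMPLE_BASE='/usr/local/sbin/nginx:
    libssl.so.8 => /usr/lib/libssl.so.8 (0x800a00000)
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Constructed sample: the same daemon rebuilt with DEFAULT_VERSIONS ssl=openssl,
# both libraries now coming from /usr/local/lib.
SAMPLE_PORTS='/usr/local/sbin/nginx:
    libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x800a00000)
    libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x800c00000)
    libc.so.7 => /lib/libc.so.7 (0x801000000)'

# Constructed sample: a port linked to ports libssl whose base-kerberos
# dependency drags in base libhcrypto and a second libcrypto. This is the
# situation to fix (rebuild the dependency, or move to an external kerberos).
SAMPLE_MIXED='/usr/local/bin/someclient:
    libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x800a00000)
    libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x800c00000)
    libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x800e00000)
    libhcrypto.so.11 => /usr/lib/libhcrypto.so.11 (0x801000000)
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x801200000)
    libc.so.7 => /lib/libc.so.7 (0x801400000)'

# Stand-alone demonstration over the constructed samples.
for s in "$SAMPLE_BASE" "$SAMPLE_PORTS" "$SAMPLE_MIXED"; do
    printf '%s\n' "$s" | classify_ssl_linkage
done
```

Run it over every network-facing daemon after the rebuild; anything reporting "base" was not rebuilt (a candidate for `pkg upgrade -f` or `portupgrade -f`), and anything reporting "mixed" has two crypto libraries in one process and needs its dependency chain rebuilt against the same OpenSSL.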