Re: About the openssl hole

From: Darren Pilgrim (dmp@pantherdragon.org)
Date: 07/31/02


Date: Tue, 30 Jul 2002 18:41:03 -0700
From: Darren Pilgrim <dmp@pantherdragon.org>
To: gabriel_ambuehl@buz.ch

Gabriel Ambuehl wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Hello Geir,
>
> Tuesday, July 30, 2002, 6:56:12 PM, you wrote:
>
> > I talked with a friend of mine who tried this solution, and he told
> > me that it was only one patch that failed.
> > If you remove the patch "patch-ah" the build will go fine.
>
> > But as many know, the port of openssl will not completely replace the
> > core openssl.
> > (You could see this if you build mod_ssl)
>
> Well I could live without mod_ssl for the next hours, but I can't just
> go shutdown ssh on all boxes cause that would mean I'd have to go
> onsite to some 4 NOCs (two of them on the other side of the world) to
> have SSH get back up. Hmm. Maybe I'll just shut all SSL stuff down and
> have the NOC monkeys reboot them when the patch is here....
>
> What's happening (I suppose) is that the port gets installed to
> /usr/local/lib whereas the old version still is in /usr/lib where

Use -DOPENSSL_OVERWRITE_BASE. I recommend people install the OpenSSL
port anyway, it gives you all those nifty extra programs that the
maintainer(s) for the in-base openssl has seen fit not to include.

> it belongs to as part of the base system which means that you probably
> have to overwrite the old lib by hand but I wouldn't want to guarantee
> that nothing is going to break if you do this.

I can say from personal experience that installing the openssl port
with -DOPENSSL_OVERWRITE_BASE doesn't break anything I've found or
use (openssh, mod_ssl, courier_imap, and postfix).

> To make it short: it's
> probably best to just wait and update your boxes ASAP

Why take down the whole machine, when you can use a port to just patch
the broken part? That's what was so great about the OpenSSH port, it
let a lot of people who couldn't make world or reinstall upgrade their
copies of OpenSSH.
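As an added example (not code from the thread or from the FreeBSD project): a POSIX shell check for the situation Gabriel describes, where the port's libraries land in /usr/local/lib while the base copy stays in /usr/lib. It classifies, from ldd(1) output, whether a binary resolves libssl/libcrypto from the base system, from the port, or from a mix of both; the sample ldd lines below are constructed, and `check_binary` is a hypothetical wrapper name.

```shell
#!/bin/sh
# Classify where a binary's OpenSSL libraries come from.
# $1: text in ldd(1) format, one line per library, e.g.
#     "libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x2808a000)"
# Prints one of: base, port, mixed, other, none.
classify_openssl_libs() {
  printf '%s\n' "$1" | awk '
    /lib(ssl|crypto)\.so/ && $2 == "=>" {
      path = $3
      sub("/[^/]*$", "", path)          # strip the file name, keep the directory
      if (path == "/usr/lib") seen["base"] = 1
      else if (path == "/usr/local/lib") seen["port"] = 1
      else seen["other"] = 1            # unexpected dir, or "not found"
    }
    END {
      n = 0
      for (k in seen) n++
      if (n == 0) print "none"
      else if (n > 1) print "mixed"     # base and port copies both in use
      else for (k in seen) print k
    }'
}

# Hypothetical wrapper that runs ldd on a real binary, e.g. /usr/sbin/sshd.
check_binary() {
  classify_openssl_libs "$(ldd "$1" 2>/dev/null || true)"
}

# Constructed ldd output: sshd still linked against the base copy.
SAMPLE_BASE='libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x2808a000)
libc.so.4 => /usr/lib/libc.so.4 (0x28150000)'

# Constructed ldd output: httpd built against the port.
SAMPLE_PORT='libssl.so.3 => /usr/local/lib/libssl.so.3 (0x28100000)
libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x28130000)'

# Constructed ldd output: one library from each location.
SAMPLE_MIXED='libssl.so.3 => /usr/local/lib/libssl.so.3 (0x28100000)
libcrypto.so.2 => /usr/lib/libcrypto.so.2 (0x2808a000)'

printf 'sshd:  %s\n'  "$(classify_openssl_libs "$SAMPLE_BASE")"
printf 'httpd: %s\n'  "$(classify_openssl_libs "$SAMPLE_PORT")"
printf 'mixed: %s\n'  "$(classify_openssl_libs "$SAMPLE_MIXED")"
```

Run `check_binary /usr/sbin/sshd` after installing the port to confirm which copy the daemon actually loads; "base" means the port did not replace what sshd uses.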
