Re: About the openssl hole
From: Michael Sharp (freebsd@ec.rr.com)
Date: 07/31/02
- Next message: Darren Pilgrim: "Re: About the openssl hole"
- Previous message: Fred Condo: "Old SSL libraries lying around"
- In reply to: Darren Pilgrim: "Re: About the openssl hole"
- Next in thread: Darren Pilgrim: "Re: About the openssl hole"
- Reply: Darren Pilgrim: "Re: About the openssl hole"
- Reply: Petr Swedock: "Re: About the openssl hole"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 31 Jul 2002 17:32:09 -0400 (EDT) From: "Michael Sharp" <freebsd@ec.rr.com> To: <dmp@pantherdragon.org>
Regarding using a port to fix a core issue. I so toatally disagree.
Each port/package that is installed on a FreeBSD box degrades the security
profile in small increments. My thoughts, use core as much as you can,
and use ports sparingly. I had 4 services exposed to the net that relied
on the bad OpenSSL. I chose to wait out the core team to fix things. Yes,
my website might have been down for 8 hrs, mail as well.. etc... but so
what? However, I'm not a 1000 hit a day business either so I guess one
could argue the wait for core/install a port issue there. But I have found
that core typically goes right to work on a issue, and a fix is out within
hrs.
Just my 2 cents
michael
> Gabriel Ambuehl wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>>
>> Hello Geir,
>>
>> Tuesday, July 30, 2002, 6:56:12 PM, you wrote:
>>
>> > I talked with an freind of mine who tried this solution, and he told
>> me that it where only one patch that failed.
>> > If you remove the patch "patch-ah" the build will go fine.
>>
>> > But as many know, the port of openssl will not completly replace the
>> core openssl.
>> > (You could see this if you build mod_ssl)
>>
>> Well I could live without mod_ssl for the next hours, but I can't just
>> go shutdown ssh on all boxes cause that would mean I'd have to go
>> onsite to some 4 NOCs (two of them on the other side of the world) to
>> have SSH get backup. Hmm. Maybe I'll just shut all SSL stuff down and
>> have the NOC monkeys reboot them when the patch is here....
>>
>> What's happening (I suppose) is that the port gets installed to
>> /usr/local/lib whereas the the old version still is in /usr/lib where
>
> Use -DOPENSSL_OVERWRITE_BASE. I recommend people install the OpenSSL
> port anyway, it gives you all those nifty extra programs that the
> maintainer(s) for the in-base openssl has seen fit not to include.
>
>> it belongs to as part of the base system which means that you probably
>> have to overwrite the old lib by hand but I wouldn't want to guarantee
>> that nothing is going to break if you do this.
>
> I can say from personal experience that installing the openssl port with
> -DOPENSSL_OVERWRITE_BASE doesn't break anything I've found or use
> (openssh, mod_ssl, courier_imap, and postfix).
>
>> To make it short: it's
>> probably best to just wait and update your boxes ASAP
>
> Why take down the whole machine, when you can use a port to just patch
> the broke part? That's what was so great about the OpenSSH port, it let
> a lot of people who couldn't make world or reinstall upgrade their
> copies of OpenSSH.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Darren Pilgrim: "Re: About the openssl hole"
- Previous message: Fred Condo: "Old SSL libraries lying around"
- In reply to: Darren Pilgrim: "Re: About the openssl hole"
- Next in thread: Darren Pilgrim: "Re: About the openssl hole"
- Reply: Darren Pilgrim: "Re: About the openssl hole"
- Reply: Petr Swedock: "Re: About the openssl hole"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
