Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl

From: Giorgos Keramidas (keramida_at_freebsd.org)
Date: 10/12/05

    Date: Wed, 12 Oct 2005 15:35:21 +0300
    To: jimmy@inet-solutions.be
    
    

    On 2005-10-11 18:37, jimmy@inet-solutions.be wrote:
    >Quoting jere <jere@htnet.hr>:
    >> unfortunately, this is the dark side of FreeBSD security patch
    >> management :) and I think also the main reason FreeBSD isn't so widely
    >> deployed into enterprise environments. It's ok for hacking or managing
    >> a few boxes but try to imagine how to manage security on hundreds of them
    >> this way. :(
    >>
    >> on the other side (bright side :) you can try to use unofficial and
    >> often somewhat slowly updating solutions such as bsdupdate
    >> (www.bsdupdates.com) or freebsd-update (from ports tree).
    >>
    >> currently, FreeBSD just doesn't have a mechanism to handle security
    >> advisories in a quick way.
    >>
    >> any suggestions/corrections ?
    >
    > What I meant was: "why compile everything instead of just openssl?"
    > I've been thinking about this question since the last openssl issue in FreeBSD.

    Because it's the easiest way (read "the easiest way to automate for
    thousands of machines, through a few well selected build machines")
    to make sure that you get *ALL* the dependencies right.

    The alternative of manually fiddling with makefiles under /usr/src may
    be ok for hacker-style, experimental installations, where a few hours of
    breakage may be ok. This is _UNACCEPTABLE_ in a large setup.
    Especially if one considers that large setups can make use of network
    booting from preinstalled images, which have been asynchronously
    updated, for any number of machines, to include the fixes.

    I don't see anything wrong with that.

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

