The current security check in bsd.openssl.mk has some deficiencies:

- it installs an OpenSSL port even when not necessary or not desired by the
  systems administrator:
  <http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011540.html>
- it is disabled by WITH_OPENSSL_BASE=yes, which is the recommended workaround
  for this situation
- it completely ignores vulnerable OpenSSL versions installed from ports, which
  makes the check somewhat pointless (why is a vulnerable base more of a
  problem than a vulnerable port?)

Either the check should be eliminated or used consistently on the used OpenSSL
version, no matter if it is from the base or a port, which is what the attached
patch does.

Fix:

--- Mk/bsd.openssl.mk 8 Apr 2004 10:01:53 -0000 1.15 +++ Mk/bsd.openssl.mk 27 Apr 2004 00:20:50 -0000 @@ -42,19 +42,12 @@ WITH_OPENSSL_PORT=yes .endif -# if no preference was set, check for an up to date base version +# if no preference was set, check for an base version # but give an installed port preference over it. .if !defined(WITH_OPENSSL_BASE) && \ !defined(WITH_OPENSSL_BETA) && \ !defined(WITH_OPENSSL_PORT) && \ - !exists(${LOCALBASE}/lib/libcrypto.so) && \ - exists(/usr/include/openssl/opensslv.h) -# Security: version in base must be 0.9.7d or have fixes -# http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssl/crypto/opensslv.h -OPENSSLVER!= ${AWK} '/OPENSSL_VERSION_TEXT/ { print $$4; exit }' \ - /usr/include/openssl/opensslv.h -# check for safe versions in the base -.if ${OPENSSLVER} == "0.9.7a-p1" || ${OPENSSLVER} == "0.9.7c-p1" || ${OPENSSLVER} == "0.9.7d" + !exists(${LOCALBASE}/lib/libcrypto.so) WITH_OPENSSL_BASE=yes .endif .endif
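Review bot: removing `exists(/usr/include/openssl/opensslv.h)` from the condition changes the fallback behaviour for a system whose base has no OpenSSL headers at all: with only `!exists(${LOCALBASE}/lib/libcrypto.so)` left, such a system now gets WITH_OPENSSL_BASE=yes, whereas before neither variable was set and the port could still be selected. Consider keeping the second test, i.e. `!exists(${LOCALBASE}/lib/libcrypto.so) && \` followed by `exists(/usr/include/openssl/opensslv.h)`, so that a missing base OpenSSL is still detected. The rewritten comment should also read "check for a base version".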
@@ -136,6 +129,17 @@ MAKE_ENV+= LDFLAGS="${LDFLAGS}" MAKE_ENV+= OPENSSLLIB=${OPENSSLLIB} OPENSSLINC=${OPENSSLINC} \ OPENSSLBASE=${OPENSSLBASE} OPENSSLDIR=${OPENSSLDIR} + +.if exists(${OPENSSLINC}/openssl/opensslv.h) +# Security: version must be 0.9.7d or have fixes +# http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssl/crypto/opensslv.h +OPENSSLVER!= ${AWK} '/OPENSSL_VERSION_TEXT/ { print $$4; exit }' \ + ${OPENSSLINC}/openssl/opensslv.h +# check for safe versions +.if ${OPENSSLVER} != "0.9.7a-p1" && ${OPENSSLVER} != "0.9.7c-p1" && ${OPENSSLVER} != "0.9.7d" +check-depends:: + @${ECHO_CMD} "Dependency warning: used OpenSSL version contains known vulnerabilities" +.endif ### crypto #RESTRICTED= "Contains cryptography."
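Review bot: the conditional opened by `+.if exists(${OPENSSLINC}/openssl/opensslv.h)` is never closed: the hunk adds two `.if` directives but only one `.endif` (the one following the `check-depends::` target), so make will stop with an unterminated conditional at the end of the file; a second `.endif` is needed after the existing one. Two smaller points on the same lines: the test `${OPENSSLVER} != "0.9.7a-p1" && ${OPENSSLVER} != "0.9.7c-p1" && ${OPENSSLVER} != "0.9.7d"` is an exact allowlist, so every release newer than 0.9.7d will be reported as "contains known vulnerabilities" until the list is extended, which the comment should say; and because the target only runs `${ECHO_CMD}`, the warning is informational and does not stop the build, which is fine if intended but should be stated in the comment as well.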
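As an added illustration (not code from the PR or from bsd.openssl.mk), the script below reproduces the probe the check performs, reading the version token out of OPENSSL_VERSION_TEXT in an opensslv.h, and places the check's exact-match allowlist beside a minimum-version policy that also accepts releases newer than 0.9.7d while still accepting the FreeBSD -p1 backports the check lists as safe. The sample headers are constructed, and make_header, openssl_version, allowlist_status, version_key and minimum_status are names chosen here.

```shell
#!/bin/sh
# Added example (not PR code): probe the version token the check reads and classify it.

# Constructed sample header in the layout of the real opensslv.h
# ($1 = path, $2 = version token such as 0.9.7d or 0.9.7c-p1).
make_header() {
    printf '#define OPENSSL_VERSION_NUMBER 0x0090700fL\n' > "$1"
    printf '#define OPENSSL_VERSION_TEXT "OpenSSL %s 17 Mar 2004"\n' "$2" >> "$1"
}

# Same extraction as the makefile: field 4 of the OPENSSL_VERSION_TEXT
# line is the token after the literal "OpenSSL.
openssl_version() {
    awk '/OPENSSL_VERSION_TEXT/ { print $4; exit }' "$1"
}

# Exact-match allowlist as in the check: anything not listed is "unknown",
# including releases newer than 0.9.7d.
allowlist_status() {
    case "$1" in
        0.9.7a-p1|0.9.7c-p1|0.9.7d) echo safe ;;
        *) echo unknown ;;
    esac
}

# Sortable key for MAJOR.MINOR.FIX[letter][-pN]: five zero-padded fields,
# letter mapped to a=1..z=26 (none = 0), FreeBSD -pN patch level last.
version_key() {
    base=${1%%-p*}; plevel=0
    case "$1" in *-p*) plevel=${1##*-p} ;; esac
    major=${base%%.*}; rest=${base#*.}
    minor=${rest%%.*}; fixpart=${rest#*.}
    letter=${fixpart#"${fixpart%%[a-z]*}"}   # trailing letter, if any
    fix=${fixpart%"$letter"}; lnum=0
    [ -n "$letter" ] && lnum=$(( $(printf '%d' "'$letter") - 96 ))
    printf '%03d%03d%03d%03d%03d' "$major" "$minor" "$fix" "$lnum" "$plevel"
}

# Minimum-version policy: safe at 0.9.7d or later, or one of the FreeBSD
# patched backports that carry the same fixes under a lower number.
minimum_status() {
    case "$1" in 0.9.7a-p1|0.9.7c-p1) echo safe; return ;; esac
    key=$(version_key "$1"); floor=$(version_key 0.9.7d)
    # the smaller of the two keys sorts first; safe iff that is the floor
    if [ "$(printf '%s\n%s\n' "$key" "$floor" | sort | head -n 1)" = "$floor" ]; then
        echo safe
    else
        echo vulnerable
    fi
}
```

Running `minimum_status 0.9.7e` against `allowlist_status 0.9.7e` shows the difference the two policies make for a release the fixed list has not caught up with.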
Responsible Changed From-To: freebsd-ports-bugs->dinoex

over to bsd.openssl.mk maintainer
> - it installs an OpenSSL port even when not necessary or not desired
>   by the systems administrator:
>   <http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011540.html>

This case is rare; I agree with nectar's comments here.

> - it is disabled by WITH_OPENSSL_BASE=yes, which is the recommended workaround
>   for this situation

correct.

> - it completely ignores vulnerable OpenSSL versions installed from ports,
>   which makes the check somewhat pointless (why is a vulnerable base more of
>   a problem than a vulnerable port?)

Vulnerabilities from ports are covered by a different port.
An outdated version will be reported by several tools:
pkg_version, portupgrade ....
A check in "bsd.openssl.mk" will not work in most cases.
Besides, users should update the complete ports tree.

> Either the check should be eliminated or used consistently on the used OpenSSL
> version, no matter if it is from the base or a port, which is what the attached
> patch does.

The purpose of this check is to support older releases of FreeBSD with the
current ports tree.
So a default installation of a port using openssl will be on the safe side.

kind regards Dirk

- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
- [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]
Dirk Meyer wrote:

>> - it installs an OpenSSL port even when not necessary or not desired
>>   by the systems administrator:
>>   <http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011540.html>
>
> This case is rare; I agree with nectar's comments here.

Other cases are
<http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011378.html>
<http://lists.freebsd.org/pipermail/freebsd-ports/2004-March/010753.html>
<http://lists.freebsd.org/pipermail/freebsd-ports/2004-March/010500.html>
more are in the archives. It seems like most people do not expect this
behaviour, especially since it is not clearly mentioned why this happens.

>> - it is disabled by WITH_OPENSSL_BASE=yes, which is the recommended workaround
>>   for this situation
>
> correct.

Which does in no way relate to a security check.

>> - it completely ignores vulnerable OpenSSL versions installed from ports,
>>   which makes the check somewhat pointless (why is a vulnerable base more of
>>   a problem than a vulnerable port?)
>
> Vulnerabilities from ports are covered by a different port.
> An outdated version will be reported by several tools:
> pkg_version, portupgrade ....

Reporting is fine, that is what I like to see in bsd.openssl.mk too.

> A check in "bsd.openssl.mk" will not work in most cases.
> Besides, users should update the complete ports tree.

Why? I would not recommend upgrading a working system if no security
vulnerabilities are found.

>> Either the check should be eliminated or used consistently on the used OpenSSL
>> version, no matter if it is from the base or a port, which is what the attached
>> patch does.
>
> The purpose of this check is to support older releases of FreeBSD
> with the current ports tree.

You could simply eliminate the check and still support older FreeBSD versions.

> So a default installation of a port using openssl will be on the safe side.

I cannot see the benefit of a changing dependency. Most installed ports that
use a vulnerable version of OpenSSL have to be recompiled anyway, so this check
does not fix problems, but gives people a wrong sense of security.

Again:
- the installation of a new port does not fix any security problems that exist
  on the system
- it does not give any indication why the system suddenly changes its behaviour

Reading the mailing lists I would assume that this feature confuses people more
than it helps understanding security vulnerabilities.

-Oliver
Oliver Eikemeier wrote:

> Other cases are
> <http://lists.freebsd.org/pipermail/freebsd-ports/2004-March/010500.html>
> more are in the archives. It seems like most people do not expect this
> behaviour, especially since it is not clearly mentioned why this happens.

The submitter clearly understands the effects.
Other reports are pointing to a bug with "LIB_DEPENDS"; this has been resolved.

>>> - it is disabled by WITH_OPENSSL_BASE=yes, which is the recommended workaround
>>>   for this situation
>>
>> correct.
>
> Which does in no way relate to a security check.

It disables "Autodetection". That's what we are talking about.

>> A check in "bsd.openssl.mk" will not work in most cases.
>> Besides, users should update the complete ports tree.
>
> Why? I would not recommend upgrading a working system if no security
> vulnerabilities are found.

"bsd.openssl.mk" doesn't recommend upgrading a working system when the
version found is "Known".

>> The purpose of this check is to support older releases of FreeBSD
>> with the current ports tree.
>
> You could simply eliminate the check and still support older FreeBSD versions.

No. The autodetection might otherwise build vulnerable versions by default.
A system might not expose an old base OpenSSL until a new port is built.

>> So a default installation of a port using openssl will be on the safe side.
>
> I cannot see the benefit of a changing dependency. Most installed ports that
> use a vulnerable version of OpenSSL have to be recompiled anyway, so this check
> does not fix problems, but gives people a wrong sense of security.

I can't follow your conclusion here.
Only when ports/security/openssl is updated will the check in
"bsd.openssl.mk" be adopted.

> Again:
> - the installation of a new port does not fix any security problems that exist
>   on the system

There might be no problem; the openssl in the base is rarely exposed to remote
users.

> - it does not give any indication why the system suddenly changes its behaviour

We can generate an error here if you insist it's better.

Dirk

- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
- [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]
State Changed From-To: open->closed

bsd.openssl.mk changed for:
- Don't build with openssl port when base version is stale