With the import of OpenSSL 0.9.8n into 8.1-RELEASE and subsequent 8-STABLE, it is no longer necessary to install the security/openssl port for versions >= 8.1. Note that I had to set --with-openssl-dir="" manually in the patch because I need the OSVERSION variable from <bsd.port.pre.mk> in the conditional, which also assigns OPENSSLBASE based on the stuff that comes before the .include <bsd.port.pre.mk>, so I cannot use that.
Responsible Changed From-To: freebsd-ports-bugs->miwi Over to maintainer (via the GNATS Auto Assign Tool)
On 10/4/10, b. f. <bf1783@googlemail.com> wrote:
> The patch in the PR is wrong, and so is my handling of a similar case
> in security/tor-devel. I've got an updated patch, which I'll submit
> to you soon, after I try to fix my tinderbox, which keeps bringing my
> machine down.

Well, my @#@%$^$ tinderbox is still crashing in the regression-test target when building lang/perl5.10. Anyway, here is a patch that ought to fix the issue in ports/151181.

The way to use openssl conditionally is to include bsd.openssl.mk once, and only once, after deciding whether WITH_OPENSSL_PORT needs to be set. (This is similar to other ports that use openssl conditionally, like, for example, ftp/wget.) Otherwise, if you use the patch originally proposed in the PR, you bypass safety checks, set a bunch of conflicting variables in the build environment, prevent users on recent versions of the OS from using openssl from ports if they want to do so, and fail to add dependencies on the openssl port on older versions of the OS when the user hasn't already installed the port beforehand, or defined WITH_OPENSSL_PORT manually, among other problems.

b.
I think b.f. is right. Since something similar is already up and working in tor-devel, can this please be committed as soon as possible?

Cheers,
Pascal
Also, please note that Tor 0.2.1.26 is not compatible with OpenSSL 0.9.8p and 1.0.0b (for relays). Updating to 0.2.1.27 is trivial: --- Makefile.old 2010-11-26 20:25:53.438853946 +0100 +++ Makefile 2010-11-26 20:21:28.561240507 +0100 @@ -6,8 +6,7 @@ # PORTNAME= tor -DISTVERSION= 0.2.1.26 -PORTREVISION= 2 +DISTVERSION= 0.2.1.27 CATEGORIES= security net ipv6 MASTER_SITES= http://www.torproject.org/dist/ \ http://tor.cypherpunks.at/dist/ \ @@ -23,8 +22,6 @@ GNU_CONFIGURE= yes CPPFLAGS+= -I${LOCALBASE}/include CONFIGURE_ENV+= CPPFLAGS="${CPPFLAGS}" -USE_OPENSSL= yes -WITH_OPENSSL_PORT= yes CONFIGURE_ARGS+= --with-openssl-dir="${OPENSSLBASE}" OPTIONS= BUFFREELISTS "freelists for buffer RAM" on \ @@ -47,6 +44,12 @@ .include <bsd.port.pre.mk> +.if (${OSVERSION} < 801000 || (${OSVERSION} >= 900000 && ${OSVERSION} < 900011)) +WITH_OPENSSL_PORT= yes +.endif + +.include "${PORTSDIR}/Mk/bsd.openssl.mk" + .if defined(WITH_BUFFREELISTS) CONFIGURE_ARGS+= --enable-buf-freelists .else --- distinfo.old 2010-05-25 13:29:30.000000000 +0200 +++ distinfo 2010-11-26 20:23:06.991467916 +0100 @@ -1,3 +1,2 @@ -MD5 (tor-0.2.1.26.tar.gz) = f7b30a144e1da41aa43f496bd47ffba7 -SHA256 (tor-0.2.1.26.tar.gz) = 6cdc60ed0b2e3eb790cbf37741a3c86a004f4f7c6678e25b9b936d6a340c7fa2 -SIZE (tor-0.2.1.26.tar.gz) = 2405749 +SHA256 (tor-0.2.1.27.tar.gz) = ec4d5c67231551d5ee3bf6cbccb87fccac3491fbe80f1d3fb778ad6b3d3f661c +SIZE (tor-0.2.1.27.tar.gz) = 2484332
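Review bot: The context line CONFIGURE_ARGS+= --with-openssl-dir="${OPENSSLBASE}" in the second Makefile hunk (around line 23) now sits well above the point where bsd.openssl.mk is included in the third hunk (around line 44), so it only resolves correctly because make expands the variable when CONFIGURE_ARGS is used, not when it is assigned. Moving that line below the .include "${PORTSDIR}/Mk/bsd.openssl.mk" would make the dependency on the include visible and keep it from silently expanding to an empty path if the ordering is ever changed.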
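Review bot: The OSVERSION bounds in the third Makefile hunk (801000, 900000, 900011) are bare magic numbers; add a one-line comment above the .if saying what they mark, namely the points at which the base system carries an OpenSSL recent enough for this port, as described at the top of this PR. Without that, the next person updating the port cannot tell when the conditional can be retired or whether a new branch needs its own bound.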
Update to 0.2.1.28. Security update, remote heap overflow (CVE-2010-1676). Maybe even remote code execution, so this is urgent! --- Makefile.orig 2010-12-20 20:11:22.000000000 +0100 +++ Makefile 2010-12-20 20:13:52.000000000 +0100 @@ -6,8 +6,7 @@ # PORTNAME= tor -DISTVERSION= 0.2.1.26 -PORTREVISION= 2 +DISTVERSION= 0.2.1.28 CATEGORIES= security net ipv6 MASTER_SITES= http://www.torproject.org/dist/ \ http://tor.cypherpunks.at/dist/ \ @@ -23,8 +22,6 @@ GNU_CONFIGURE= yes CPPFLAGS+= -I${LOCALBASE}/include CONFIGURE_ENV+= CPPFLAGS="${CPPFLAGS}" -USE_OPENSSL= yes -WITH_OPENSSL_PORT= yes CONFIGURE_ARGS+= --with-openssl-dir="${OPENSSLBASE}" OPTIONS= BUFFREELISTS "freelists for buffer RAM" on \ @@ -47,6 +44,12 @@ .include <bsd.port.pre.mk> +.if (${OSVERSION} < 801000 || (${OSVERSION} >= 900000 && ${OSVERSION} < 900011)) +WITH_OPENSSL_PORT=yes +.endif + +.include "${PORTSDIR}/Mk/bsd.openssl.mk" + .if defined(WITH_BUFFREELISTS) CONFIGURE_ARGS+= --enable-buf-freelists .else --- distinfo.orig 2010-05-25 13:29:30.000000000 +0200 +++ distinfo 2010-12-20 20:14:02.000000000 +0100 @@ -1,3 +1,2 @@ -MD5 (tor-0.2.1.26.tar.gz) = f7b30a144e1da41aa43f496bd47ffba7 -SHA256 (tor-0.2.1.26.tar.gz) = 6cdc60ed0b2e3eb790cbf37741a3c86a004f4f7c6678e25b9b936d6a340c7fa2 -SIZE (tor-0.2.1.26.tar.gz) = 2405749 +SHA256 (tor-0.2.1.28.tar.gz) = fe9756bee3228bf01334f743b7c74dd1edc83e5489f032737ce24eb6bdb19cbf +SIZE (tor-0.2.1.28.tar.gz) = 2471741
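Review bot: In the third Makefile hunk, WITH_OPENSSL_PORT=yes has no whitespace after the equals sign, while the other assignments visible in the patch (DISTVERSION= 0.2.1.28, GNU_CONFIGURE= yes) do. Write it as WITH_OPENSSL_PORT= yes so the added line matches the rest of the file.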
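Review bot: Confirm that the new SHA256 in the distinfo hunk was computed from a tarball checked against the upstream release signature. The MASTER_SITES shown in the first Makefile hunk are plain http:// URLs, so after the MD5 line is dropped this single checksum is the only integrity anchor for a release that is being pushed as an urgent security update.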
Responsible Changed From-To: miwi->bf plz take over :-)
bf          2011-01-01 18:36:01 UTC

  FreeBSD ports repository

  Modified files:
    security/tor         Makefile
  Log:
  - update MASTER_SITES on the basis of distilator results and:
    http://www.torproject.org/getinvolved/mirrors.html.en
  - fix conditional openssl requirements [1] (thanks to Pascal Stumpf
    for raising this issue, and that of CVE 2010-1676)

  PR:             151181 [1]
  Approved by:    makc, miwi (mentors, implicit)

  Revision  Changes    Path
  1.60      +22 -5     ports/security/tor/Makefile
State Changed From-To: open->closed Committed, with minor changes. Thanks!