How can I fix the linux-c6-openssl vulnerability without breaking the ports?

Hi Community


I updated the ports with portsnap fetch update and portmaster -aD, and it keeps on giving this one vulnerability. I also updated the packages with pkg update and pkg upgrade.

Code:
# pkg audit -F
Fetching vuln.xml.bz2: 100%  473 KiB 121.1kB/s  00:04
linux-c6-openssl-1.0.1e_3 is vulnerable:
OpenSSL -- multiple vulnerabilities
CVE: CVE-2015-0288
CVE: CVE-2015-0209
CVE: CVE-2015-0293
CVE: CVE-2015-0292
CVE: CVE-2015-0289
CVE: CVE-2015-0287
CVE: CVE-2015-0286
CVE: CVE-2015-0204
WWW: http://vuxml.FreeBSD.org/freebsd/9d15355b-ce7c-11e4-9db0-d050992ecde8.html

1 problem(s) in the installed packages found.
#
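
Added example (not part of the original post, and not code from pkg): a shell function that condenses `pkg audit` output like the above into one line per vulnerable package, giving name, installed version, CVE count and VuXML URL. The function names are made up for this example, and it assumes the version is the text after the last hyphen of the package name.

```shell
#!/bin/sh
# audit_summary (hypothetical name): read `pkg audit` output on stdin and
# print "<name> <installed-version> <CVE count> <VuXML URL>" per package.
audit_summary() {
    awk '
        function flush() {
            if (inrec) printf "%s %s %d %s\n", name, ver, cves, url
            inrec = 0; cves = 0; url = "-"
        }
        # "<name>-<version> is vulnerable:" opens a new record
        / is vulnerable:/ {
            flush()
            pkg = $1
            ver = pkg; sub(/^.*-/, "", ver)   # assumption: version follows the last "-"
            name = substr(pkg, 1, length(pkg) - length(ver) - 1)
            inrec = 1; next
        }
        inrec && /^CVE: / { cves++ }
        inrec && /^WWW: / { url = $2 }
        END { flush() }
    '
}

# Sample input: the audit output posted in this thread.
sample_audit() {
    cat <<'EOF'
Fetching vuln.xml.bz2: 100%  473 KiB 121.1kB/s  00:04
linux-c6-openssl-1.0.1e_3 is vulnerable:
OpenSSL -- multiple vulnerabilities
CVE: CVE-2015-0288
CVE: CVE-2015-0209
CVE: CVE-2015-0293
CVE: CVE-2015-0292
CVE: CVE-2015-0289
CVE: CVE-2015-0287
CVE: CVE-2015-0286
CVE: CVE-2015-0204
WWW: http://vuxml.FreeBSD.org/freebsd/9d15355b-ce7c-11e4-9db0-d050992ecde8.html

1 problem(s) in the installed packages found.
EOF
}

sample_audit | audit_summary
```

On a live system the same function reads the real report: `pkg audit -F | audit_summary`.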
 
portmaster -aD -m DISABLE_VULNERABILITIES=yes

or
cd /usr/ports/security/linux-c6-openssl and
make install clean DISABLE_VULNERABILITIES=yes
 
Which version of security/openssl do you have installed? If it's 1.0.1e_3, the vulnerability message is true, and you have to update with portmaster. If you updated first with portmaster and after this with pkg update, pkg update reverted to the older version.
 
Which version of security/openssl do you have installed?

The security version is vuxml-1.1_2. And I have already upgraded with portmaster as I said in the first comment.
Code:
# pkg info vuxml
vuxml-1.1_2
Name  : vuxml
Version  : 1.1_2
Installed on  : Mon Jan  5 20:58:36 CET 2015
Origin  : security/vuxml
Architecture  : freebsd:10:x86:32
Prefix  : /usr/local
Categories  : textproc security
Licenses  : BSD2CLAUSE
Maintainer  : ports-secteam@FreeBSD.org
WWW  : UNKNOWN
Comment  : Vulnerability and eXposure Markup Language DTD
Annotations  :
Flat size  : 39.5KiB
Description  :
VuXML (the Vulnerability and eXposure Markup Language) is an XML
application for documenting security bugs and corrections within
a software package collection such as the FreeBSD Ports Collection.
This port installs the DTDs required for validating VuXML documents.
 
I updated the ports with portsnap fetch update and portmaster -aD, and it keeps on giving this one vulnerability. I also updated the packages with pkg update and pkg upgrade.

I did not understand this line. Did you do both? (Update with portmaster and with pkg update.)
 
portmaster -aD -m DISABLE_VULNERABILITIES=yes

or
cd /usr/ports/security/linux-c6-openssl and
make install clean DISABLE_VULNERABILITIES=yes

Please do not advise this without pointing out that it overrides the safety that is meant to keep your system secure. It should never be used routinely.
 
wblock@: As I updated linux-c6-openssl, portmaster stops with the vulnerability message. I updated in the port with DISABLE_VULNERABILITIES=yes. It doesn't work in the normal way, why ever.

It does not work in the normal way because the system is trying to protect you from installing software with known vulnerabilities. Any suggestion of using DISABLE_VULNERABILITIES should come with a warning: this is dangerous, do not use it without understanding the security implications.
 
then I did it with portmaster -aD, and I finally did it for the packages with pkg update and pkg upgrade.
You should not do both and it's not necessary. Either update with portmaster or with pkg update.
If you want to fix the vulnerability now, you have to update with portmaster to get the fixed version.
If this does not work (try the "normal" way without DISABLE_VULNERABILITIES), cd /usr/ports/security/linux-c6-openssl and make install clean.
 
If you want to fix the vulnerability now, you have to update with portmaster to get the fixed version.
Update ports:
Code:
# portmaster -aD
===>>> Starting check of installed ports for available updates

===>>> All ports are up to date
#
Remember that I'm using the XFCE desktop; it is my first well-configured FreeBSD in VirtualBox, and I do not want to spoil it. I love FreeBSD with a graphical desktop. :)

Update packages and repository:
Code:
# pkg upgrade
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (115 candidates): 100%
Processing candidates (115 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
#
Still gives the same problem. :rolleyes:
 
And pkg info linux-c6-openssl says linux-c6-openssl-1.0.1e_3?
This is what the system reports for linux-c6-openssl-1.0.1e_3:
Code:
# pkg info linux-c6-openssl-1.0.1e_3
linux-c6-openssl-1.0.1e_3
Name  : linux-c6-openssl
Version  : 1.0.1e_3
Installed on  : Wed Feb 18 21:30:35 CET 2015
Origin  : security/linux-c6-openssl
Architecture  : freebsd:10:x86:32
Prefix  : /compat/linux
Categories  : security linux
Licenses  :
Maintainer  : emulation@FreeBSD.org
WWW  : http://www.openssl.org/
Comment  : OpenSSL toolkit (Linux CentOS 6.6)
Annotations  :
   repo_type  : binary
   repository  : FreeBSD
Flat size  : 3.87MiB
Description  :
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security
(TLS v1) protocols with full-strength cryptography world-wide. The
project is managed by a worldwide community of volunteers that use
the Internet to communicate, plan, and develop the OpenSSL tookit
and its related documentation.

OpenSSL is based on the excellent SSLeay library developed by Eric
A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under
an Apache-style licence, which basically means that you are free
to get and use it for commercial and non-commercial purposes subject
to some simple license conditions.

WWW: http://www.openssl.org/
WWW: http://sctp.fh-muenster.de/dtls-patches.html
 
What does uname -a say?
Is there anything in /etc/make.conf or /etc/libmap.conf?
Try to fetch a new ports tree with rm /var/db/portsnap/tag and portsnap fetch extract, and after that try again with portmaster.
 
What does uname -a say?
Is there anything in /etc/make.conf or /etc/libmap.conf?
Try to fetch a new ports tree with rm /var/db/portsnap/tag and portsnap fetch extract, and after that try again with portmaster.

Do the ports not break when deleting files with rm /var/db/portsnap/tag; portsnap fetch extract?

In uname -a
Code:
FreeBSD gateway.fbdtem.com 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 22:51:51 UTC 2014  root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386


In /etc/make.conf
Code:
# ee /etc/make.conf

OVERRIDE_LINUX_BASE_PORT=c6
OVERRIDE_LINUX_NONBASE_PORTS=c6

In /etc/libmap.conf
Code:
# ee /etc/libmap.conf

# $FreeBSD: releng/10.1/etc/libmap.conf 253853 2013-08-01 05:50:42Z jlh $
includedir /usr/local/etc/libmap.d
 