openssl-1.0.2_15,1 is vulnerable

I have two FreeBSD 10.3 servers; an audit shows the following

Code:
pkg audit
openssl-1.0.2_15,1 is vulnerable:
OpenSSL -- multiple vulnerabilities
CVE: CVE-2016-6308
CVE: CVE-2016-6307
CVE: CVE-2016-6306
CVE: CVE-2016-2181
CVE: CVE-2016-2179
CVE: CVE-2016-2178
CVE: CVE-2016-2177
CVE: CVE-2016-2180
CVE: CVE-2016-2182
CVE: CVE-2016-6302
CVE: CVE-2016-6303
CVE: CVE-2016-2183
CVE: CVE-2016-6305
CVE: CVE-2016-6304
WWW: https://vuxml.FreeBSD.org/freebsd/43eaa656-80bc-11e6-bf52-b499baebfeaf.html

I run the following

Code:
pkg update
pkg upgrade

pkg audit still shows the same vulnerabilities. How can I force openssl to upgrade to a secure version?

Thanks,
Tim
 

DutchDaemon

There simply isn't a new version in the ports tree yet (hence no binary package).

Code:
PORTNAME=       openssl
PORTVERSION=    1.0.2
DISTVERSIONSUFFIX=      h
PORTREVISION=   15
PORTEPOCH=      1
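To make DutchDaemon's point checkable, here is a small POSIX sh script added for this thread (it is not something any poster provided). It parses the kind of output pkg audit prints into one line per finding, derives the package version the port's Makefile would build from PORTVERSION/PORTREVISION/PORTEPOCH, and compares that with the installed version from the audit line. The sample audit text and Makefile variables are constructed from what is quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example: would "pkg upgrade" fix this finding, or is the ports tree
# still at the same version?  Inputs are embedded as constructed samples so
# the script runs offline; on a real host feed it the output of `pkg audit`
# and the contents of /usr/ports/security/openssl/Makefile instead.

# Constructed sample, trimmed from the audit output quoted in the thread.
AUDIT_SAMPLE='openssl-1.0.2_15,1 is vulnerable:
OpenSSL -- multiple vulnerabilities
CVE: CVE-2016-6308
CVE: CVE-2016-6307
CVE: CVE-2016-2183
WWW: https://vuxml.FreeBSD.org/freebsd/43eaa656-80bc-11e6-bf52-b499baebfeaf.html'

# Constructed sample: the version variables quoted from the port's Makefile.
MAKEFILE_SAMPLE='PORTNAME=       openssl
PORTVERSION=    1.0.2
DISTVERSIONSUFFIX=      h
PORTREVISION=   15
PORTEPOCH=      1'

# audit_summary: print "<package> <cve-count> <advisory-url>" per finding.
audit_summary() {
    printf '%s\n' "$1" | awk '
        / is vulnerable:$/ { pkg = $1; cves = 0 }
        /^CVE: /           { cves++ }
        /^WWW: /           { print pkg, cves, $2 }
    '
}

# ports_pkgversion: build the package version the Makefile yields,
# PORTVERSION[_PORTREVISION][,PORTEPOCH].  DISTVERSIONSUFFIX only names the
# distfile (openssl-1.0.2h.tar.gz); it is not part of the package version.
ports_pkgversion() {
    printf '%s\n' "$1" | awk -F'=' '
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "PORTVERSION"  { v = $2 }
        $1 == "PORTREVISION" { r = $2 }
        $1 == "PORTEPOCH"    { e = $2 }
        END {
            out = v
            if (r != "" && r != "0") out = out "_" r
            if (e != "" && e != "0") out = out "," e
            print out
        }
    '
}

# port_version_changed: "no" when the installed package (name-version as
# printed by pkg audit) is exactly what the ports tree builds, "yes" when
# the tree carries a different version and an upgrade may be possible.
port_version_changed() {
    installed=${1##*-}              # openssl-1.0.2_15,1 -> 1.0.2_15,1
    ports=$(ports_pkgversion "$2")
    if [ "$installed" = "$ports" ]; then
        echo no
    else
        echo yes
    fi
}

audit_summary "$AUDIT_SAMPLE"
printf 'ports tree builds version: %s\n' "$(ports_pkgversion "$MAKEFILE_SAMPLE")"
printf 'ports tree differs from installed: %s\n' \
    "$(port_version_changed openssl-1.0.2_15,1 "$MAKEFILE_SAMPLE")"
```

With the sample inputs the last line prints "no": the tree is at 1.0.2_15,1, the same as the installed package, so no pkg upgrade can help until the port is bumped. The script only tests equality; for real ordering of two version strings use pkg version -t, which prints <, = or >.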
 
pkg audit showed a strange behavior on 11-RC1:
Code:
libxml2 -- multiple vulnabilities

Could this be called a spelling regression? :D
Anyway, the pkg update / pkg upgrade worked fine here.
 
The patches are still not available; it seems like a lack of taking security seriously within FreeBSD.
 
I recently switched to using LibreSSL. You can add DEFAULT_VERSIONS = ssl=libressl in /etc/make.conf and recompile your ports. There's a dirty hack to include LibreSSL in the base system but it's not stable. Hopefully FreeBSD will start to use LibreSSL in its base system soon, as many other distros have started to use LibreSSL in their base system.
 
I read that starting with FreeBSD 11, LibreSSL will be the default and OpenSSL support may be dropped altogether. So will LibreSSL work with any existing port under 10.3? Currently I'm only concerned with nginx, apache24, pound, and ngircd. I don't really want to be bothered with testing this at the moment. Since OpenSSL is part of the base system I would expect to see an effort to release security patches in a timely manner until the day OpenSSL support is dropped completely. o_O
 
Most ports will work. I use FreeBSD 10.3, and Nginx, Dovecot, and Postfix work fine with LibreSSL. I don't use Apache so I can't comment.

Curl will throw an error during compilation, so you might want to disable one option, TLS_SRP.
 
Is there a current workaround planned for 10.x and 11.x via make.conf or src.conf options to include LibreSSL in base system during 'build world'?

I doubt that. It would require backporting of huge amounts of code from CURRENT to those releases to fix all consumers of OpenSSL that make assumptions about availability of certain features that have been removed in LibreSSL.
 
I doubt that. It would require backporting of huge amounts of code from CURRENT to those releases to fix all consumers of OpenSSL that make assumptions about availability of certain features that have been removed in LibreSSL.

In other words, we will have to wait 2 to 3 years before FreeBSD 12 is released. That will be unacceptable for some people or companies who take security seriously.
 

SirDice

Although there have been some problems with OpenSSL lately, issues are picked up and patched quite quickly. So I very much doubt this is as big of a problem as you imply.
 
In theory the upcoming 10.4-RELEASE could use LibreSSL (if introduced in stable/10 now) but that would break the ABI meaning that binaries compiled on 10.3 wouldn't work out of the box on 10.4. That's a promise you don't want to break.
 
Although there have been some problems with OpenSSL lately, issues are picked up and patched quite quickly. So I very much doubt this is as big of a problem as you imply.

True, but still it's unacceptable for some people (not me) as they might think there are other serious security issues which haven't been reported or resolved. There have been several major security issues this year, including the DROWN attack and the recent one. That is enough to cause concerns about OpenSSL's reliability.

TrueOS (formerly PC-BSD) and HardenedBSD currently have LibreSSL in their base system.

Anyway, there's a workaround for FreeBSD presently on LibreBSD (https://github.com/Sp1l/LibreBSD).
 
DragonFly's master branch also has LibreSSL in the base system, although it's "private", meaning only base programs and libraries use it. Everything else has to use LibreSSL or OpenSSL from ports. That sets DragonFly apart slightly, as TrueOS's and HardenedBSD's LibreSSL are available for public use.
 
You have to use subversion to pull in the source code and compile FreeBSD. pkg won't be updated for at least a few days, but the source code is available immediately. I'm doing the 'build world' right now.
 

SirDice

Packages used to be built once a week (every Wednesday IIRC), but this schedule may have been changed already. There was some discussion about how often it should and can be done.

Ports tend to be updated quite quickly; packages will always lag behind a bit. That's an important reason why a lot of us build our own repositories. Setting up your own repository will also "solve" the other issue: it's easy to set LibreSSL as the default instead of OpenSSL.
 