Problem with openssl port dependency on ngnix update

R

Radibor

Hello,

I have a FreeBSD 10.3 system running with nginx-1.8.1,2 installed. I'm using openssl(1) from the base system so no security/openssl port installed currently. When I now try to update NGINX to nginx-1.10.1,2 via portmaster(8) the update wants to install the security/openssl port as a dependency, which is a problem for 2 reasons: 1st: I want to use the base system openssl(1) prior to the ports version whenever possible, 2nd: the current security/openssl version in ports throws a security issue upon installation attempt anyway:
Code: 
openssl-1.0.2_12 is vulnerable:
OpenSSL -- vulnerability in DSA signing
CVE: CVE-2016-2178
WWW: https://vuxml.FreeBSD.org/freebsd/6f0529e2-2e82-11e6-b2ec-b499baebfeaf.html
Regarding this I have 2 questions:

1. (out of curiosity): Why does minor version update of nginx (1.8 .1 to 1.10.1.) adds a decency to the OpenSSL port anyway when the current version obviously did not need it?

2. (to solve my current problem): How can I force nginx 1.10.1 to use openssl from the base system instead of trying to install the openssl port during update?

Thanks in advance.
Regards,
Gunnar
 
The port will always use the OpenSSL port for FreeBSD below 11.0:
Code: 
.if defined(NGINX_OPENSSL)
 	USE_OPENSSL=    yes
 	.if ${OSVERSION} < 1100000
 	   WITH_OPENSSL_PORT=yes
	.endif
.endif
 
That is strange as I have version nginx-1.8.1,2 installed from ports a couple of months ago (FreeBSD was v10.1 at that point, I recently upgraded to 10.3-RELEASE) and it's running properly and neither demanded installation of OpenSSL port back then nor is the OpenSSL port installed at all at the moment. So this version check for the OpenSSL port might have been added recently? Which also bears the question why it has been added at all if v1.8.1 is working properly along with the base system OpenSSL?
So it doesn't really make sense to me right now.
 
It's possible the new version requires certain features or options that aren't available with the OpenSSL from the base.
 
I'm also using security/openssl and running in to the "vulnerability in DSA signing" error when trying to update it.

I sent an email to the port maintainer yesterday, but I believe it just fell on deaf ears. The port has been updated to fix that vulnerability, but I believe he needs to bump the port revision - otherwise we'll still get the error message and not be able to upgrade it.

If anyone else wants to try and email him, his address is at the top of the Makefile here :

http://svnweb.freebsd.org/ports/head/security/openssl/Makefile?revision=416823&view=markup
 
Have you run pkg audit -F after updating your ports?

Btw, as of today security/openssl is at version 1.0.2_13 and at least on my system I don't get any vulnerability warnings with pkg-audit(8) so definitely check if your vulnerabilty database at /var/db/pkg/vuln.xml is up to date.
 
I'm still not able to update after the audit.
Code: 
$pkg audit -F
vulnxml file up-to-date
openssl-1.0.2_12 is vulnerable:
OpenSSL -- vulnerability in DSA signing
CVE: CVE-2016-2178
WWW: https://vuxml.FreeBSD.org/freebsd/6f0529e2-2e82-11e6-b2ec-b499baebfeaf.html

1 problem(s) in the installed packages found.
 
Are you using the official packages or building ports yourself? I checked the ports tree and both head and 2016Q2 branches have 1.0.2_13.
 
The port was updated on 12th of june, you might have forgotten to update your ports tree after that.

FYI, OpenSSL is now supported by the DEFAULT_VERSIONS mechanism:

https://svnweb.freebsd.org/ports?view=revision&revision=416965


The /usr/ports/UPDATING entry:

Code: 
20160616
  AFFECTS: users of security/openssl*, security/libressl*
  AUTHOR: mat@FreeBSD.org

  Previously, to tell the ports tree, you needed to set:

  WITH_OPENSSL_PORT=yes

  And if you wanted a port that was not security/openssl, you needed to add,
  for example:

  OPENSSL_PORT=    security/libressl

  Now, all you need to do is:

  DEFAULT_VERSIONS+=  ssl=libressl

  Valid values are base, openssl, openssl-devel, libressl, and libressl-devel.
 
kpa said:
The port was updated on 12th of june, you might have forgotten to update your ports tree after that.
Click to expand...

No, that's not it - I have portsnap cron update in cron that fires at 12:01am daily + I manually run portsnap fetch update myself before updating ports.

Also, thanks for the head up! I also received the depreciated warnings when updating this morning - and I fixed my /etc/make.conf file and included DEFAULT_VERSIONS+=ssl=openssl.
 
You must log in or register to reply here.
Back
Top