Hej, i notice openssl in pkgsrc is at 1.0.2p, which has some security issues ;-) I also happened to notice that none of my installed packages use pkgsrc openssl anymore. But to fix the nasty security warnings i just changed the Makefile instead of removing pkgsrc openssl: cvs diff -u -p Makefile Index: Makefile =================================================================== RCS file: /cvsroot/pkgsrc/security/openssl/Makefile,v retrieving revision 1.240 diff -u -p -r1.240 Makefile --- Makefile 12 Sep 2018 12:44:17 -0000 1.240 +++ Makefile 15 Jun 2019 09:43:16 -0000 @@ -1,6 +1,6 @@ # $NetBSD: Makefile,v 1.240 2018/09/12 12:44:17 fhajny Exp $ -DISTNAME= openssl-1.0.2p +DISTNAME= openssl-1.0.2s CATEGORIES= security MASTER_SITES= https://www.openssl.org/source/ and ran make NO_CHECKSUM=yes, which builds fine. I updated distinfo. pkgdiff distinfo.1.0.2p distinfo $NetBSD$ --- distinfo.1.0.2p 2019-06-15 09:46:58.324777984 +0000 +++ distinfo 
@@ -2,6 +2,6 @@ $NetBSD: distinfo,v 1.133 2018/09/12 12: -SHA1 (openssl-1.0.2p.tar.gz) = f34b5322e92415755c7d58bf5d0d5cf37666382c -RMD160 (openssl-1.0.2p.tar.gz) = 0df40a7f180e381bff7d7d9593bdfece4b054951 -SHA512 (openssl-1.0.2p.tar.gz) = 958c5a7c3324bbdc8f07dfb13e11329d9a1b4452c07cf41fbd2d42b5fe29c95679332a3476d24c2dc2b88be16e4a24744aba675a05a388c0905756c77a8a2f16 -Size (openssl-1.0.2p.tar.gz) = 5338192 bytes +SHA1 (openssl-1.0.2s.tar.gz) = cf43d57a21e4baf420b3628677ebf1723ed53bc1 +RMD160 (openssl-1.0.2s.tar.gz) = 6067f88e5f1ac797e189648386adb12ca4aba85d +SHA512 (openssl-1.0.2s.tar.gz) = 9f745452c4f777df694158e95003cde78a2cf8199bc481a563ec36644664c3c1415a774779b9791dd18f2aeb57fa1721cb52b3db12d025955e970071d5b66d2a +Size (openssl-1.0.2s.tar.gz) = 5349149 bytes SHA1 (patch-Configure) = 2d963d781314276a0ee1bc531df6bc50f0f6b32b this is what make test outputs (just the last lines): PASS test_bad_dtls ../util/shlib_wrap.sh ./bad_dtls_test test_fatalerr ../util/shlib_wrap.sh ./fatalerrtest ../apps/server.pem ../apps/server.pem SSL_accept() failed -1, 1 137979223186948:error:140800FF:SSL routines:ssl3_accept:unknown state:s3_srvr.c:869: test_x509_time ../util/shlib_wrap.sh ./x509_time_test PASS gmake[1]: Leaving directory '/usr/pkgsrc/security/openssl/work/openssl-1.0.2s/test' OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a OpenSSL 1.0.2s 28 May 2019 built on: reproducible build, date unspecified platform: NetBSD-x86_64 options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(ptr2) compiler: gcc -I. -I.. 
-I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H -O2 -D_FORTIFY_SOURCE=2 -I/usr/include -Wa,--noexecstack -DTERMIOS -DL_ENDIAN -DMD32_REG_T=int -O2 -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/pkg/etc/openssl"

Since I obviously do not directly need openssl, I refrained from upgrading to openssl stable 1.1.1c, especially since I cannot make a cross-platform check for all variants of pkgsrc. Nevertheless, this upgrade is what openssl folks recommend since 1.0.2 will receive no support after 2019 has ended. For the remaining 6 months I think it would be nice to have at least 1.0.2s in pkgsrc.

Cheers
Oskar
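
Review bot: The `+DISTNAME= openssl-1.0.2s` line in the Makefile hunk jumps from 1.0.2p straight to 1.0.2s, and neither the hunk nor the message names the security issues this closes. Suggest listing the upstream security fixes picked up between p and s in the commit message, so the update can be matched against the entries that produced the security warnings mentioned above.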
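
Review bot: The `+SHA1`, `+RMD160` and `+SHA512` lines in the distinfo hunk were generated from a tarball that, per the message, was built with `make NO_CHECKSUM=yes`, so they record whatever was downloaded rather than confirm it is the upstream release. Before committing, compare at least one of the new digests for openssl-1.0.2s.tar.gz against the value upstream publishes, then rerun the build without NO_CHECKSUM so the fetched file is checked against this distinfo.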