FreeBSD-SA-15:01.openssl

[benjyamon]

I'm curious how long it might take to get the freebsd-update to patch the latest round of openssl bugs / vulnerabilities..  .

[jschellevis]

I'm curious how long it might take to get the freebsd-update to patch the latest round of openssl bugs / vulnerabilities..  .

The latest version (1.0.1l) is already in our ports collection. See openssl's Security Advisory https://www.openssl.org/news/secadv_20150108.txt.

Discussions are currently ongoing to migrate from openssl to libressl.Currently we are testing this with the help of others in the community.  Expect a new release 15.1.2 soon with either openssl or libressl.

[franco]

The source code is all there with the necessary patches, so if you feel uneasy about waiting for 15.1.2 you could  build it on your own. This is one of our project's goals so you don't have to wait or trust us to provide the proper binary images. We provide you with all the help and documentation you may need. If that's not the case please let us know.

Right now we are evaluating libressl in the ports system. It has shown that it's almost ready for deployment, but some patches for ports are currently being discussed, reviewed and tested. It is most likely that 15.1.2 will include a newer OpenSSL from ports as opposed to the now vulnerable base version. The switch to libressl will happen in a later stable release once the patches have been accepted by FreeBSD.

We also look into how hard it is to remove OpenSSL from base so we never run into twilight issues with two installed OpenSSL versions where one is always more vulnerable than the other. All of these things take time and proper testing. Expect all of this to be rock stable in 15.7 so we can move on to improve other things.

Right now it's just me working on this in my free time, so I hope that explains why things don't seem to move "as fast as they should".

[franco]

BTW, we do not support upgrades using freebsd-update.