pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

some packages link against base's openssl even if PREFER.openssl=pkgsrc is specified


I want to raise the attention to the problem that even if
PREFER.openssl=pkgsrc is specified some packages do link to the bases's
openssl libraries which might cause security risks.  Further in the case
of net/bind98 and print/cups both the base's and pkgsrc's versions of
the library are linked according to ldd(1).  I have no clue what the
practical result (which function of which version is used in the end)
this has, but I think this can be regarded as a critical problem, due to
the security risk of using the undesired version of the library that
might have security flaws.

The corresponding problem reports with more details of what happens:

  pkg/45823 (net/bind98)
  pkg/45824 (print/cups)
  pkg/45825 (net/vpnc)

The problem reports include possible solutions and corresponding

As this does not behave as expected and due to the possible security
risk, I would be happy if that gets fixed in pkgsrc HEAD and
pkgsrc-2011Q4 branches.

Matthias Kretschmer

Home | Main Index | Thread Index | Old Index