pkgsrc-Users archive
some packages link against base's openssl even if PREFER.openssl=pkgsrc is specified
Hi,
I want to draw attention to the problem that even if
PREFER.openssl=pkgsrc is specified, some packages do link to the base's
openssl libraries, which might cause security risks. Further, in the case
of net/bind98 and print/cups both the base's and pkgsrc's versions of
the library are linked according to ldd(1). I have no clue what
practical result (which function of which version is used in the end)
this has, but I think this can be regarded as a critical problem, due to
the security risk of using the undesired version of the library, which
might have security flaws.
The corresponding problem reports with more details of what happens:
pkg/45823 (net/bind98)
pkg/45824 (print/cups)
pkg/45825 (net/vpnc)
The problem reports include possible solutions and corresponding
patches.
As this does not behave as expected and due to the possible security
risk, I would be happy if that gets fixed in pkgsrc HEAD and
pkgsrc-2011Q4 branches.
--
Regards
Matthias Kretschmer
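The check the mail describes (running ldd(1) over installed binaries and seeing which libssl/libcrypto they resolve to) can be scripted. The following is an added example for this thread, not code from Matthias' mail or from pkgsrc itself. It assumes the base system's libraries live under /usr/lib and pkgsrc's LOCALBASE is /usr/pkg (both overridable), and it classifies a binary as linking none, base, pkgsrc or mixed OpenSSL. The ldd output it demonstrates on is constructed, not captured from a real bind98 or cups install.

```shell
#!/bin/sh
# Added example, not from the original mail or from pkgsrc.
# Classify which OpenSSL a binary is linked against from ldd(1)-style
# output, and flag the base-only and mixed cases the mail worries about.
#
# Assumptions (not stated in the mail, override via the environment):
#   base OpenSSL lives under $BASE_LIBDIR, pkgsrc's under $PKG_LIBDIR.
BASE_LIBDIR=${BASE_LIBDIR:-/usr/lib}
PKG_LIBDIR=${PKG_LIBDIR:-/usr/pkg/lib}

# classify_ssl_links: read ldd output on stdin and print exactly one of
#   none    - no libssl/libcrypto in the link closure
#   base    - only the base system's libssl/libcrypto
#   pkgsrc  - only pkgsrc's libssl/libcrypto
#   mixed   - both are loaded (the bind98/cups situation in the mail)
# Works with both NetBSD ("-lssl.9 => /usr/lib/libssl.so.9") and Linux
# ("libssl.so.1 => /usr/lib/libssl.so.1 (0x...)") line formats.
classify_ssl_links() {
    base=0
    pkg=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ;;
            *) continue ;;
        esac
        # The resolved path is the token after "=>"; drop the load
        # address Linux appends after it.
        path=${line#*=>}
        path=${path# }
        path=${path%% *}
        case "$path" in
            "$BASE_LIBDIR"/*) base=1 ;;
            "$PKG_LIBDIR"/*)  pkg=1 ;;
        esac
    done
    if [ "$base" = 1 ] && [ "$pkg" = 1 ]; then
        echo mixed
    elif [ "$base" = 1 ]; then
        echo base
    elif [ "$pkg" = 1 ]; then
        echo pkgsrc
    else
        echo none
    fi
}

# scan_prefix [PREFIX]: run ldd over the executables installed under
# PREFIX (default /usr/pkg) and report every binary that pulls in the
# base OpenSSL despite PREFER.openssl=pkgsrc, or both copies at once.
scan_prefix() {
    prefix=${1:-/usr/pkg}
    for f in "$prefix"/bin/* "$prefix"/sbin/* "$prefix"/libexec/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        # Scripts make ldd complain; suppress that and they classify as none.
        verdict=$(ldd "$f" 2>/dev/null | classify_ssl_links)
        case "$verdict" in
            base|mixed) printf '%s\t%s\n' "$verdict" "$f" ;;
        esac
    done
}

# Demonstration on constructed ldd output (not a real named binary).
demo_named_ldd() {
    printf '%s\n' \
        '/usr/pkg/sbin/named:' \
        '        -lcrypto.8 => /usr/lib/libcrypto.so.8' \
        '        -lssl.1.0.0 => /usr/pkg/lib/libssl.so.1.0.0' \
        '        -lc.12 => /usr/lib/libc.so.12'
}

demo_named_ldd | classify_ssl_links      # prints: mixed
```

On a live system run `scan_prefix /usr/pkg` (or whatever LOCALBASE is) after setting PREFER.openssl=pkgsrc and rebuilding; every line it prints is a package whose link closure still reaches the base OpenSSL. A `mixed` verdict is the one to look at first: which of the two copies actually satisfies a given symbol depends on the dynamic linker's lookup order, so the binary's behaviour cannot be reasoned about from the package's own configure flags alone.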