Subject: HEADS UP: openssl-0.9.6e package update
To: None <tech-pkg@netbsd.org>
From: Frederick Bruckman <fredb@immanent.net>
List: tech-pkg
Date: 08/04/2002 10:55:46
[Please direct follow-ups to tech-pkg.]

I've just updated our openssl package to 0.9.6e, and there are a few
things our users should know. In case you've been living in a cave
this past week, this update fixes multiple vulnerabilities, including
potentially exploitable buffer overrun errors. See

 ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc

The package also includes the 2002-08-04 fix to the fix for ASN1 checks.

It also involves an ABI change on all platforms, so all binaries linked
with the openssl package shared libraries should be rebuilt. The good
news is, most packages built against NetBSD-1.5* and NetBSD-1.6* (that
is, from NetBSD-1.5 release candidates to current) will be linked with
the *in-tree* openssl libraries. You may update your NetBSD-1.5.3
installation from the release branch *without* needing to recompile any
of those packages. The URI above gives details for those who are familiar
with upgrading the base system from source; those who are not, see

 http://www.netbsd.org/Documentation/current/

***  ***IMPORTANT***  *****  ***IMPORTANT***  *****  ***IMPORTANT***  ***
Failure to update your base system before updating packages will force the
package system to automatically add the openssl package as a dependency
for many packages for which this would not otherwise be the case!
Therefore, please update your base system openssl libraries first!
***  ***************  *****  ***************  *****  ***************  ***

Because most of the packages on the installed user base which make use of
openssl shared libraries are not using the package, but rather the base
system, it's not desirable or appropriate to mark all such packages
obsolete (as was done with libpng). This is not a problem for those
maintaining installed packages, as the package system will normally force
you to upgrade all dependents of a package in order to upgrade said package.
Those maintaining a collection of binary packages should, however, remove
these packages manually. [I've already done this on ftp.netbsd.org.] Note,
there are no security consequences of keeping the old dependents around,
as long as the old openssl package is removed. On ELF platforms, binaries
in such packages won't even run because of the "soname" mismatch.

To help with the above, I've compiled lists of packages which may be
affected.  Here is a list of all packages which currently require a
version of openssl greater than that found in the netbsd-1-5 release
branch, and so are likely to require openssl on netbsd-1-5:


cervisia<=1.4.1nb1	kdemultimedia<=1.2.2nb1	kstars<=1.9
kdbg<=1.2.5		kdenetwork<=1.2.2nb1	ktail<=1.5.1nb1
kdeaddons<=1.2.2	kdepim<=1.2.2nb1	kyahoo<=1.7nb1
kdeadmin<=1.2.2nb1	kdesdk<=1.2.2nb1	openssh<=1.4.0.1
kdeartwork<=1.2.2	kdetoys<=1.2.2nb1	p5-Net-SSLeay<=1.17
kdebase<=1.2.2nb1	kdeutils<=1.2.2nb1	qt2-designer-kde<=1.3.1nb2
kdebindings<=1.2.1nb1	kdevelop-base<=1.1.2	quanta-docs<=1.0nb1
kdeedu<=1.0.2		kmysqladmin<=1.5.1nb1	quanta<=1.9.9.2nb1
kdegames<=1.2.2nb1	knights<=1.4.6nb1	ruby-openssl<=1.1.1
kdegraphics<=1.2.2nb1	koffice<=1.1.1nb1	uml<=1.0.3nb1
kdelibs<=1.2.2nb1	koncd<=1.7.1nb1


and here is a list of all packages which currently use openssl in any form,
excluding the ones already listed above:


ap-ssl<=1.8.10nb1	ja-samba<=1.2.4.1.0		postgresql-pltcl<=1.2.1
bind<=1.2.1		lftp<=1.5.2			postgresql-server<=1.2.1
bitchx<=1.0.3.18	lhs<=1.1			py21-amkCrypto<=1.1.3
cadaver<=1.19.1		libwww<=1.3.2			py21-postgresql<=1.2
courier-authpgsql<=1.37.1	links-gui<=1.1.0.2	qpopper<=1.0.4nb1
courier-imap<=1.4.2nb1	links<=1.1.0.2			racoon<=10020507a
cue<=10010917nb1	lynx<=1.8.5.0.7			samba<=1.2.5
cups<=1.1.14nb1		mutt<=1.4			sendmail<=1.11.6nb1
curl<=1.9.7		neon<=1.21.3			sitecopy<=1.10.15
cyrus-imapd<=1.0.16nb1	nessus-libraries<=1.2.0		snort-pgsql<=1.8.7
cyrus-sasl<=1.5.27nb1	net-snmp<=1.0.0.2		speakfreely<=1.2
docsis<=1.7.5		netsaint-plugins<=1.2.9.4nb2	sslwrap<=106
echoping<=1.1.0		ntop2<=1.1			stunnel<=1.22
elinks<=1.3.0		openldap<=1.0.23		sylpheed-claws<=1.8.0
ethereal<=1.9.5		p5-Crypt-SSLeay<=1.35		sylpheed<=1.8.0
evolution<=1.0.8	p5-DBD-postgresql<=1.13nb1	tcl-postgresql<=1.2.1
exim<=1.05		p5-postgresql<=1.9.0		tcpdump<=1.7.1
fetchmail<=1.9.13	pchar<=1.4			tk-postgresql<=1.2.1
gkrellm-snmp<=1.18nb2	php-imap<=1.1.2			ucd-snmp<=1.2.4
gtksql<=1.3		php-pgsql<=1.0.18		vtun<=1.5
htmldoc-x11<=1.8.19	php-pgsql<=1.1.2		w3m-img<=1.3
htmldoc<=1.8.19		pine<=1.44			w3m<=1.3nb2
http_load<=10020104	postfix<=1.1.11nb1		winbind<=1.2.5
imap-uw<=1001.1		postgresql-client<=1.2.1	xchat-gnome<=1.8.9
imapfilter<=1.7.2	postgresql-lib<=1.2.1		xchat<=1.8.9nb1
isakmpd<=10020403	postgresql-plperl<=1.2.1	zebedee<=1.3.1


If your collection is not large, it may be more convenient to run a command such
as the following over all packages:


    for p in $(find -P /usr/pkgsrc/packages/* -type f -name \*.tgz)
    do
        # keep the package if its +CONTENTS declares a dependency on
        # the openssl package (only the All/ copies are regular files)
        tar --fast-read --to-stdout -xzf $p +CONTENTS \
        | grep -q '^@pkgdep openssl' \
        && echo $p || true
    done \
    | sed 's/All/*/' \
    > obsolete-packages

review the output, then

    # the "*" written by sed must be expanded by a shell, so that both the
    # All/ copy and the per-category symlinks go away (xargs does not glob)
    while read p; do rm -f $p; done < obsolete-packages


making adjustments for the location and layout of your collection, as appropriate.
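As an added example (not part of the original mail), the same dependency test applied to the installed-package database, /var/db/pkg, rather than to a binary collection: it lists installed packages whose +CONTENTS declares a dependency on the openssl package, and reports whether an openssl package older than 0.9.6e is itself still installed, which is the combination that matters above. The sample database it builds, and the package names and dependency lines in it, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail. Scans a pkg database directory
# (normally /var/db/pkg) for installed packages that still depend on the
# openssl *package* rather than the base-system libraries, and checks
# whether an openssl package older than 0.9.6e is itself installed.

# Print, one per line, the installed packages whose +CONTENTS carries an
# "@pkgdep openssl..." line (the same test the binary-collection loop uses).
openssl_dependents() {
    dbdir=$1
    for c in "$dbdir"/*/+CONTENTS; do
        [ -f "$c" ] || continue
        if grep -q '^@pkgdep openssl[-<>=]' "$c"; then
            basename "$(dirname "$c")"
        fi
    done | sort
}

# Return 0 if an openssl package older than 0.9.6e is installed, 1 otherwise.
# Assumes the 0.9.x/1.x version scheme of the time: anything that is not
# 0.9.6e-or-newer counts as old.
old_openssl_installed() {
    dbdir=$1
    for d in "$dbdir"/openssl-[0-9]*; do
        [ -d "$d" ] || continue
        v=${d##*/openssl-}
        case "$v" in
            0.9.6[e-z]*|0.9.[7-9]*|0.9.[1-9][0-9]*|[1-9]*) ;;   # fixed
            *) return 0 ;;
        esac
    done
    return 1
}

# Build a small constructed package database in a temp dir and print its
# path; the package names and dependency lines are made up for the example.
make_sample_db() {
    db=$(mktemp -d)
    for pkg in openssl-0.9.6d lftp-2.5.2 curl-7.9.7 mutt-1.4; do
        mkdir "$db/$pkg"
        printf '@name %s\n' "$pkg" > "$db/$pkg/+CONTENTS"
    done
    printf '@pkgdep openssl>=0.9.6d\n' >> "$db/lftp-2.5.2/+CONTENTS"
    printf '@pkgdep openssl-0.9.6d\n'  >> "$db/curl-7.9.7/+CONTENTS"
    printf '@pkgdep glib-1.2.10\n'     >> "$db/mutt-1.4/+CONTENTS"
    echo "$db"
}
```

On a real system run openssl_dependents /var/db/pkg and old_openssl_installed /var/db/pkg; make_sample_db exists only to exercise the functions offline.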


Frederick