# How can I fix the vulnerability in linux-c6-openssl without breaking the ports?



## teo (Mar 26, 2015)

Hi Community


I updated the ports with `portsnap fetch update` and `portmaster -aD`, and it keeps reporting the one vulnerability. I also updated the packages with `pkg update` and `pkg upgrade`.


```
# pkg audit -F
Fetching vuln.xml.bz2: 100%  473 KiB 121.1kB/s  00:04
linux-c6-openssl-1.0.1e_3 is vulnerable:
OpenSSL -- multiple vulnerabilities
CVE: CVE-2015-0288
CVE: CVE-2015-0209
CVE: CVE-2015-0293
CVE: CVE-2015-0292
CVE: CVE-2015-0289
CVE: CVE-2015-0287
CVE: CVE-2015-0286
CVE: CVE-2015-0204
WWW: http://vuxml.FreeBSD.org/freebsd/9d15355b-ce7c-11e4-9db0-d050992ecde8.html

1 problem(s) in the installed packages found.
#
```
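The audit output above is the thing to act on, so here is an added example (mine, not from the thread or from FreeBSD's own tooling) that turns `pkg audit -F` output into a one-line summary per vulnerable package, extracts the trailing problem count as a pass/fail signal, and shows why 1.0.1e_3 versus 1.0.1e_4 is a PORTREVISION bump of the same upstream OpenSSL rather than a new upstream release. The sample audit text is constructed to match the format shown in the post; on a real host you would pipe `pkg audit -F` into the same functions. Using the problem count as a gate keeps the safety check in the loop instead of overriding it with `DISABLE_VULNERABILITIES`.

```shell
#!/bin/sh
# Added example: summarise `pkg audit -F` output and compare port revisions.
# The sample below is constructed to match the format seen in the thread.

sample_audit() {
    cat <<'EOF'
Fetching vuln.xml.bz2: 100%  473 KiB 121.1kB/s  00:04
linux-c6-openssl-1.0.1e_3 is vulnerable:
OpenSSL -- multiple vulnerabilities
CVE: CVE-2015-0288
CVE: CVE-2015-0209
CVE: CVE-2015-0293
CVE: CVE-2015-0292
CVE: CVE-2015-0289
CVE: CVE-2015-0287
CVE: CVE-2015-0286
CVE: CVE-2015-0204
WWW: http://vuxml.FreeBSD.org/freebsd/9d15355b-ce7c-11e4-9db0-d050992ecde8.html

1 problem(s) in the installed packages found.
EOF
}

# One line per vulnerable package: "<pkg> <cve-count> <vuxml-url>".
# A package hit by several VuXML entries appears once per entry.
audit_summary() {
    awk '
        / is vulnerable:$/ { pkg = $1; cves = 0; url = "" }
        /^CVE: /           { cves++ }
        /^WWW: /           { url = $2 }
        /^$/ && pkg != ""  { print pkg, cves, url; pkg = "" }
        END                { if (pkg != "") print pkg, cves, url }
    '
}

# The trailing "N problem(s) ..." line; "0" means the audit is clean.
audit_problem_count() {
    sed -n 's/^\([0-9][0-9]*\) problem(s) in the installed packages found\.$/\1/p'
}

# PORTREVISION suffix of a package version ("1.0.1e_3" -> 3, "1.0.1e" -> 0).
port_revision() {
    case $1 in
        *_*) echo "${1##*_}" ;;
        *)   echo 0 ;;
    esac
}

# needs_update INSTALLED AVAILABLE: succeeds when both share the same upstream
# version and the installed PORTREVISION is lower (the 1.0.1e_3 vs 1.0.1e_4 case).
# Returns 2 when the upstream versions differ; use pkg-version(8) for those.
needs_update() {
    [ "${1%_*}" = "${2%_*}" ] || return 2
    [ "$(port_revision "$1")" -lt "$(port_revision "$2")" ]
}

# Demo on the constructed sample (on a real host: pkg audit -F | audit_summary).
sample_audit | audit_summary
printf 'problems: %s\n' "$(sample_audit | audit_problem_count)"
if needs_update 1.0.1e_3 1.0.1e_4; then
    echo "1.0.1e_3 is behind 1.0.1e_4: rebuild from the ports tree"
fi
```

In a maintenance script the useful check is `[ "$(pkg audit -F | audit_problem_count)" = 0 ]`: the job fails while a vulnerable package is installed, and succeeds once the fixed revision is in place.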


----------



## talsamon (Mar 26, 2015)

`portmaster -aD -m DISABLE_VULNERABILITIES=yes`

or
`cd /usr/ports/security/linux-c6-openssl` and
`make install clean DISABLE_VULNERABILITIES=yes`


----------



## teo (Mar 26, 2015)

talsamon said:


> `portmaster -aD -m DISABLE_VULNERABILITIES=yes`
> 
> or
> `cd /usr/ports/security/linux-c6-openssl` and
> `make install clean DISABLE_VULNERABILITIES=yes`




Doesn't doing what you advise affect me in any way? I have the port emulators/linux-c6 installed for watching videos on YouTube.


----------



## talsamon (Mar 26, 2015)

Sorry, that was a misunderstanding. The current version is security/linux-c6-openssl 1.0.1e_4.
`pkg update`/`pkg upgrade` has older packages than the port. You should get the newest version with `portmaster`.


----------



## teo (Mar 26, 2015)

talsamon said:


> Sorry, that was a misunderstanding. The current version is security/linux-c6-openssl 1.0.1e_4.


The version of the vulnerable port is security/linux-c6-openssl 1.0.1e_3. How can I fix the vulnerability without breaking the ports? Or how do I change to the new port without breaking the updated ports?


----------



## talsamon (Mar 26, 2015)

Which version of security/openssl do you have installed? If it's 1.0.1e_3, the vulnerability message is true and you have to update with `portmaster`. If you updated first with `portmaster` and after that with `pkg update`, `pkg update` reverted to the older version.


----------



## junovitch@ (Mar 26, 2015)

For packages, this week's set was built with SVN r381523.  You can see this by browsing to the FreeBSD Poudriere servers here:
http://beefy2.isc.freebsd.org/build.html?mastername=101amd64-default&build=2015-03-18_03h47m09s

The fixed version, 1.0.1e_4, was introduced as of r382089.
https://svnweb.freebsd.org/ports?view=revision&revision=382089

That means the latest version will be available when packages get built next week.


----------



## teo (Mar 26, 2015)

talsamon said:


> Which version of security/openssl do you have installed?



The security version is vuxml-1.1_2. And I have already upgraded with `portmaster`, as I said in the first comment.

```
# pkg info vuxml
vuxml-1.1_2
Name  : vuxml
Version  : 1.1_2
Installed on  : Mon Jan  5 20:58:36 CET 2015
Origin  : security/vuxml
Architecture  : freebsd:10:x86:32
Prefix  : /usr/local
Categories  : textproc security
Licenses  : BSD2CLAUSE
Maintainer  : ports-secteam@FreeBSD.org
WWW  : UNKNOWN
Comment  : Vulnerability and eXposure Markup Language DTD
Annotations  :
Flat size  : 39.5KiB
Description  :
VuXML (the Vulnerability and eXposure Markup Language) is an XML
application for documenting security bugs and corrections within
a software package collection such as the FreeBSD Ports Collection.
This port installs the DTDs required for validating VuXML documents.
```


----------



## talsamon (Mar 26, 2015)

> I updated the ports with portsnap fetch update and portmaster -aD, and it keeps reporting the one vulnerability. I also updated the packages with pkg update and pkg upgrade.



I did not understand this line. Did you do both (update with `portmaster` and with `pkg update`)?


----------



## teo (Mar 26, 2015)

talsamon said:


> I did not understand this line. Did you do both?



Sorry, I confused myself; there is no version of OpenSSL installed. The vulnerability is security/linux-c6-openssl 1.0.1e_3.


----------



## talsamon (Mar 26, 2015)

Yes, and that's all there is to say.


----------



## teo (Mar 26, 2015)

talsamon said:


> I did not understand this line. Did you do both (update with `portmaster` and with `pkg update`)?



I already updated with `portmaster` and `pkg`, as I said at the beginning, and it keeps reporting the one vulnerability.


----------



## talsamon (Mar 26, 2015)

In which order? As I wrote: if you updated with `pkg update` after `portmaster`, you will have the older version again.


----------



## wblock@ (Mar 26, 2015)

talsamon said:


> portmaster -aD -m DISABLE_VULNERABILITIES=yes
> 
> or
> cd /usr/ports/security/linux-c6-openssl and
> make install clean DISABLE_VULNERABILITIES=yes



Please do not advise this without pointing out that it overrides the safety that is meant to keep your system secure.  It should never be used routinely.


----------



## talsamon (Mar 26, 2015)

wblock@: When I updated security/linux-c6-openssl, `portmaster` stopped with the vulnerability message. I updated in the port with `DISABLE_VULNERABILITIES=yes`. It doesn't work the normal way, for whatever reason.


----------



## teo (Mar 26, 2015)

talsamon said:


> In which order?



First I did `portsnap fetch update`, then `portmaster -aD`, and finally, for the packages, `pkg update` and
`pkg upgrade`.


----------



## wblock@ (Mar 26, 2015)

talsamon said:


> wblock@: When I updated linux-c6-openssl, portmaster stopped with the vulnerability message. I updated in the port with DISABLE_VULNERABILITIES=yes. It doesn't work the normal way, for whatever reason.



It does not work in the normal way because the system is trying to protect you from installing software with known vulnerabilities.  Any suggestion of using DISABLE_VULNERABILITIES should come with a warning: this is dangerous, do not use it without understanding the security implications.


----------



## teo (Mar 26, 2015)

wblock@ said:


> Any suggestion of using DISABLE_VULNERABILITIES should come with a warning: this is dangerous, do not use it without understanding the security implications.



What must I do? Thanks for the answers.


----------



## talsamon (Mar 26, 2015)

> then I did portmaster -aD, and finally, for the packages, pkg update and
> pkg upgrade.


You should not do both, and it's not necessary. Either update with `portmaster` or with `pkg update`.
If you want to fix the vulnerability now, you have to update with `portmaster` to get the fixed version.
If this does not work (try the "normal" way, without `DISABLE_VULNERABILITIES`): `cd /usr/ports/security/linux-c6-openssl` and `make install clean`.


----------



## talsamon (Mar 27, 2015)

If you update with `portmaster` or ports *and* `pkg update`, you will get an inconsistent and confused system.


----------



## teo (Mar 27, 2015)

talsamon said:


> If you want to fix the vulnerability now, you have to update with `portmaster` to get the fixed version.


Update ports:

```
# portmaster -aD
===>>> Starting check of installed ports for available updates

===>>> All ports are up to date
#
```
Remember that I'm using the XFCE desktop; this is my first FreeBSD, well configured in VirtualBox, and I do not want to spoil it. I love FreeBSD on a graphical desktop.

Update packages and repository:

```
# pkg upgrade
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Checking for upgrades (115 candidates): 100%
Processing candidates (115 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
#
```
Still gives the same problem.


----------



## talsamon (Mar 27, 2015)

And `pkg info linux-c6-openssl` says linux-c6-openssl-1.0.1e_3?


----------



## teo (Mar 27, 2015)

talsamon said:


> And `pkg info linux-c6-openssl` says linux-c6-openssl-1.0.1e_3?


This is what the system reports for linux-c6-openssl-1.0.1e_3:

```
# pkg info linux-c6-openssl-1.0.1e_3
linux-c6-openssl-1.0.1e_3
Name  : linux-c6-openssl
Version  : 1.0.1e_3
Installed on  : Wed Feb 18 21:30:35 CET 2015
Origin  : security/linux-c6-openssl
Architecture  : freebsd:10:x86:32
Prefix  : /compat/linux
Categories  : security linux
Licenses  :
Maintainer  : emulation@FreeBSD.org
WWW  : http://www.openssl.org/
Comment  : OpenSSL toolkit (Linux CentOS 6.6)
Annotations  :
   repo_type  : binary
   repository  : FreeBSD
Flat size  : 3.87MiB
Description  :
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security
(TLS v1) protocols with full-strength cryptography world-wide. The
project is managed by a worldwide community of volunteers that use
the Internet to communicate, plan, and develop the OpenSSL tookit
and its related documentation.

OpenSSL is based on the excellent SSLeay library developed by Eric
A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under
an Apache-style licence, which basically means that you are free
to get and use it for commercial and non-commercial purposes subject
to some simple license conditions.

WWW: http://www.openssl.org/
WWW: http://sctp.fh-muenster.de/dtls-patches.html
```


----------



## talsamon (Mar 27, 2015)

What does `uname -a` say?
Is there something in /etc/make.conf or /etc/libmap.conf?
Try to fetch a new ports tree with `rm /var/db/portsnap/tag` and `portsnap fetch extract`, and after that try again with `portmaster`.


----------



## teo (Mar 27, 2015)

talsamon said:


> What does uname -a say?
> Is there something in /etc/make.conf or /etc/libmap.conf?
> Try to fetch a new ports tree with `rm /var/db/portsnap/tag` `portsnap fetch extract`, and after that try again with `portmaster`.



Don't the ports break when deleting files with `rm /var/db/portsnap/tag; portsnap fetch extract`?

Output of `uname -a`:

```
FreeBSD gateway.fbdtem.com 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 22:51:51 UTC 2014  root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386
```


In /etc/make.conf:

```
# ee /etc/make.conf

OVERRIDE_LINUX_BASE_PORT=c6
OVERRIDE_LINUX_NONBASE_PORTS=c6
```

In /etc/libmap.conf:

```
# ee /etc/libmap.conf

# $FreeBSD: releng/10.1/etc/libmap.conf 253853 2013-08-01 05:50:42Z jlh $
includedir /usr/local/etc/libmap.d
```


----------



## talsamon (Mar 27, 2015)

> Don't the ports break when deleting files with rm /var/db/portsnap/tag portsnap fetch extract?



Sorry, I forgot the "and"; they are two commands: `rm /var/db/portsnap/tag` and `portsnap fetch extract`.

No, it doesn't break the ports.

(By the way, what does `freebsd-version` say? I have 10.1-RELEASE-p8, but I don't know if this is related to your problem.)


----------



## teo (Mar 27, 2015)

talsamon said:


> Sorry, I forgot the "and"; they are two commands: `rm /var/db/portsnap/tag` and `portsnap fetch extract`.
> 
> No, it doesn't break the ports.
> 
> (By the way, what does `freebsd-version` say? I have 10.1-RELEASE-p8, but I don't know if this is related to your problem.)



Don't you believe that the system will fill up with problems from extracting the ports again? The FreeBSD Handbook says to do that only once, and to update you have to do `portsnap update` or `portsnap fetch update`. Thanks for the answers; the ports are extracted again.


----------



## talsamon (Mar 27, 2015)

> By the way, what does freebsd-version say? I have 10.1-RELEASE-p8, but I don't know if this is related to your problem.


I forgot: after `freebsd-update fetch` you have to do `freebsd-update install`.


----------



## wblock@ (Mar 27, 2015)

teo said:


> What must I do? Thanks for the answers.



Install the updated port (linux-c6-openssl-1.0.1e_4), or wait for the binary packages to be updated.


----------



## teo (Mar 27, 2015)

talsamon said:


> Try to fetch a new ports tree with `rm /var/db/portsnap/tag` and `portsnap fetch extract`, and after that try again with `portmaster`



And I fixed the vulnerability of security/linux-c6-openssl this way; what more must I do? How must I check that there are no broken ports? On entering the XFCE desktop this message came out; any solution?

Delete the file:
`# rm /var/db/portsnap/tag`
Extraction of ports:
`# portsnap extract`
Update the ports:
`# portsnap fetch update`
Update the ports with ports-mgmt/portmaster:
`# portmaster -aD`
Update of packages and repositories:
`# pkg upgrade`
Security check of the system:
`# pkg audit -F`

```
pkg: vulnxml file up-to-date
0 problem(s) in the installed packages found.
#
```
Error message on entering the XFCE desktop on VirtualBox:

```
VBoxClient: Initialising service: VERR_INTERNAL_ERROR
```


----------



## talsamon (Mar 27, 2015)

`pkg help check:`


> pkg check -d or pkg check --dependencies is used to check for and install missing dependencies.



If you install sysutils/bsdadminscripts you can check the shared libraries with `pkg_libchk` (the libjawt.so warning of libreoffice is a false positive).


----------



## teo (Mar 28, 2015)

talsamon said:


> `pkg help check:`
> 
> If you install sysutils/bsdadminscripts you can check the shared libraries with `pkg_libchk` (the libjawt.so warning of libreoffice is a false positive).




Doesn't that make the system unstable on the graphical desktop?


----------



## talsamon (Mar 28, 2015)

You will only need two practical check commands.


----------



## teo (Mar 28, 2015)

talsamon said:


> You will only need two practical check commands.



This will take much time; what does it say about the error?


----------



## talsamon (Mar 28, 2015)

For each result of `pkg_libchk` you have to reinstall or recompile the specific package.


----------



## teo (Mar 28, 2015)

talsamon said:


> For each result of `pkg_libchk` you have to reinstall or recompile the specific package.



Good community,
It seems they are of minor importance; how do I proceed to resolve the anomalies of the system? It does not exist by means of ports, and the command `pkg check --dependencies` keeps giving the same results.

`# pkg_libchk`

```
opera-12.16_5: /usr/local/lib/opera/liboperakde4.so misses libkdeui.so.7
opera-12.16_5: /usr/local/lib/opera/liboperakde4.so misses libkio.so.7
opera-12.16_5: /usr/local/lib/opera/liboperakde4.so misses libkdecore.so.7
You have new mail in  /var/mail/root
#
```
`# pkg check --dependencies`

```
Checking all packages: 100%
#
```
On the other hand, do you have a clear idea of how to update the system sources without having installed the port devel/subversion? The FreeBSD Handbook recommends installing and checking the sources before installing third-party software.


----------



## talsamon (Mar 29, 2015)

The Opera message is a false positive. The KDE option in www/opera is off by default, so there is no need for these libraries.
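Since `pkg_libchk` prints one line per missing library and the thread treats the Opera KDE libraries and LibreOffice's libjawt.so as false positives, here is an added example (mine, not from the thread or from sysutils/bsdadminscripts) that reduces `pkg_libchk` output to the unique packages that actually need a rebuild. The sample output is constructed: the Opera lines mirror the post above, while the libreoffice and pidgin lines and their paths are invented to show a filtered and an unfiltered case. The ignore list is keyed on package base name plus library so a version bump of Opera keeps matching.

```shell
#!/bin/sh
# Added example: reduce `pkg_libchk` output to the packages worth rebuilding.
# Sample output is constructed; only the opera lines come from the thread.

sample_libchk() {
    cat <<'EOF'
opera-12.16_5: /usr/local/lib/opera/liboperakde4.so misses libkdeui.so.7
opera-12.16_5: /usr/local/lib/opera/liboperakde4.so misses libkio.so.7
opera-12.16_5: /usr/local/lib/opera/liboperakde4.so misses libkdecore.so.7
libreoffice-4.3.5_2: /usr/local/lib/libreoffice/program/libofficebean.so misses libjawt.so
pidgin-2.10.11: /usr/local/bin/pidgin misses libgstreamer-0.10.so.0
You have new mail in /var/mail/root
EOF
}

# Known false positives, one per line: "<package-base> <missing-library>".
# Opera's KDE plugin is built with the KDE option off; libjawt.so is only
# needed when a JRE is present (both stated as false positives in the thread).
ignore_list() {
    cat <<'EOF'
opera libkdeui.so.7
opera libkio.so.7
opera libkdecore.so.7
libreoffice libjawt.so
EOF
}

# All packages with at least one "misses" line, deduplicated, first-seen order.
libchk_packages() {
    awk '
        / misses / {
            pkg = $1; sub(/:$/, "", pkg)
            if (!(pkg in seen)) { seen[pkg] = 1; print pkg }
        }
    '
}

# Same, but skipping (package-base, library) pairs from the ignore list.
libchk_rebuild() {
    awk -v ignore="$(ignore_list)" '
        BEGIN {
            n = split(ignore, lines, "\n")
            for (i = 1; i <= n; i++) if (lines[i] != "") skip[lines[i]] = 1
        }
        / misses / {
            pkg = $1; sub(/:$/, "", pkg)
            base = pkg; sub(/-[^-]*$/, "", base)   # "opera-12.16_5" -> "opera"
            lib = $NF
            if ((base " " lib) in skip) next
            if (!(pkg in seen)) { seen[pkg] = 1; print pkg }
        }
    '
}

# Demo on the constructed sample (on a real host: pkg_libchk | libchk_rebuild).
echo "all packages reported:"; sample_libchk | libchk_packages
echo "packages to rebuild:";   sample_libchk | libchk_rebuild
```

Each package that survives the filter is a candidate for `portmaster <package>` (or `pkg install -f`), after which running `pkg_libchk` again should show the line gone.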


----------



## teo (Mar 29, 2015)

talsamon said:


> The Opera message is a false positive. The KDE option in www/opera is off by default, so there is no need for these libraries.



Thank you very much for the reply. I asked something more about the sources of the system.


----------



## talsamon (Mar 29, 2015)

I only update svn if I compile a kernel or compile something directly from the sources. The sources should be updated with the "normal" update.


----------

