Attachment #427374 for bug #576128

View | Details | Raw Unified | Return to bug 576128 | Differences between
Collapse All | Expand All




LICENSE="openssl"
# subslot set to 1.0.2g version as this is the first release without SSLv2
# support and thus breaks nearly every openssl consumer (see bug #575548)
SLOT="0/1.0.2g"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
RESTRICT="!bindist? ( bindist )"

	usr/include/openssl/opensslconf.h
)

pkg_pretend() {
	if has_version "<dev-libs/openssl-1.0.2g-r3" &&
		( has_version "<=net-misc/wget-1.16.3-r1[ssl,-gnutls,-static]" ||
			has_version ">=net-misc/wget-1.16.3-r2[ssl,-gnutls,-libressl,-static]" )
	then
		eerror "Due to SSLv2 being officially disabled by default in"
		eerror "openssl-1.0.2g for security reasons, a non-statically-linked"
		eerror "Wget will crash from missing symbols until it is recompiled,"
		eerror "preventing packages from being downloaded by Portage, including"
		eerror "Wget itself if you don't have its tarball already."
		eerror
		eerror "To solve this, you must first temporarily compile net-misc/wget"
		eerror "with USE=\"static\". After you do this, you will be able to"
		eerror "emerge >=openssl-1.0.2g-r3, and then recompile Wget"
		eerror "non-statically if you wish. You MUST at least recompile Wget"
		eerror "once anyway, to include the new OpenSSL libraries with their"
		eerror "security updates."
		eerror
		eerror "You can also compile Wget with USE=\"gnutls\" or"
		eerror "USE=\"libressl\" (starting from wget-1.16.3-r2) instead, in"
		eerror "which case it won't depend on OpenSSL, and there won't be any"
		eerror "issue with it after upgrading OpenSSL, even if non-statically"
		eerror "linked."
		eerror
		eerror "Be also warned that other packages depending on OpenSSL will"
		eerror "crash because of the missing symbols, until they are"
		eerror "recompiled. To recompile them all, run the following command"
		eerror "as soon as possible after installing >=openssl-1.0.2g-r3:"
		eerror
		eerror "revdep-rebuild -i -L \"libssl.so.*\""
		eerror

		die "You must first temporarily compile net-misc/wget statically."
	fi
}

src_prepare() {
	# keep this in sync with app-misc/c_rehash
	SSL_CNF_DIR="/etc/ssl"

		enable-mdc2 \
		enable-rc5 \
		enable-tlsext \
		enable-ssl2 \
		$(use_ssl asm) \
		$(use_ssl gmp gmp -lgmp) \
		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \


	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8

	ewarn "If you have upgraded from <openssl-1.0.2g-r3, you MUST recompile NOW"
	ewarn "all packages depending on OpenSSL. Many of them will crash"
	ewarn "otherwise, due to missing SSLv2 symbols (SSLv2 being now disabled"
	ewarn "for security reasons). See bugs #575548 and #576128."
	ewarn
	ewarn "To compile them all, run the following command AS SOON AS POSSIBLE:"
	ewarn
	ewarn "revdep-rebuild -i -L \"libssl.so.*\""
}

Return to bug 576128

Lines 14-20 Link Here

(-)openssl-1.0.2g-r2.ebuild (-2 / +46 lines)
14	LICENSE="openssl"	14	LICENSE="openssl"
15	# subslot set to 1.0.2g version as this is the first release without SSLv2	15	# subslot set to 1.0.2g version as this is the first release without SSLv2
16	# support and thus breaks nearly every openssl consumer (see bug #575548)	16	# support and thus breaks nearly every openssl consumer (see bug #575548)
17	SLOT="0"	17	SLOT="0/1.0.2g"
18	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"	18	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
19	IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"	19	IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib"
20	RESTRICT="!bindist? ( bindist )"	20	RESTRICT="!bindist? ( bindist )"
Lines 47-52 Link Here
47	usr/include/openssl/opensslconf.h	47	usr/include/openssl/opensslconf.h
48	)	48	)
49		49
		50	pkg_pretend() {
		51	if has_version "<dev-libs/openssl-1.0.2g-r3" &&
		52	( has_version "<=net-misc/wget-1.16.3-r1[ssl,-gnutls,-static]" \|\|
		53	has_version ">=net-misc/wget-1.16.3-r2[ssl,-gnutls,-libressl,-static]" )
		54	then
		55	eerror "Due to SSLv2 being officially disabled by default in"
		56	eerror "openssl-1.0.2g for security reasons, a non-statically-linked"
		57	eerror "Wget will crash from missing symbols until it is recompiled,"
		58	eerror "preventing packages from being downloaded by Portage, including"
		59	eerror "Wget itself if you don't have its tarball already."
		60	eerror
		61	eerror "To solve this, you must first temporarily compile net-misc/wget"
		62	eerror "with USE=\"static\". After you do this, you will be able to"
		63	eerror "emerge >=openssl-1.0.2g-r3, and then recompile Wget"
		64	eerror "non-statically if you wish. You MUST at least recompile Wget"
		65	eerror "once anyway, to include the new OpenSSL libraries with their"
		66	eerror "security updates."
		67	eerror
		68	eerror "You can also compile Wget with USE=\"gnutls\" or"
		69	eerror "USE=\"libressl\" (starting from wget-1.16.3-r2) instead, in"
		70	eerror "which case it won't depend on OpenSSL, and there won't be any"
		71	eerror "issue with it after upgrading OpenSSL, even if non-statically"
		72	eerror "linked."
		73	eerror
		74	eerror "Be also warned that other packages depending on OpenSSL will"
		75	eerror "crash because of the missing symbols, until they are"
		76	eerror "recompiled. To recompile them all, run the following command"
		77	eerror "as soon as possible after installing >=openssl-1.0.2g-r3:"
		78	eerror
		79	eerror "revdep-rebuild -i -L \"libssl.so.*\""
		80	eerror
		81
		82	die "You must first temporarily compile net-misc/wget statically."
		83	fi
		84	}
		85
50	src_prepare() {	86	src_prepare() {
51	# keep this in sync with app-misc/c_rehash	87	# keep this in sync with app-misc/c_rehash
52	SSL_CNF_DIR="/etc/ssl"	88	SSL_CNF_DIR="/etc/ssl"
Lines 156-162 Link Here
156	enable-mdc2 \	192	enable-mdc2 \
157	enable-rc5 \	193	enable-rc5 \
158	enable-tlsext \	194	enable-tlsext \
159	enable-ssl2 \
160	$(use_ssl asm) \	195	$(use_ssl asm) \
161	$(use_ssl gmp gmp -lgmp) \	196	$(use_ssl gmp gmp -lgmp) \
162	$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \	197	$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
Lines 265-268 Link Here
265		300
266	has_version ${CATEGORY}/${PN}:0.9.8 && return 0	301	has_version ${CATEGORY}/${PN}:0.9.8 && return 0
267	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8	302	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8
		303
		304	ewarn "If you have upgraded from <openssl-1.0.2g-r3, you MUST recompile NOW"
		305	ewarn "all packages depending on OpenSSL. Many of them will crash"
		306	ewarn "otherwise, due to missing SSLv2 symbols (SSLv2 being now disabled"
		307	ewarn "for security reasons). See bugs #575548 and #576128."
		308	ewarn
		309	ewarn "To compile them all, run the following command AS SOON AS POSSIBLE:"
		310	ewarn
		311	ewarn "revdep-rebuild -i -L \"libssl.so.*\""
268	}	312	}