libevent-2.0.22-r2 was dropped from the tree. This is the only 2.0 ebuild of libevent which supported libressl, all other 2.0 ebuilds only support openssl. However, firefox depends on libevent 2.0 and cannot be build with libevent 2.1. This means that it is no longer possible to have a system with firefox and libressl, firefox now indirectly forces openssl via libevent. Please add back 2.0.22-r2 or some other 2.0 version which supports libressl.
(In reply to Klaus Kusche from comment #0) > However, firefox depends on libevent 2.0 Conditionally, that is, on USE=system-libevent. > and cannot be build with libevent 2.1. > This means that it is no longer possible to have a system with firefox and > libressl, firefox now indirectly forces openssl via libevent. You can emerge firefox with USE=-system-libevent.
(In reply to Jeroen Roovers from comment #1) > You can emerge firefox with USE=-system-libevent. But then you might hit bug #535774 as firefox 45.7.0 still uses 2.0.21. Of course they might have patched the vulns out in their bundled copy.
(In reply to Jeroen Roovers from comment #2) > But then you might hit bug #535774 as firefox 45.7.0 still uses 2.0.21. Of > course they might have patched the vulns out in their bundled copy. firefox-51.0 also still uses libevent-2.0.21. I am not saying that makes Firefox vulnerable, though, as it doesn't seem to use evbuffer_add() at all.
2.0.22-r2 is back in the tree now for anyone who must have firefox with USE=system-libevent and libevent with USE=libressl. I'm just not sure for how long.
Created attachment 462422 [details, diff] libevent-2.1 support patch If someone one esr branch can test we will land and update the eclass to support 2.1
Created attachment 462454 [details, diff] libevent 2.1 support Simply solution for those wanting to test the current change but do not want to use the mozilla overlay. Just apply the patch and test with libevent-2.1.8
(In reply to Jory A. Pratt from comment #5) > Created attachment 462422 [details, diff] [details, diff] > libevent-2.1 support patch > > If someone one esr branch can test we will land and update the eclass to > support 2.1 firefox-45.7 seems fine, should we test thunderbird also?
(In reply to Ian Stakenvicius from comment #7) > (In reply to Jory A. Pratt from comment #5) > > Created attachment 462422 [details, diff] [details, diff] [details, diff] > > libevent-2.1 support patch > > > > If someone one esr branch can test we will land and update the eclass to > > support 2.1 > > firefox-45.7 seems fine, should we test thunderbird also? I added it to patchset, refer to mozilla overlay for more info.
We have fixed latest esr builds of thunderbird and firefox, we also fixed testing for firefox. Thanks for your report.
*** Bug 609550 has been marked as a duplicate of this bug. ***