[MacPorts] #46596: openssl @1.0.1k breaks certificate signature verification

MacPorts noreply at macports.org
Wed Jan 21 14:56:00 PST 2015


#46596: openssl @1.0.1k breaks certificate signature verification
----------------------+-------------------
  Reporter:  uri@…    |      Owner:  mww@…
      Type:  defect   |     Status:  new
  Priority:  High     |  Milestone:
 Component:  ports    |    Version:  2.3.3
Resolution:           |   Keywords:
      Port:  openssl  |
----------------------+-------------------

Comment (by cal@…):

 Replying to [comment:16 uri@…]:
 > I've created index with "portindex", like the Web page told. However when I try to do "sudo port selfupdate", I'm getting this:
 > {{{
 > $ sudo port selfupdate
 > Password:
 > --->  Updating MacPorts base sources using rsync
 > MacPorts base version 2.3.3 installed,
 > MacPorts base version 2.3.3 downloaded.
 > --->  Updating the ports tree
 > Error: updating PortIndex for file://Users/ur20980/ports failed
 > --->  MacPorts base is already the latest version
 >
 > The ports tree has been updated. To upgrade your installed ports, you should run
 >   port upgrade outdated
 > }}}

 Edit your sources.conf and add `[nosync]` to the line adding your local
 repository. If it is also marked as `[default]`, separate the options using
 a comma: `[default,nosync]`.


 > Perhaps you could point me at a person that I should ask about this? Is it mww at macports.org?

 Yes. He should already get an email for each comment in this ticket, but
 he hasn't been very active recently, which is why I've taken care of all
 pressing issues with openssl in the last few months. Nevertheless, go
 ahead and email him, or open a new ticket with a patch and assign it to
 him/put him on cc.


 > But they surely do take their time, especially considering the obviousness of the issue (there was also a bug in ASN.1 type comparison function - a one-liner that I fixed along the way :).

 Yeah, I know. Nonetheless, I'd like to avoid patching security-relevant
 stuff, even if the issue is obvious. We're trying to avoid replicating
 some of the disasters Debian created when patching OpenSSL ;-)

-- 
Ticket URL: <https://trac.macports.org/ticket/46596#comment:18>
MacPorts <https://www.macports.org/>
Ports system for OS X

