Hi, Recently there was https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted. What I'm unsure about is the openssl version. Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd 22 Sep 2020 Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd 25 Mar 2021 shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well? thanks, -- J. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20210330/5ea4988d/attachment.sig>
Hi, Did you mean 12.1-p5 or 12.2-p5 ? I'm asking because you refer to both 12.1-p5 and 12.2-p5 (typo?). If you meant 12.2-p5: Perhaps the FreeBSD security team did not bump the version, but "only" backported the patches to version 1.1.1h ? Regards, Ruben On 3/30/21 3:35 PM, tech-lists wrote:> Hi, > > Recently there was > https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html > about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted. > > What I'm unsure about is the openssl version. > Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd? 22 Sep 2020 > > Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd > 25 Mar 2021 > > shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well? > > thanks,
On 30/03/21 15:35, tech-lists wrote:> Hi, > > Recently there was > https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html > about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted. > > What I'm unsure about is the openssl version. > Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd? 22 Sep 2020 > > Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd > 25 Mar 2021 > > shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well? >No, as you can see in the commit in the official git [1] while for current and stable the new upstream version of openssl was imported for the release the fix was applied without importing the new release and without changing the reported version of the library. So with 12.2p5 you do get the fix but don't get a new version of the library. [1] https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b -- Guido Falsi <mad at madpilot.net>
On 31/03/2021 12:35 am, tech-lists wrote:> Hi, > > Recently there was > https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html > about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted. > > What I'm unsure about is the openssl version. > Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd? 22 Sep 2020 > > Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd > 25 Mar 2021 > > shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well? > > thanks,I think you'll find your answer by comparing the changes between release 12.2-p5 and stable 12.2 below: https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b with https://cgit.freebsd.org/src/commit/?h=stable/12&id=18d07050e60ecc738556f0de56e34817303371a4 stable 12.2 has the full upgrade to openssl 1.1.1k, while release 12.2-p5 addresses the specific vulnerability(s). Regards, Dewayne PS cgit I'm told is the source of truth :)