On 3/30/2021 10:40, tech-lists wrote:
> On Tue, Mar 30, 2021 at 09:14:56AM -0500, Doug McIntyre wrote:
>> Like the patch referenced in the SA.
>> https://security.FreeBSD.org/patches/SA-21:07/openssl-12.patch
>>
>> Again, it seems like confusion over what happens in RELEASE, STABLE
>> and CURRENT..
> Hi,
>
> I'm not sure what you mean by this. In
> https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html
>
> it says
>
>> 1) To update your vulnerable system via a binary patch:
>
>> Systems running a RELEASE version of FreeBSD on the i386 or amd64
>> platforms can be updated via the freebsd-update(8) utility:
>
>> # freebsd-update fetch
>> # freebsd-update install
>> # <restart any daemons that use the library>
>
> which I did. If openssl updated, would it not be logical to expect
> openssl version information to indicate it had in fact been updated?
>
> If not, then how am I able to tell that it has updated? On an
> un-upgraded 12.2-p4 system *and* on an upgraded one, openssl version
> reports 1.1.1h-freebsd
It is not updating; as I noted it appears this security patch was NOT
backported and thus 12.2-RELEASE does not "see" it.
You cannot go to "-STABLE" via freebsd-update; to run -STABLE you must
be doing buildworld/buildkernel from source. I can confirm that
12.2-STABLE *does* have the patch as I checked it recently.
From a system I cross-build for and updated yesterday:
$ uname -v
FreeBSD 12.2-STABLE stable/12-n232909-4fd5354e85e KSD-SMP
$ openssl version
OpenSSL 1.1.1k-freebsd  25 Mar 2021
--
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/