On 30/03/21 15:35, tech-lists wrote:
> Hi,
>
> Recently there was
> https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html
> about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted.
>
> What I'm unsure about is the openssl version.
> Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd 22 Sep 2020
>
> Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd 25 Mar 2021
>
> shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well?
>

No. As you can see in the commit in the official git [1], while for current and stable the new upstream version of openssl was imported, for the release the fix was applied without importing the new release and without changing the reported version of the library.

So with 12.2p5 you do get the fix but don't get a new version of the library.

[1] https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b

--
Guido Falsi <mad at madpilot.net>
On Tue, Mar 30, 2021 at 05:22:30PM +0200, Guido Falsi via freebsd-stable wrote:
>
> No, as you can see in the commit in the official git [1] while for
> current and stable the new upstream version of openssl was imported for
> the release the fix was applied without importing the new release and
> without changing the reported version of the library.
>
> So with 12.2p5 you do get the fix but don't get a new version of the
> library.
>
>
> [1]
> https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b

On this url, near the top, there's this:

"Fix multiple OpenSSL vulnerabilities. Add UPDATING and bump version."

Next to that, we have "releng/12.2". So, I'm expecting the version information pertaining to openssl to be bumped. Is this expectation unreasonable? I'm not a developer.

--
J.
On 3/30/2021 11:22, Guido Falsi via freebsd-stable wrote:
> On 30/03/21 15:35, tech-lists wrote:
>> Hi,
>>
>> Recently there was
>> https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html
>>
>> about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted.
>>
>> What I'm unsure about is the openssl version.
>> Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd 22 Sep 2020
>>
>> Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd
>> 25 Mar 2021
>>
>> shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well?
>>
>
> No, as you can see in the commit in the official git [1] while for
> current and stable the new upstream version of openssl was imported
> for the release the fix was applied without importing the new release
> and without changing the reported version of the library.
>
> So with 12.2p5 you do get the fix but don't get a new version of the
> library.
>
>
> [1]
> https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b
>

Excuse me....

    $ uname -v
    FreeBSD 12.2-RELEASE-p4 GENERIC
    $ sudo sh
    # freebsd-update fetch
    Looking up update.FreeBSD.org mirrors... 3 mirrors found.
    Fetching metadata signature for 12.2-RELEASE from update4.freebsd.org... done.
    Fetching metadata index... done.
    Inspecting system... done.
    Preparing to download files... done.
    No updates needed to update system to 12.2-RELEASE-p5.

I am running 12.2-RELEASE-p4, so says uname -v.

IMHO it is an *extraordinarily* bad practice to change a library that in fact will result in a revision change while leaving the revision number alone. How do I *know*, without source to go look at, whether or not the fix is present on a binary system?
If newvers.sh gets bumped, then a build and -p5 release should have resulted from that, and in turn a fetch/install (and reboot, of course, since it's in the kernel) should result in uname -v returning "-p5".

Most of my deployed "stuff" is on -STABLE, but I do have a handful of machines on cloud infrastructure that are binary-only and on which I rely on freebsd-update and pkg to keep current with security-related items.

--
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
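One practical answer to the question raised in this thread (how to know, on a binary-only host, whether a userland fix such as the libcrypto one is installed when neither uname nor the OpenSSL version string changed) is to compare patch levels with freebsd-version(1) rather than uname. uname reports the string compiled into the running kernel, and a fix that only touches userland files does not ship a new kernel, so uname keeps saying -p4 while freebsd-version -u reports the -p5 userland. The script below is an added example written for this page; it is not code from the thread or from the FreeBSD project. It assumes only freebsd-version, uname and openssl from the base system, and it treats REQUIRED_LEVEL (defaulting to 5, the 12.2-RELEASE-p5 level discussed above) as the patch level named in the advisory you are checking for. The OpenSSL version string is printed for context only, since, as Guido points out, releng/12.2 kept the 1.1.1h string after the fix.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD project): decide whether a
# binary-only FreeBSD host carries a given security patch level, without
# trusting the library's own version string.  Assumes freebsd-version(1),
# uname(1) and openssl(1) from the base system.  REQUIRED_LEVEL is the patch
# level named in the advisory you care about (5 for 12.2-RELEASE-p5 here).

# Extract the numeric patch level from a version string:
#   "12.2-RELEASE-p5" -> 5,  "12.2-RELEASE-p12" -> 12,  "12.2-RELEASE" -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# Return 0 when the userland version string ($1) is at or beyond the required
# patch level ($2).  Userland-only fixes such as libcrypto do not ship a new
# kernel, so the userland level is the value to compare, not uname -r.
fix_present() {
    [ "$(patch_level "$1")" -ge "$2" ]
}

# Classify the relationship between kernel ($1) and userland ($2) levels.
# "userland-ahead" is the normal state after a userland-only advisory;
# "userland-behind" means freebsd-update install was not completed.
compare_levels() {
    kernel_lvl=$(patch_level "$1")
    user_lvl=$(patch_level "$2")
    if [ "$kernel_lvl" -eq "$user_lvl" ]; then
        echo "in-sync"
    elif [ "$user_lvl" -gt "$kernel_lvl" ]; then
        echo "userland-ahead"
    else
        echo "userland-behind"
    fi
}

# Live check, only when the FreeBSD base tools are actually present.
if command -v freebsd-version >/dev/null 2>&1; then
    REQUIRED_LEVEL="${REQUIRED_LEVEL:-5}"
    kernel_ver=$(freebsd-version -k)   # version of the installed kernel file
    user_ver=$(freebsd-version -u)     # version of the installed userland
    running=$(uname -r)                # what uname reports: the running kernel

    echo "running kernel  : $running"
    echo "installed kernel: $kernel_ver"
    echo "userland        : $user_ver ($(compare_levels "$kernel_ver" "$user_ver"))"
    # Context only: releng/12.2 kept the 1.1.1h string after the fix, so this
    # line proves nothing either way.
    echo "openssl reports : $(openssl version)"

    if fix_present "$user_ver" "$REQUIRED_LEVEL"; then
        echo "userland is at or past -p$REQUIRED_LEVEL: fix present"
    else
        echo "userland is below -p$REQUIRED_LEVEL: run freebsd-update fetch install"
        exit 1
    fi
fi
```

Run it as `REQUIRED_LEVEL=5 sh check-patchlevel.sh` on the host in question. On the machine shown in the previous message, the expected outcome is uname and freebsd-version -k at -p4, freebsd-version -u at -p5, and the script reporting "userland-ahead" with the fix present; a userland still at -p4 would be the only case in which the thread's "No updates needed" message should worry you.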