On 3/30/2021 11:22, Guido Falsi via freebsd-stable wrote:
> On 30/03/21 15:35, tech-lists wrote:
>> Hi,
>>
>> Recently there was
>> https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html
>>
>> about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted.
>>
>> What I'm unsure about is the openssl version.
>> Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd 22 Sep 2020
>>
>> Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd
>> 25 Mar 2021
>>
>> shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well?
>>
>
> No, as you can see in the commit in the official git [1] while for
> current and stable the new upstream version of openssl was imported
> for the release the fix was applied without importing the new release
> and without changing the reported version of the library.
>
> So with 12.2p5 you do get the fix but don't get a new version of the
> library.
>
>
> [1]
> https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b
>

Excuse me....

$ uname -v
FreeBSD 12.2-RELEASE-p4 GENERIC
$ sudo sh
# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 12.2-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 12.2-RELEASE-p5.

I am running 12.2-RELEASE-p4, so says uname -v

IMHO it is an *extraordinarily* bad practice to change a library that in
fact will result in a revision change while leaving the revision number
alone.

How do I *know*, without source to go look at, whether or not the fix is
present on a binary system?
If newvers.sh gets bumped then a build and -p5 release should have resulted
from that, and in turn a fetch/install (and reboot of course since it's in
the kernel) should result in uname -v returning "-p5"

Most of my deployed "stuff" is on -STABLE but I do have a handful of
machines on cloud infrastructure that are binary-only and on which I rely on
freebsd-update and pkg to keep current with security-related items.

-- 
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
On Tue, Mar 30, 2021 at 11:55:24AM -0400, Karl Denninger wrote:
>
> On 3/30/2021 11:22, Guido Falsi via freebsd-stable wrote:
> > On 30/03/21 15:35, tech-lists wrote:
> > > Hi,
> > >
> > > Recently there was
> > > https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html
> > >
> > > about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted.
> > >
> > > What I'm unsure about is the openssl version.
> > > Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd 22 Sep 2020
> > >
> > > Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd
> > > 25 Mar 2021
> > >
> > > shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well?
> > >
> >
> > No, as you can see in the commit in the official git [1] while for
> > current and stable the new upstream version of openssl was imported for
> > the release the fix was applied without importing the new release and
> > without changing the reported version of the library.
> >
> > So with 12.2p5 you do get the fix but don't get a new version of the
> > library.
> >
> >
> > [1] https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b
> >
>
> Excuse me....
>
> $ uname -v
> FreeBSD 12.2-RELEASE-p4 GENERIC
> $ sudo sh
> # freebsd-update fetch
> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
> Fetching metadata signature for 12.2-RELEASE from update4.freebsd.org...
> done.
> Fetching metadata index... done.
> Inspecting system... done.
> Preparing to download files... done.
>
> No updates needed to update system to 12.2-RELEASE-p5.
>
> I am running 12.2-RELEASE-p4, so says uname -v
>
> IMHO it is an *extraordinarily* bad practice to change a library that in
> fact will result in a revision change while leaving the revision number
> alone.
>
> How do I *know*, without source to go look at, whether or not the fix is
> present on a binary system?
>
> If newvers.sh gets bumped then a build and -p5 release should have resulted
> from that, and in turn a fetch/install (and reboot of course since it's in
> the kernel) should result in uname -v returning "-p5"
>
> Most of my deployed "stuff" is on -STABLE but I do have a handful of
> machines on cloud infrastructure that are binary-only and on which I rely on
> freebsd-update and pkg to keep current with security-related items.

What does "freebsd-version -u" report? The fix was only to a userland
library, so I would not expect the kernel version as reported by uname to
change.

Regards,
Gary
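The distinction Gary draws is the practical one for binary-only hosts: a userland-only advisory raises the patch level that freebsd-version -u reports while uname -v (the kernel) stays at the previous -pN. The script below is an added example written for this page, not something posted in the thread. It parses the two patch levels the way an inventory or compliance check would and decides whether a required patch level is present; on a FreeBSD host it reads freebsd-version -k and -u, and elsewhere it falls back to constructed sample strings that mirror the thread (kernel at -p4, userland at -p5). The required version "12.2-RELEASE-p5" is taken from the advisory discussed above; everything else is assumption.

```shell
#!/bin/sh
# Added example (not from the thread): compare the kernel and userland
# patch levels reported by freebsd-version(1) against the patch level an
# advisory names, so a userland-only fix is not mistaken for a missing
# update just because uname -v did not change.

# patch_level "12.2-RELEASE-p5" -> 5 ; "12.2-RELEASE" (no -pN) -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# base_release "12.2-RELEASE-p5" -> "12.2-RELEASE"
base_release() {
    echo "${1%-p[0-9]*}"
}

# at_least INSTALLED REQUIRED: true when INSTALLED is the same base release
# as REQUIRED and its patch level is equal or higher. A different base
# release is never "at least", because patch numbers restart per release.
at_least() {
    [ "$(base_release "$1")" = "$(base_release "$2")" ] &&
    [ "$(patch_level "$1")" -ge "$(patch_level "$2")" ]
}

# check_host KERNEL_VER USERLAND_VER REQUIRED_VER
# Prints a verdict; returns 0 when the installed userland carries the fix.
check_host() {
    kern=$1; uland=$2; need=$3
    if at_least "$uland" "$need"; then
        if at_least "$kern" "$need"; then
            echo "ok: kernel $kern and userland $uland are at $need or later"
        else
            echo "ok: userland $uland has the fix; kernel $kern unchanged (userland-only advisory)"
        fi
        return 0
    fi
    echo "MISSING: userland $uland is below $need (kernel $kern); run freebsd-update fetch install"
    return 1
}

# Live values on FreeBSD (-k: installed kernel, -u: installed userland);
# constructed samples elsewhere so the script runs on any POSIX sh.
if command -v freebsd-version >/dev/null 2>&1; then
    KERN=$(freebsd-version -k)
    ULAND=$(freebsd-version -u)
else
    KERN="12.2-RELEASE-p4"     # constructed sample, mirrors uname -v above
    ULAND="12.2-RELEASE-p5"    # constructed sample, what -u would report
fi
check_host "$KERN" "$ULAND" "12.2-RELEASE-p5"
```

Run it as a plain sh script on each binary-only host (or feed it the two strings collected by your inventory tooling). The check deliberately compares patch levels of the base system rather than the string OpenSSL prints, because, as Guido's commit reference shows, releng/12.2 took the fix without changing the library's reported version; the installed userland patch level is the only reliable binary-side signal.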
On Tue, Mar 30, 2021 at 11:55:24AM -0400, Karl Denninger wrote:
> How do I *know*, without source to go look at, whether or not the fix is
> present on a binary system?

Yep, you understand my point exactly.

-- 
J.