Re: possibly silly question regarding freebsd-update

Tue, 30 Mar 2021 08:55:47 -0700 


On 3/30/2021 11:22, Guido Falsi via freebsd-stable wrote:

On 30/03/21 15:35, tech-lists wrote:

Hi,

Recently there was
https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html 
about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted.

What I'm unsure about is the openssl version.
Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsdĀ  22 Sep 2020

Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd
25 Mar 2021

shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well?
No, as you can see in the commit in the official git [1] while for current and stable the new upstream version of openssl was imported for the release the fix was applied without importing the new release and without changing the reported version of the library.
So with 12.2p5 you do get the fix but don't get a new version of the library.
[1] https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b 



Excuse me....

$ uname -v
FreeBSD 12.2-RELEASE-p4 GENERIC
$ sudo sh
# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 12.2-RELEASE from update4.freebsd.org... done. 
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 12.2-RELEASE-p5.

I am running 12.2-RELEASE-p4, so says uname -v
IMHO it is an *extraordinarily* bad practice to change a library that in fact will result in a revision change while leaving the revision number alone.
How do I *know*, without source to go look at, whether or not the fix is present on a binary system?
If newvers.sh gets bumped then a build and -p5 release should have resulted from that, and in turn a fetch/install (and reboot of course since it's in the kernel) should result in uname -v returning "-p5"
Most of my deployed "stuff" is on -STABLE but I do have a handful of machines on cloud infrastructure that are binary-only and on which I rely on freebsd-update and pkg to keep current with security-related items. 

--
Karl Denninger
k...@denninger.net <mailto:k...@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to