On 3/30/2021 12:02, Gary Palmer wrote:
On Tue, Mar 30, 2021 at 11:55:24AM -0400, Karl Denninger wrote:On 3/30/2021 11:22, Guido Falsi via freebsd-stable wrote:On 30/03/21 15:35, tech-lists wrote:Hi,Recently there was https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted. What I'm unsure about is the openssl version. Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd? 22 Sep 2020 Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd 25 Mar 2021 shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well?No, as you can see in the commit in the official git [1] while for current and stable the new upstream version of openssl was imported for the release the fix was applied without importing the new release and without changing the reported version of the library. So with 12.2p5 you do get the fix but don't get a new version of the library. [1] https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9bExcuse me.... $ uname -v FreeBSD 12.2-RELEASE-p4 GENERIC $ sudo sh # freebsd-update fetch Looking up update.FreeBSD.org mirrors... 3 mirrors found. Fetching metadata signature for 12.2-RELEASE from update4.freebsd.org... done. Fetching metadata index... done. Inspecting system... done. Preparing to download files... done. No updates needed to update system to 12.2-RELEASE-p5. I am running 12.2-RELEASE-p4, so says uname -v IMHO it is an *extraordinarily* bad practice to change a library that in fact will result in a revision change while leaving the revision number alone. How do I *know*, without source to go look at, whether or not the fix is present on a binary system? If newvers.sh gets bumped then a build and -p5 release should have resulted from that, and in turn a fetch/install (and reboot of course since it's in the kernel) should result in uname -v returning "-p5" Most of my deployed "stuff" is on -STABLE but I do have a handful of machines on cloud infrastructure that are binary-only and on which I rely on freebsd-update and pkg to keep current with security-related items.What does "freebsd-version -u" report? The fix was only to a userland library, so I would not expect the kernel version as reported by uname to change. Regards, Gary
Ok, that's fair; it DOES show -p5 for the user side. $ freebsd-version -ru 12.2-RELEASE-p4 12.2-RELEASE-p5So that says my userland is -p5 while the kernel, which did not change (even though if you built from source it would carry the -p5 number) is -p4.
I can live with that as it allows me to "see" that indeed the revision is present without having source on the box.
I recognize that this is probably a reasonably-infrequent thing but it certainly is one that for people running binary releases is likely quite important given that the issue is in the openssl libraries. It was enough for me to rebuild all the firewall machines the other day since a DOS (which is reasonably possible for one of the flaws) aimed at my VPN server causing the server process to exit would be...... bad.
-- Karl Denninger k...@denninger.net <mailto:k...@denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/
smime.p7s
Description: S/MIME Cryptographic Signature
