From: Benjamin Kaduk
To: Xin LI
Cc: Oliver Pinter, Xin LI, Dimitry Andric, "freebsd-security@freebsd.org", Eric van Gyzen
Date: Fri, 27 Jan 2017 15:46:35 -0600
Subject: Re: Plan for OpenSSL in stable/10?
Message-ID: <20170127214635.GT8460@kduck.kaduk.org>

Er, which three symbols? I'm not sure that I'm reading the tool
properly; e.g., the 1.0.2 line has "4 removed", which seems to be
comparing to 1.0.1u, which is not a fair comparison -- some symbols
were added during the 1.0.1 series, e.g., for CVE fixes, that were also
added to the 1.0.2 series, but were not present in 1.0.2.

(BTW I posted to upstream about this at
https://mta.openssl.org/pipermail/openssl-dev/2017-January/009042.html)

-Ben

On Thu, Jan 26, 2017 at 02:10:55PM -0800, Xin LI wrote:
> They are not compatible:
> https://abi-laboratory.pro/tracker/timeline/openssl/
>
> (3 missing symbols need to be fixed, and we need to verify if the result
> is still compatible; the usage of these missing symbols should be quite
> rare, though).
>
> On Thu, Jan 26, 2017 at 1:48 PM, Oliver Pinter <oliver.pinter@hardenedbsd.org> wrote:
>
> > On 1/13/17, Benjamin Kaduk wrote:
> > > On Thu, Jan 12, 2017 at 10:57:20PM +0100, Dimitry Andric wrote:
> > >> On 12 Jan 2017, at 19:02, Eric van Gyzen wrote:
> > >> >
> > >> > Has anyone had time to discuss and form a plan for OpenSSL in stable/10,
> > >> > now that 1.0.1 is end-of-life? I don't recall seeing any public
> > >> > discussion or announcement; forgive me if I missed it.
> > >>
> > >> Would updating to 1.0.2 change the API and/or ABI?
> > >
> > > IIRC upstream claims that it is ABI and API compatible, but they were less
> > > good about enforcing that rigorously back then than they are now, so maybe
> > > some things slipped through the cracks.
> >
> > Is there any news with regard to these questions?
> >
> > > -Ben
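
The baseline question raised at the top of this message, as an added example that is not part of the original thread: it parses `nm -D` style listings and separates symbols that only look removed because the first release of the new branch predates a backport from symbols that are still absent in the latest release of that branch. The listings and all `demo_*` symbol names are constructed for illustration and are not real OpenSSL exports.

```python
# Added example: constructed data, not real OpenSSL symbol lists.

def exported_symbols(nm_output):
    """Parse `nm -D` text and return the set of defined, exported names."""
    symbols = set()
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) != 3:            # undefined entries have no address column
            continue
        _addr, sym_type, name = fields
        if sym_type.isupper() and sym_type != "U":
            symbols.add(name.split("@", 1)[0])   # drop any symbol-version suffix
    return symbols


def classify_removed(old_last, new_first, new_last):
    """Split symbols missing from new_first into baseline artifacts and real gaps."""
    removed = old_last - new_first
    artifacts = removed & new_last      # reappear later in the new branch
    genuine = removed - new_last        # still absent: candidate ABI breaks
    return sorted(artifacts), sorted(genuine)


# Constructed listings: last release of the old branch, first and latest
# releases of the new branch. Symbol names are hypothetical.
NM_OLD_LAST = """\
0000000000001000 T demo_init
0000000000001040 T demo_read
0000000000001080 T demo_cve_fix_check
00000000000010c0 T demo_legacy_only
                 U memcpy
"""
NM_NEW_FIRST = """\
0000000000002000 T demo_init
0000000000002040 T demo_read
0000000000002080 T demo_new_api
"""
NM_NEW_LAST = """\
0000000000003000 T demo_init
0000000000003040 T demo_read@@DEMO_1_0
0000000000003080 T demo_new_api
00000000000030c0 T demo_cve_fix_check
"""

if __name__ == "__main__":
    sets = [exported_symbols(t) for t in (NM_OLD_LAST, NM_NEW_FIRST, NM_NEW_LAST)]
    artifacts, genuine = classify_removed(*sets)
    print("baseline artifacts:", artifacts)
    print("still missing:", genuine)
```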