From: Vladimir Terziev
To: Dag-Erling Smørgrav, Roger Eddins
CC: freebsd-hackers@freebsd.org
Subject: Re: Reported version numbers of base openssl and sshd
Date: Wed, 5 Oct 2016 13:07:55 +0000
Message-ID: <61AE4EE6-3A98-4A32-AFC3-A117A9F7E3C4@bwinparty.com>

In fact with RedHat the same issue exists. Every time we have an audit (not PCI only), we have to explain to the auditors the back-porting politics of RedHat and show them the change-log of the packages.

Roger, you can follow a similar way. Your FreeBSD systems are at a certain security patch-level (uname -r). You can show that to the auditors along with a log of the changes this patch-level incorporates.

Vladimir

On Oct 5, 2016, at 3:51 PM, Dag-Erling Smørgrav wrote:

> Roger Eddins writes:
>> [...] Across the board we are finding other processes in commerce
>> tools rejecting transactions due to version number deficiencies and
>> the problem is growing rapidly. My hope would be that the team would
>> reconsider the version number question as it is the biggest deficiency
>> we experience daily using the FreeBSD OS.
>
> Once again: how do they handle RHEL? Because Red Hat, the 800-pound
> gorilla of the Open Source world, does the same thing that we do:
> backport patches without bumping the version number. And in fact, they
> do *less* than we do, because for OpenSSL and OpenSSH, we have version
> suffixes which should reflect the date of the last patch, so even an
> automated scanner *can* be taught to distinguish a vulnerable machine
> from a patched one - as long as secteam remembers to bump the suffix
> when they patch the software.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
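As an added illustration (not code from the thread or from the FreeBSD project) of the distinction DES draws: a scanner-side check that trusts the FreeBSD patch-date suffix on an sshd banner when one is present and falls back to plain upstream version comparison otherwise, beside the version-only check that produces the false positives Roger describes. The sample banners and the "fixed in upstream 7.3 / fixed in FreeBSD base on 2016-03-10" values are constructed placeholders for a hypothetical advisory, not a real one.

```python
import re
from datetime import date

# Constructed sample banners (not taken from the thread): a FreeBSD base
# sshd carrying its patch-date suffix, an older FreeBSD build, and a plain
# upstream banner with no suffix at all.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310",
    "SSH-2.0-OpenSSH_7.2 FreeBSD-20150321",
    "SSH-2.0-OpenSSH_7.2",
]

# Hypothetical advisory (placeholder values): fixed upstream in 7.3,
# fixed in FreeBSD base by the 2016-03-10 suffix bump.
FIX_UPSTREAM = (7, 3)
FIX_DATE = date(2016, 3, 10)

BANNER_RE = re.compile(
    r"^SSH-2\.0-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?:p\d+)?"
    r"(?: FreeBSD-(?P<date>\d{8}))?"
)


def parse_banner(banner):
    """Return (upstream version tuple, FreeBSD patch date or None), or None."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    version = tuple(int(x) for x in m.group("ver").split("."))
    d = m.group("date")
    patch_date = date(int(d[:4]), int(d[4:6]), int(d[6:])) if d else None
    return version, patch_date


def naive_assess(banner, fixed_upstream):
    """Version-number-only check: flags every backported build as vulnerable."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    return "patched" if parsed[0] >= fixed_upstream else "vulnerable"


def suffix_aware_assess(banner, fixed_upstream, fixed_freebsd_date):
    """Use the FreeBSD patch-date suffix when present, else upstream version."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    version, patch_date = parsed
    if patch_date is not None:
        return "patched" if patch_date >= fixed_freebsd_date else "vulnerable"
    return "patched" if version >= fixed_upstream else "vulnerable"
```

Run over SAMPLE_BANNERS, the first banner is reported vulnerable by naive_assess and patched by suffix_aware_assess; a banner without the suffix gets the same answer from both.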