Date: Wed, 12 Apr 2006 14:48:52 -0400
From: Kris Kennaway <kris@obsecurity.org>
To: martinko <martinkov@pobox.sk>
Cc: freebsd-questions@freebsd.org
Subject: Re: upcoming release 6.1: old version of some core components
Message-ID: <20060412184851.GA25677@xor.obsecurity.org>
In-Reply-To: <e1jhn4$vhe$1@sea.gmane.org>
References: <443BAE40.9050704@dial.pipex.com> <001301c65d7f$0b9dab70$dededede@avalon.lan> <20060411203727.GA90177@xor.obsecurity.org> <e1jhn4$vhe$1@sea.gmane.org>
On Wed, Apr 12, 2006 at 08:42:44PM +0200, martinko wrote:
> Kris Kennaway wrote:
> > On Tue, Apr 11, 2006 at 05:46:06PM +0200, No@SPAM@mgEDV.net wrote:
> >
> >>>I can't answer your main question, but I would say that you can bet your
> >>>shirt on the fact that there will be no known security issues in the
> >>>older packages.
> >>
> >>>At least for openssl and openssh you can get latest versions through the
> >>>ports. Not an option for everything -- I see no zlib for example and I
> >>>don't believe there's a standard cvs port either.
> >>
> >>as for zlib i definitely know, that there are 2 security flaws, which can
> >>lead to problems when invalid compressed data is fed.
> >
> > Already fixed as soon as they were published. Are there other reasons
> > to upgrade?
> >
> >>my problem also is not the installation of ports/packages/custom compiles,
> >>it's more that the operating system components themselves are linked against
> >>these older libraries and therefore will contain bugs, which may have been
> >>already solved.
> >
> > The other side of this is that newer versions are often incompatible
> > (OpenSSL, I'm looking at you), which rules out upgrading the version
> > in a FreeBSD-STABLE branch since it ruins binary compatibility.
> >
> > Kris
>
> One may wonder why they change very minor version number/letter only, if
> the changes are so disturbing..

It's more that they don't have the foresight and discipline not to keep
breaking interfaces. This may have changed recently, but I think their
policy is still "until we release openssl 1.0 we make no promises about
compatibility".

Kris