From owner-freebsd-stable@freebsd.org Tue Mar 30 16:02:32 2021 Return-Path: Delivered-To: freebsd-stable@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C95C957C0C2 for ; Tue, 30 Mar 2021 16:02:32 +0000 (UTC) (envelope-from gpalmer@freebsd.org) Received: from mail.in-addr.com (mail.in-addr.com [IPv6:2a01:4f8:191:61e8::2525:2525]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4F8vNS2sSQz4wlD for ; Tue, 30 Mar 2021 16:02:32 +0000 (UTC) (envelope-from gpalmer@freebsd.org) Received: from gjp by mail.in-addr.com with local (Exim 4.94 (FreeBSD)) (envelope-from ) id 1lRGoy-000AeC-4E; Tue, 30 Mar 2021 17:02:24 +0100 Date: Tue, 30 Mar 2021 17:02:24 +0100 From: Gary Palmer To: Karl Denninger Cc: freebsd-stable@freebsd.org Subject: Re: possibly silly question regarding freebsd-update Message-ID: References: <7e96f815-2955-cfd2-cf6d-16187bc5a233@denninger.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <7e96f815-2955-cfd2-cf6d-16187bc5a233@denninger.net> X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: gpalmer@freebsd.org X-SA-Exim-Scanned: No (on mail.in-addr.com); SAEximRunCond expanded to false X-Rspamd-Queue-Id: 4F8vNS2sSQz4wlD X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [0.00 / 15.00]; ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE]; local_wl_from(0.00)[freebsd.org] X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Mar 2021 16:02:32 -0000 On Tue, Mar 30, 2021 at 11:55:24AM -0400, Karl Denninger wrote: > > On 3/30/2021 11:22, Guido Falsi via freebsd-stable wrote: > > On 30/03/21 15:35, tech-lists wrote: > > > Hi, > > > > > > Recently there was > > > https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html > > > > > > about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted. > > > > > > What I'm unsure about is the openssl version. > > > Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd? 22 Sep 2020 > > > > > > Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd > > > 25 Mar 2021 > > > > > > shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well? > > > > > > > No, as you can see in the commit in the official git [1] while for > > current and stable the new upstream version of openssl was imported for > > the release the fix was applied without importing the new release and > > without changing the reported version of the library. > > > > So with 12.2p5 you do get the fix but don't get a new version of the > > library. > > > > > > [1] https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b > > > > > Excuse me.... > > $ uname -v > FreeBSD 12.2-RELEASE-p4 GENERIC > $ sudo sh > # freebsd-update fetch > Looking up update.FreeBSD.org mirrors... 3 mirrors found. > Fetching metadata signature for 12.2-RELEASE from update4.freebsd.org... > done. > Fetching metadata index... done. > Inspecting system... done. > Preparing to download files... done. > > No updates needed to update system to 12.2-RELEASE-p5. > > I am running 12.2-RELEASE-p4, so says uname -v > > IMHO it is an *extraordinarily* bad practice to change a library that in > fact will result in a revision change while leaving the revision number > alone. > > How do I *know*, without source to go look at, whether or not the fix is > present on a binary system? > > If newvers.sh gets bumped then a build and -p5 release should have resulted > from that, and in turn a fetch/install (and reboot of course since it's in > the kernel) should result in uname -v returning "-p5" > > Most of my deployed "stuff" is on -STABLE but I do have a handful of > machines on cloud infrastructure that are binary-only and on which I rely on > freebsd-update and pkg to keep current with security-related items. What does "freebsd-version -u" report? The fix was only to a userland library, so I would not expect the kernel version as reported by uname to change. Regards, Gary