Date:      Tue, 30 Mar 2021 12:07:41 -0400
From:      Karl Denninger <karl@denninger.net>
To:        Gary Palmer <gpalmer@freebsd.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: possibly silly question regarding freebsd-update
Message-ID:  <c16bfed1-52bb-560c-c73f-1edd0c1f876e@denninger.net>
In-Reply-To: <YGNLkDpHtIuaO3xp@in-addr.com>
References:  <YGMpE5uWvRy8Xdql@cloud.zyxst.net> <aad6ecc5-f6b0-92c5-1acb-e9666760e813@madpilot.net> <7e96f815-2955-cfd2-cf6d-16187bc5a233@denninger.net> <YGNLkDpHtIuaO3xp@in-addr.com>

On 3/30/2021 12:02, Gary Palmer wrote:
> On Tue, Mar 30, 2021 at 11:55:24AM -0400, Karl Denninger wrote:
>> On 3/30/2021 11:22, Guido Falsi via freebsd-stable wrote:
>>> On 30/03/21 15:35, tech-lists wrote:
>>>> Hi,
>>>>
>>>> Recently there was
>>>> https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html
>>>>
>>>> about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted.
>>>>
>>>> What I'm unsure about is the openssl version.
>>>> Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd  22 Sep 2020
>>>>
>>>> Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd
>>>> 25 Mar 2021
>>>>
>>>> shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well?
>>>>
>>> No, as you can see in the commit in the official git [1] while for
>>> current and stable the new upstream version of openssl was imported for
>>> the release the fix was applied without importing the new release and
>>> without changing the reported version of the library.
>>>
>>> So with 12.2p5 you do get the fix but don't get a new version of the
>>> library.
>>>
>>>
>>> [1] https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b
>>>
>>>
>> Excuse me....
>>
>> $ uname -v
>> FreeBSD 12.2-RELEASE-p4 GENERIC
>> $ sudo sh
>> # freebsd-update fetch
>> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
>> Fetching metadata signature for 12.2-RELEASE from update4.freebsd.org...
>> done.
>> Fetching metadata index... done.
>> Inspecting system... done.
>> Preparing to download files... done.
>>
>> No updates needed to update system to 12.2-RELEASE-p5.
>>
>> I am running 12.2-RELEASE-p4, so says uname -v
>>
>> IMHO it is an *extraordinarily* bad practice to change a library that in
>> fact will result in a revision change while leaving the revision number
>> alone.
>>
>> How do I *know*, without source to go look at, whether or not the fix is
>> present on a binary system?
>>
>> If newvers.sh gets bumped then a build and -p5 release should have resulted
>> from that, and in turn a fetch/install (and reboot of course since it's in
>> the kernel) should result in uname -v returning "-p5"
>>
>> Most of my deployed "stuff" is on -STABLE but I do have a handful of
>> machines on cloud infrastructure that are binary-only and on which I rely on
>> freebsd-update and pkg to keep current with security-related items.
> What does "freebsd-version -u" report?  The fix was only to a userland
> library, so I would not expect the kernel version as reported by uname
> to change.
>
> Regards,
>
> Gary

Ok, that's fair; it DOES show -p5 for the user side.

$ freebsd-version -ru
12.2-RELEASE-p4
12.2-RELEASE-p5

So that says my userland is -p5 while the kernel, which did not change
(even though if you built from source it would carry the -p5 number) is -p4.

I can live with that as it allows me to "see" that indeed the revision
is present without having source on the box.

I recognize that this is probably a reasonably-infrequent thing but it
certainly is one that for people running binary releases is likely quite
important given that the issue is in the openssl libraries. It was
enough for me to rebuild all the firewall machines the other day since a
DOS (which is reasonably possible for one of the flaws) aimed at my VPN
server causing the server process to exit would be...... bad.

--
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
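
Added example, not part of the original message or of FreeBSD itself: a POSIX sh check that automates the `freebsd-version -ru` comparison discussed in the thread, so a binary-only host can be tested for a required userland patch level even when the running kernel reports an older one. The function names and the `REQUIRED` variable are assumptions; the fallback version strings are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: compare running-kernel and userland patch levels.
# Inputs are version strings as printed by `freebsd-version -r` (running
# kernel) and `freebsd-version -u` (userland). All names are hypothetical.

# patch_level VERSION: print the numeric -pN suffix, or 0 if there is none.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# base_release VERSION: print the version without its -pN suffix.
base_release() {
    case "$1" in
        *-p[0-9]*) echo "${1%-p*}" ;;
        *)         echo "$1" ;;
    esac
}

# check_patch RUNNING_KERNEL USERLAND REQUIRED
# Prints a verdict; returns 0 when userland has reached REQUIRED.
check_patch() {
    kern=$1 user=$2 req=$3
    if [ "$(base_release "$user")" != "$(base_release "$req")" ]; then
        echo release-mismatch; return 2
    fi
    if [ "$(patch_level "$user")" -lt "$(patch_level "$req")" ]; then
        echo userland-missing; return 1
    fi
    # A userland-only fix (such as a library patch) does not bump the kernel.
    if [ "$(patch_level "$kern")" -lt "$(patch_level "$req")" ]; then
        echo userland-patched-kernel-older; return 0
    fi
    echo all-patched
}

# Use live values on a FreeBSD host, otherwise the values from the thread.
if command -v freebsd-version >/dev/null 2>&1; then
    running=$(freebsd-version -r); userland=$(freebsd-version -u)
else
    running=12.2-RELEASE-p4; userland=12.2-RELEASE-p5
fi
check_patch "$running" "$userland" "${REQUIRED:-12.2-RELEASE-p5}" ||
    echo "userland is below the required patch level" >&2
```
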
