From: John Marshall
Date: Fri, 6 Jun 2014 14:33:59 +1000
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:14.openssl
Message-ID: <20140606043359.GF16618@rwpc15.gfn.riverwillow.net.au>
In-Reply-To: <201406051316.s55DGtwI041948@freefall.freebsd.org>

On Thu, 05 Jun 2014, 13:16 +0000, FreeBSD Security Advisories wrote:
> Corrected:
>                 2014-06-05 12:33:23 UTC (releng/9.2, 9.2-RELEASE-p8)
>
> VI.  Correction details
>
> Branch/path                                                      Revision
> -------------------------------------------------------------------------
> releng/9.2/                                                       r267104

I've just src-upgraded a system and expected to see OpenSSL version
0.9.8za at the end of it all.  I checked the patches and the OpenSSL
version number wasn't touched.  Is this an expected outcome?

  rwsrv04> uname -v; openssl version
  FreeBSD 9.2-RELEASE-p8 #0 r267130: Fri Jun 6 12:43:09 AEST 2014...
  OpenSSL 0.9.8y 5 Feb 2013

  rwsrv04> ls -l /usr/lib/libssl.so.6
  -r--r--r-- 1 root wheel 304808 6 Jun 13:31 /usr/lib/libssl.so.6

I understand that it was the FreeBSD distribution that was patched and
not the OpenSSL distribution, but having the operating system and
applications reporting a "vulnerable" version of OpenSSL isn't
reassuring to other folks.

-- 
John Marshall
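
Added example, not part of the message above and not FreeBSD project tooling: one way to confirm the fix from the patch level and revision that `uname -v` reports, compared with the advisory's "Corrected" entry, instead of from the unchanged `openssl version` string. It assumes kernel and world were built from the same source tree (as in the src upgrade described); the function name and the p7 sample banner are constructed for illustration.

```shell
#!/bin/sh
# Added example. The three values below are the "Corrected" entries quoted
# from the advisory excerpt in the message above.
FIXED_BRANCH="9.2-RELEASE"   # releng/9.2
FIXED_PATCH=8                # 9.2-RELEASE-p8
FIXED_REV=267104             # r267104

# patch_status "<uname -v output>"   (hypothetical helper name)
# Prints fixed, vulnerable, or unknown. Assumption: kernel and world come
# from the same source tree, so the kernel banner also describes libssl.
patch_status() {
    tok=$(printf '%s\n' "$1" | awk '$1 == "FreeBSD" { print $2; exit }')
    rev=$(printf '%s\n' "$1" | awk '$1 == "FreeBSD" { print $4; exit }')

    case "$tok" in
        "$FIXED_BRANCH")     patch=0 ;;
        "$FIXED_BRANCH"-p*)  patch=${tok#"$FIXED_BRANCH"-p} ;;
        *)                   echo unknown; return 0 ;;  # other branch: use its own advisory row
    esac
    case "$patch" in ''|*[!0-9]*) echo unknown; return 0 ;; esac

    # The revision token looks like "r267130:"; it is absent on some builds.
    rev=${rev#r}; rev=${rev%:}
    case "$rev" in ''|*[!0-9]*) rev= ;; esac

    if [ "$patch" -lt "$FIXED_PATCH" ]; then
        echo vulnerable
    elif [ -n "$rev" ] && [ "$rev" -lt "$FIXED_REV" ]; then
        echo unknown         # patch level and revision disagree; inspect by hand
    else
        echo fixed
    fi
}

# The banner from the message, then a constructed banner for an older patch level.
sample_new='FreeBSD 9.2-RELEASE-p8 #0 r267130: Fri Jun 6 12:43:09 AEST 2014...'
sample_old='FreeBSD 9.2-RELEASE-p7 #0 r266000: Thu May 1 00:00:00 UTC 2014'
echo "p8 host: $(patch_status "$sample_new")"
echo "p7 host: $(patch_status "$sample_old")"
```

On a live host the argument would be "$(uname -v)"; a banner from another branch returns unknown because only the releng/9.2 row is quoted in the message.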