From owner-freebsd-security@FreeBSD.ORG Sun Jun 8 13:14:50 2014
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9409FDD for ; Sun, 8 Jun 2014 13:14:50 +0000 (UTC)
Received: from mx1.stack.nl (relay02.stack.nl [IPv6:2001:610:1108:5010::104]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mailhost.stack.nl", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 570C72446 for ; Sun, 8 Jun 2014 13:14:50 +0000 (UTC)
Received: from snail.stack.nl (snail.stack.nl [IPv6:2001:610:1108:5010::131]) by mx1.stack.nl (Postfix) with ESMTP id EBB313592EC for ; Sun, 8 Jun 2014 15:14:46 +0200 (CEST)
Received: by snail.stack.nl (Postfix, from userid 1677) id CDF1D28497; Sun, 8 Jun 2014 15:14:46 +0200 (CEST)
Date: Sun, 8 Jun 2014 15:14:46 +0200
From: Jilles Tjoelker
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:14.openssl
Message-ID: <20140608131446.GA4706@stack.nl>
References: <201406051316.s55DGtwI041948@freefall.freebsd.org> <20140606043359.GF16618@rwpc15.gfn.riverwillow.net.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20140606043359.GF16618@rwpc15.gfn.riverwillow.net.au>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Sun, 08 Jun 2014 13:14:50 -0000

On Fri, Jun 06, 2014 at 02:33:59PM +1000, John Marshall wrote:
> On Thu, 05 Jun 2014, 13:16 +0000, FreeBSD Security Advisories wrote:
> > Corrected:
> > 2014-06-05 12:33:23 UTC (releng/9.2, 9.2-RELEASE-p8)
> > VI. Correction details
> > Branch/path                                                  Revision
> > -------------------------------------------------------------------------
> > releng/9.2/                                                  r267104
> I've just src-upgraded a system and expected to see OpenSSL version
> 0.9.8za at the end of it all. I checked the patches and the OpenSSL
> version number wasn't touched. Is this an expected outcome?
> rwsrv04> uname -v; openssl version
> FreeBSD 9.2-RELEASE-p8 #0 r267130: Fri Jun 6 12:43:09 AEST 2014...
> OpenSSL 0.9.8y 5 Feb 2013
> rwsrv04> ls -l /usr/lib/libssl.so.6
> -r--r--r-- 1 root wheel 304808 6 Jun 13:31 /usr/lib/libssl.so.6
> I understand that it was the FreeBSD distribution that was patched and
> not the OpenSSL distribution, but having the operating system and
> applications reporting a "vulnerable" version of OpenSSL isn't
> reassuring to other folks.

Yes, this is expected and common practice. Perhaps the version number should
instead be removed in head given that it is not updated for security patches
anyway.

-- 
Jilles Tjoelker
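The practical consequence of the exchange above is that `openssl version` cannot tell a patched FreeBSD base system from an unpatched one, because the base-system fix leaves the OpenSSL version string (0.9.8y here) untouched. What does move is the release patch level named in the advisory's "Corrected" line (9.2-RELEASE-p8). The following is an added example, not part of the thread and not FreeBSD project code, of comparing a system's release string against that corrected patch level instead. The `patch_level`, `release_base` and `is_patched` helpers are hypothetical names chosen here; the release strings other than 9.2-RELEASE-p8 are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread): judge patch state from the FreeBSD
# release string rather than from `openssl version`, which FreeBSD base
# security patches do not bump. Helper names are hypothetical.

# Print the numeric patch level of a release string ("9.2-RELEASE-p8" -> 8).
# A release string with no -pN suffix is treated as patch level 0.
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# Print the release without its patch suffix ("9.2-RELEASE-p8" -> "9.2-RELEASE").
release_base() {
    printf '%s\n' "${1%-p[0-9]*}"
}

# is_patched SYSTEM_RELEASE ADVISORY_RELEASE
#   returns 0 if SYSTEM_RELEASE is the same release as ADVISORY_RELEASE and at
#   or above its patch level, 1 if it is below it, and 2 if the two are
#   different releases, in which case this comparison says nothing and the
#   advisory's Corrected line for that release has to be consulted instead.
is_patched() {
    have="$1"
    need="$2"
    [ "$(release_base "$have")" = "$(release_base "$need")" ] || return 2
    [ "$(patch_level "$have")" -ge "$(patch_level "$need")" ]
}

# Corrected level from the advisory quoted in the thread.
ADVISORY="9.2-RELEASE-p8"

# Constructed sample inputs standing in for `freebsd-version -u` / `uname -r`
# output; in practice substitute the real command's output for each.
for sys in "9.2-RELEASE-p7" "9.2-RELEASE-p8" "9.2-RELEASE-p10" "10.0-RELEASE-p4"; do
    is_patched "$sys" "$ADVISORY"
    case $? in
        0) echo "$sys: at or above $ADVISORY" ;;
        1) echo "$sys: below $ADVISORY, fix not yet applied" ;;
        *) echo "$sys: different release, check that release's own Corrected line" ;;
    esac
done
```

Two caveats when feeding this real output: `uname -r` reports the kernel's patch level, which only changes if the kernel was rebuilt, so a userland-only fix such as this OpenSSL one can be installed on a 9.x system whose `uname -r` still shows the old level; `freebsd-version -u`, which reports the userland level directly, exists from FreeBSD 10.0 onward. Neither string is a substitute for confirming that the patched `libssl` was actually installed and that long-running services were restarted against it.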