From: Kimmo Paasiala
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:14.openssl
Date: Mon, 09 Jun 2014 22:06:26 +0300
To: Jilles Tjoelker
Cc: freebsd-security@freebsd.org
Message-id: <34FF30E8-E9F1-4691-B6EE-9E4E5DDA0AC7@icloud.com>
In-reply-to: <20140608131446.GA4706@stack.nl>

On 8.6.2014, at 16.14, Jilles Tjoelker wrote:

> On Fri, Jun 06, 2014 at 02:33:59PM +1000, John Marshall wrote:
>> On Thu, 05 Jun 2014, 13:16 +0000, FreeBSD Security Advisories wrote:
>
>>> Corrected:
>
>>> 2014-06-05 12:33:23 UTC (releng/9.2, 9.2-RELEASE-p8)
>
>>> VI. Correction details
>
>>> Branch/path                                                      Revision
>>> -------------------------------------------------------------------------
>
>>> releng/9.2/                                                       r267104
>
>> I've just src-upgraded a system and expected to see OpenSSL version
>> 0.9.8za at the end of it all. I checked the patches and the OpenSSL
>> version number wasn't touched. Is this an expected outcome?
>
>> rwsrv04> uname -v; openssl version
>> FreeBSD 9.2-RELEASE-p8 #0 r267130: Fri Jun 6 12:43:09 AEST 2014...
>> OpenSSL 0.9.8y 5 Feb 2013
>
>> rwsrv04> ls -l /usr/lib/libssl.so.6
>> -r--r--r-- 1 root wheel 304808 6 Jun 13:31 /usr/lib/libssl.so.6
>
>> I understand that it was the FreeBSD distribution that was patched and
>> not the OpenSSL distribution, but having the operating system and
>> applications reporting a "vulnerable" version of OpenSSL isn't
>> reassuring to other folks.
>
> Yes, this is expected and common practice.
>
> Perhaps the version number should instead be removed in head given that
> it is not updated for security patches anyway.
>
> --
> Jilles Tjoelker

I strongly disagree. There has to be a version number so that no one has to guess what the base version of the software used is. Instead I'd look into incorporating the patch level information that is now in 'uname -r' (for example '10.0-RELEASE-p5') into various version strings in the world binaries.

-Kimmo
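The thread's practical point is that on a FreeBSD base system `openssl version` still prints 0.9.8y after the fix, so the patch level from `uname -r` is what tells you whether FreeBSD-SA-14:14 is applied. The following POSIX sh function is an added example written for this archive page, not code from the thread or from the FreeBSD project; it compares a release string against the corrected level the advisory quotes for releng/9.2 (9.2-RELEASE-p8) and treats a string with no `-pN` suffix as patch level 0. The function name and the exit-status convention are my own choices.

```shell
#!/bin/sh
# fbsd_patched RUNNING REQUIRED_RELEASE REQUIRED_PATCHLEVEL
#   RUNNING             release string as printed by `uname -r`, e.g. 9.2-RELEASE-p8
#   REQUIRED_RELEASE    branch named in the advisory, e.g. 9.2-RELEASE
#   REQUIRED_PATCHLEVEL numeric level from the advisory's "Corrected" line, e.g. 8
# Exit status: 0 = at or above the corrected level
#              1 = same release but patch level too low
#              2 = a different release, so this advisory line does not apply
fbsd_patched() {
    running=$1
    required=$2
    need=$3
    # Strip a trailing "-pN" to get the bare release name.
    base=${running%-p[0-9]*}
    case "$running" in
        *-p[0-9]*) level=${running##*-p} ;;   # "9.2-RELEASE-p8" -> 8
        *)         level=0 ;;                  # no suffix: unpatched release
    esac
    [ "$base" = "$required" ] || return 2
    [ "$level" -ge "$need" ] && return 0
    return 1
}

# Stand-alone use on a live FreeBSD host: check the running 9.2 system against
# the corrected level quoted in the advisory above (releng/9.2, 9.2-RELEASE-p8).
# Skipped on other systems so the block runs anywhere.
if [ "$(uname -s 2>/dev/null)" = FreeBSD ]; then
    rc=0
    fbsd_patched "$(uname -r)" "9.2-RELEASE" 8 || rc=$?
    case $rc in
        0) echo "9.2 patch level covers FreeBSD-SA-14:14" ;;
        1) echo "9.2 system below p8: FreeBSD-SA-14:14 not applied" ;;
        2) echo "not a 9.2-RELEASE system: consult the advisory's other branches" ;;
    esac
fi
```

The same check works for any later advisory by passing the release and patch level from its own "Corrected" line; it says nothing about OpenSSL from ports, which carries its own version.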