From: Steve O'Hara-Smith
To: freebsd-questions@freebsd.org
Date: Thu, 6 Apr 2017 10:05:40 +0100
Subject: Re: Security Advisory - release version, user or kernel patch level?
Message-Id: <20170406100540.9796ed0deb735c2ba1553076@sohara.org>

On Thu, 06 Apr 2017 08:35:01 +0000
zhaghzhagh@openmailbox.org wrote:

> Good morning
>
> Every now and then I get confused by the version number of security
> patches.
>
> For example:
>
> https://www.freebsd.org/security/advisories/FreeBSD-SA-17:02.openssl.asc:
>
> ...
> Corrected:      2017-01-26 19:14:14 UTC (stable/11, 11.0-STABLE)
>                 2017-02-23 07:11:48 UTC (releng/11.0, 11.0-RELEASE-p8)
>                 2017-01-27 07:45:06 UTC (stable/10, 10.3-STABLE)
>                 2017-02-23 07:12:18 UTC (releng/10.3, 10.3-RELEASE-p17)
> ...
>
> [user@domain ~]$ uname -a
> FreeBSD domain.tld 10.3-RELEASE-p11 FreeBSD 10.3-RELEASE-p11 #0: Mon Oct
> 24 18:47:18 UTC 2016
> root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
>
> Guesses:
>
> 1. 'uname' - 'p11' = kernel patch level (?)

Correct.

> 2. '10.3-RELEASE-p17' - 'p17' = user patch level (?)

Correct - user patch level can be ahead of kernel patch level when
there are updates that don't affect the kernel.

> What if there is a security patch that affects only kernel?

I don't think that's happened (at the very least it will affect src
as well). I would expect both patch levels to bump if it did happen.

> Is it safe in all times to use 'freebsd-version -u' to decide whether my
> host needs to be updated, upon a security notification is issued? (Don't
> want to run 'freebsd-update' unnecessarily.)

Yes it is - or just run freebsd-update fetch periodically, if it
fetches anything then there are patches for your system then you can check
the advisory to see how urgent installation is.

-- 
Steve O'Hara-Smith
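
The check discussed in this thread, as an added example that is not part of the original message: it compares a userland version string, as printed by `freebsd-version -u`, against the `releng/` entry for the same branch in an advisory's "Corrected:" block. The function names are hypothetical, and the advisory text and installed version are constructed from the values quoted above.

```sh
#!/bin/sh
# Added example, not from the thread: function names here are hypothetical.
# Constructed input: the "Corrected:" lines quoted in the message above.
ADVISORY='Corrected: 2017-01-26 19:14:14 UTC (stable/11, 11.0-STABLE)
           2017-02-23 07:11:48 UTC (releng/11.0, 11.0-RELEASE-p8)
           2017-01-27 07:45:06 UTC (stable/10, 10.3-STABLE)
           2017-02-23 07:12:18 UTC (releng/10.3, 10.3-RELEASE-p17)'

# patch_level VERSION: print N for X.Y-RELEASE-pN and 0 for X.Y-RELEASE.
# Fails for -STABLE/-CURRENT, which carry no patch level to compare.
patch_level() {
    case "$1" in
        *-RELEASE)    n=0 ;;
        *-RELEASE-p*) n=${1##*-RELEASE-p} ;;
        *)            return 1 ;;
    esac
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$n"
}

# corrected_for BRANCH TEXT: print the fixed version listed for releng/BRANCH.
corrected_for() {
    rel=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    printf '%s\n' "$2" | sed -n "s|.*(releng/$rel, \([^)]*\)).*|\1|p" | head -n 1
}

# needs_update INSTALLED TEXT
#   0: installed userland is below the corrected patch level
#   1: installed userland is at or above it
#   2: cannot decide (not a -RELEASE, or branch absent from the advisory)
needs_update() {
    have=$(patch_level "$1") || return 2
    fixed=$(corrected_for "${1%%-*}" "$2")
    [ -n "$fixed" ] || return 2
    want=$(patch_level "$fixed") || return 2
    [ "$have" -lt "$want" ]
}

# Constructed stand-in for `freebsd-version -u`; on a real host use
#   installed=$(freebsd-version -u)
installed='10.3-RELEASE-p11'
rc=0
needs_update "$installed" "$ADVISORY" || rc=$?
case "$rc" in
    0) echo "$installed: below corrected level, update userland" ;;
    1) echo "$installed: already at or past the corrected level" ;;
    *) echo "$installed: cannot decide from this advisory text" ;;
esac
```

Exit status 2 is kept separate from 1 so that a -STABLE system or an unlisted branch is not silently reported as patched.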