From owner-freebsd-questions@freebsd.org Thu Apr 6 09:34:51 2017 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C7837D2F14B for ; Thu, 6 Apr 2017 09:34:51 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [IPv6:2001:8b0:151:1:c4ea:bd49:619b:6cb3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "infracaninophile.co.uk" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 5776380A for ; Thu, 6 Apr 2017 09:34:51 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from ox-dell39.ox.adestra.com (unknown [85.199.232.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: m.seaman@infracaninophile.co.uk) by smtp.infracaninophile.co.uk (Postfix) with ESMTPSA id C6A0C76DA for ; Thu, 6 Apr 2017 09:34:46 +0000 (UTC) Authentication-Results: smtp.infracaninophile.co.uk; dmarc=none header.from=FreeBSD.org Authentication-Results: smtp.infracaninophile.co.uk/C6A0C76DA; dkim=none; dkim-atps=neutral Subject: Re: Security Advisory - release version, user or kernel patch level? To: freebsd-questions@freebsd.org References: From: Matthew Seaman Message-ID: Date: Thu, 6 Apr 2017 10:34:45 +0100 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="IfA6c0w7bUgPO0MsKgBO2sQv4umlkjLKV" X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_00,RCVD_IN_RP_RNBL, RDNS_NONE,SPF_SOFTFAIL autolearn=no autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on smtp.infracaninophile.co.uk X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Apr 2017 09:34:51 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --IfA6c0w7bUgPO0MsKgBO2sQv4umlkjLKV Content-Type: multipart/mixed; boundary="1xfwK48ETP2EawRPbHCBCxL2D6GbETJsu"; protected-headers="v1" From: Matthew Seaman To: freebsd-questions@freebsd.org Message-ID: Subject: Re: Security Advisory - release version, user or kernel patch level? References: In-Reply-To: --1xfwK48ETP2EawRPbHCBCxL2D6GbETJsu Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 04/06/17 09:35, zhaghzhagh@openmailbox.org wrote: > Good morning >=20 > Every now and then I get confused by the version number of security > patches. >=20 > For example: >=20 > https://www.freebsd.org/security/advisories/FreeBSD-SA-17:02.openssl.as= c: >=20 > ... > Corrected: 2017-01-26 19:14:14 UTC (stable/11, 11.0-STABLE) > 2017-02-23 07:11:48 UTC (releng/11.0, 11.0-RELEASE-p8) > 2017-01-27 07:45:06 UTC (stable/10, 10.3-STABLE) > 2017-02-23 07:12:18 UTC (releng/10.3, 10.3-RELEASE-p17)= > ... >=20 > [user@domain ~]$ uname -a > FreeBSD domain.tld 10.3-RELEASE-p11 FreeBSD 10.3-RELEASE-p11 #0: Mon Oc= t > 24 18:47:18 UTC 2016 =20 > root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386 >=20 > Guesses: >=20 > 1. 'uname' - 'p11' =3D kernel patch level (?) > 2. '10.3-RELEASE-p17' - 'p17' =3D user patch level (?) >=20 > What if there is a security patch that affects only kernel? >=20 > Is it safe in all times to use 'freebsd-version -u' to decide whether m= y > host needs to be updated, upon a security notification is issued? (Don'= t > want to run 'freebsd-update' unnecessarily.) The correct version to look at in terms of freebd-update(8) is always the userland version -- ie. `freebsd-version -u` as you stated. The userland version gets incremented for every set of advisories, whilst the kernel version only changes when there is a security update requiring a new kernel. Thus the kernel version is either the same as the userland or slightly older. Use 'freebsd-version -u' to find the actual userland version -- it's precisely what that command was created for, since 'uname -a' gets its data from what is compiled into the kernel. Cheers, Matthew --1xfwK48ETP2EawRPbHCBCxL2D6GbETJsu-- --IfA6c0w7bUgPO0MsKgBO2sQv4umlkjLKV Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEGfFU7L8RLlBUTj8wAFE/EOCp5OcFAljmC7UACgkQAFE/EOCp 5OfaNxAAkVGmOvKnBE1zwgq63H7Bp6V08vLJY6kN093k8xEPEanTCpqoiEMkWYY4 6PrvC/xJG1oPOD8NbhP3gdfWFuJOXVGL0z94v+MW5MwUGz5FCZMr3AaXDJzVAEBt c6VJtuJfwzDAdlPeAN/SBPFOFsEB/K8pEUlqrD/6ASyMJ7p91hK2eT/oww3FSDHK AB4yQ1zRt6x2c0ByrY0owhrONTSTrDnpvh0dWhlXZr8FngLV1rG4sNS8Sbq4fHwr jAiRTX6+01wCbfnslrMFUBIsWRqdnMnIEu9eo6/fK8/KSJCy/Q4qode54/mNDEIN HfORmgZYwsERGheEVxEvzCg7MyaorCpC7icqdsvmnvU6/8YOYmExTVw6Z2JqhYGy ExjcutANr3x1TmyH4bNw/SMdhFEYnioASTH24dW80kKQNUghm2uOd48LtpCeoNP0 7aBKKi0VqMJd8Flk7iPIEo228roq87Dxey90cxLc1tCIuRVADje7rnk0K8raIhrl lwq0XE2chYHUI4Ck3Ey7gj9udRcCU3vRTRAwaTEaqVR+1qCTytxqboAq4VPj03Pf PsRHMKAS2fGgNAcCAHaZHwEGwgdViR51fT3P4GfftEAewdlwYbnUkMvJpeWcLpaO eT75wUYYJLK5RkRzgzjTli5qglF2ryEc5HOjB7A1Rqrk7UMaE8g= =KOiC -----END PGP SIGNATURE----- --IfA6c0w7bUgPO0MsKgBO2sQv4umlkjLKV--