From: Dan Nelson
Date: Tue, 11 Apr 2006 10:58:55 -0500
To: "No@SPAM@mgEDV.net"
Cc: freebsd-questions@freebsd.org
Subject: Re: upcoming release 6.1: old version of some core components
Message-ID: <20060411155855.GC4297@dan.emsphone.com>
References: <443BAE40.9050704@dial.pipex.com> <001301c65d7f$0b9dab70$dededede@avalon.lan>
In-Reply-To: <001301c65d7f$0b9dab70$dededede@avalon.lan>
X-OS: FreeBSD 5.5-PRERELEASE
User-Agent: Mutt/1.5.11

In the last episode (Apr 11), No@SPAM@mgEDV.net said:
> > I can't answer your main question, but I would say that you can bet your
> > shirt on the fact that there will be no known security issues in the
> > older packages.
> >
> > At least for openssl and openssh you can get latest versions through the
> > ports. Not an option for everything -- I see no zlib for example and I
> > don't believe there's a standard cvs port either.
>
> As for zlib I definitely know that there are 2 security flaws, which
> can lead to problems when invalid compressed data is fed.

You sure about that? Patches for both FreeBSD-SA-05:16.zlib and
FreeBSD-SA-05:18.zlib were applied to 5.* and 6.* branches as soon as
they were announced. Just because it says "1.2.2" doesn't mean "all
files are unmodified from the released version". I'd expect the same
goes for openssh and openssl.

Upgrading zlib on a stable branch is probably fine, but I'd expect that
newer openssh/openssl will have ABI or config file changes that would
make upgrading them a pain. Much easier to import new versions to HEAD
and back-port only the security fixes.

-- 
Dan Nelson
dnelson@allantgroup.com
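Dan's point is that the library's own version string (zlib "1.2.2") stays the same after a fix is back-ported, so the thing to check is the branch patch level from `uname -r` against the "Corrected" versions an advisory lists. The POSIX sh check below is an added example, not from this thread or from the FreeBSD project; the corrected-version list in it is a constructed placeholder, not the real values from FreeBSD-SA-05:16.zlib or FreeBSD-SA-05:18.zlib.

```shell
#!/bin/sh
# Added example: decide whether a FreeBSD RELEASE branch carries a Security
# Advisory's fix by comparing the "-pN" patch level of `uname -r` with the
# advisory's "Corrected" release strings. The base-system library version
# never changes when a fix is back-ported, so the patch level is the signal.

# CONSTRUCTED placeholder for an advisory's "Corrected" list (not the real
# values from the zlib advisories); one release string per word.
CORRECTED_EXAMPLE="5.4-RELEASE-p6 6.0-RELEASE-p1"

# Split e.g. "6.0-RELEASE-p5" into _ver=6.0 _branch=RELEASE _level=5.
# A release with no "-pN" suffix is patch level 0.
parse_release() {
    _ver=${1%%-*}
    _rest=${1#*-}
    _branch=${_rest%%-*}
    case "$_rest" in
        *-p*) _level=${_rest##*-p} ;;
        *)    _level=0 ;;
    esac
}

# usage: sa_applied INSTALLED CORRECTED...
# exit 0: installed patch level is at or above the corrected one
# exit 1: same version/branch but an older patch level (fix missing)
# exit 2: branch not covered (e.g. -STABLE/-PRERELEASE carry no patch
#         levels; those must be checked against the advisory's source date)
sa_applied() {
    parse_release "$1"
    iver=$_ver; ibranch=$_branch; ilevel=$_level
    shift
    [ "$ibranch" = RELEASE ] || return 2
    for corrected in "$@"; do
        parse_release "$corrected"
        [ "$_ver" = "$iver" ] && [ "$_branch" = "$ibranch" ] || continue
        [ "$ilevel" -ge "$_level" ] && return 0
        return 1
    done
    return 2
}

# Human-readable verdict; on a real host pass "$(uname -r)" as the first arg.
report() {
    rc=0; sa_applied "$@" || rc=$?
    case $rc in
        0) echo "$1: fix present (patch level at or above corrected)" ;;
        1) echo "$1: fix MISSING, update to the corrected patch level" ;;
        *) echo "$1: branch not covered by patch levels; check source date" ;;
    esac
}

report "6.0-RELEASE-p5" $CORRECTED_EXAMPLE   # constructed host strings
report "6.0-RELEASE" $CORRECTED_EXAMPLE
report "6.1-PRERELEASE" $CORRECTED_EXAMPLE
```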