From: Kris Kennaway <kris@obsecurity.org>
To: "No@SPAM@mgEDV.net"
Cc: freebsd-questions@freebsd.org
Date: Tue, 11 Apr 2006 16:37:27 -0400
Subject: Re: upcoming release 6.1: old version of some core components
Message-ID: <20060411203727.GA90177@xor.obsecurity.org>
In-Reply-To: <001301c65d7f$0b9dab70$dededede@avalon.lan>
References: <443BAE40.9050704@dial.pipex.com> <001301c65d7f$0b9dab70$dededede@avalon.lan>

On Tue, Apr 11, 2006 at 05:46:06PM +0200, No@SPAM@mgEDV.net wrote:
> 
> > I can't answer your main question, but I would say that you can bet your
> > shirt on the fact that there will be no known security issues in the
> > older packages.
> 
> > At least for openssl and openssh you can get latest versions through the
> > ports. Not an option for everything -- I see no zlib for example and I
> > don't believe there's a standard cvs port either.
> 
> As for zlib, I definitely know that there are 2 security flaws, which can
> lead to problems when invalid compressed data is fed in.

Already fixed as soon as they were published.  Are there other reasons
to upgrade?

> My problem also is not the installation of ports/packages/custom compiles,
> it's more that the operating system components themselves are linked against
> these older libraries and therefore will contain bugs which may have
> already been solved.

The other side of this is that newer versions are often incompatible
(OpenSSL, I'm looking at you), which rules out upgrading the version in
a FreeBSD-STABLE branch since it ruins binary compatibility.

Kris
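The concern in the second quoted paragraph, that base-system binaries resolve whatever zlib or OpenSSL the release shipped, can be checked by inventorying which ELF files name a given library in their DT_NEEDED entries. The script below is an added example, not code from this thread or from FreeBSD: it reads the program headers and PT_DYNAMIC segment directly (no readelf or ldd, and the binary is never executed) and lists every dynamically linked ELF file under a directory that needs a library whose name starts with a prefix such as libz.so. The function names (dt_needed, scan_tree, build_test_elf) are my own, and build_test_elf fabricates a minimal ELF64 image purely so the parser can be exercised offline; the library names in it are placeholders.

```python
"""List ELF binaries whose dynamic section names a given shared library.

Added example for the zlib/OpenSSL discussion above; not FreeBSD code.
Usage: python3 scan_needed.py /usr/bin libz.so
"""
import os
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def dt_needed(data):
    """Return the DT_NEEDED library names of an ELF image (bytes).

    Handles ELF32/ELF64, little and big endian.  A statically linked binary has
    no PT_DYNAMIC segment and yields [] although it may embed the library code,
    so [] must not be read as "does not use the library".
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    e = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    if is64:
        (phoff,) = struct.unpack_from(e + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(e + "HH", data, 54)
        ph_fmt, dyn_fmt = e + "IIQQQQQQ", e + "qQ"
    else:
        (phoff,) = struct.unpack_from(e + "I", data, 28)
        phentsize, phnum = struct.unpack_from(e + "HH", data, 42)
        ph_fmt, dyn_fmt = e + "IIIIIIII", e + "iI"

    loads, dynamic = [], None
    for i in range(phnum):
        ph = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
        # ELF64 puts p_flags second; ELF32 puts it seventh, so indices differ
        p_type, p_off, p_vaddr, p_filesz = (
            (ph[0], ph[2], ph[3], ph[5]) if is64 else (ph[0], ph[1], ph[2], ph[4]))
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        return []

    def to_off(vaddr):
        """Map a virtual address to a file offset through the PT_LOAD segments."""
        for v, o, sz in loads:
            if v <= vaddr < v + sz:
                return o + (vaddr - v)
        raise ValueError("address %#x not backed by file" % vaddr)

    tags, esz = [], struct.calcsize(dyn_fmt)
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], esz):
        tag, val = struct.unpack_from(dyn_fmt, data, pos)
        if tag == DT_NULL:
            break
        tags.append((tag, val))
    strtab = [to_off(v) for t, v in tags if t == DT_STRTAB]
    if not strtab:
        return []
    names = []
    for t, v in tags:
        if t == DT_NEEDED:                       # d_val is an offset into .dynstr
            start = strtab[0] + v
            names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return names


def scan_tree(root, lib_prefix):
    """Return [(path, needed)] for regular ELF files under root needing lib_prefix*."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                with open(path, "rb") as fh:
                    if fh.read(4) != b"\x7fELF":
                        continue
                    fh.seek(0)
                    needed = dt_needed(fh.read())
            except (OSError, ValueError, struct.error, IndexError):
                continue                          # unreadable or malformed image
            if any(n.startswith(lib_prefix) for n in needed):
                hits.append((path, needed))
    return hits


def build_test_elf(needed):
    """Constructed ELF64 LE image (not a runnable binary) carrying DT_NEEDED entries."""
    dynstr, offs = b"\0", []
    for n in needed:
        offs.append(len(dynstr))
        dynstr += n.encode() + b"\0"
    dynstr_off = 64 + 2 * 56                      # ehdr + two program headers
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in
                   [(DT_STRTAB, dynstr_off)] + [(DT_NEEDED, o) for o in offs] + [(DT_NULL, 0)])
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    ph_load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    body = ehdr + ph_load + ph_dyn + dynstr
    return body + b"\0" * (dyn_off - len(body)) + dyn


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    prefix = sys.argv[2] if len(sys.argv) > 2 else "libz.so"
    for path, needed in scan_tree(root, prefix):
        print(path, " ".join(needed))
```

Two caveats a practitioner should keep in mind. A DT_NEEDED match only says the binary asks the run-time linker for that library name; which file actually satisfies it depends on the loader's search path, and, as Kris points out, the version baked into that file's name says nothing about whether the fix was already applied in place. And binaries that link the library statically carry the affected code with no DT_NEEDED entry at all, so they never show up in this scan and need to be rebuilt rather than merely relinked.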