Date: Mon, 14 Dec 2020 17:02:08 -0800 From: John Baldwin <jhb@FreeBSD.org> To: Konstantin Belousov <kostikbel@gmail.com> Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-20:33.openssl Message-ID: <a1fc5273-1632-d12e-4cf0-21d8b48f5f0b@FreeBSD.org> In-Reply-To: <X9gFOOwZgHunS4XS@kib.kiev.ua> References: <20201209230300.03251CA1@freefall.freebsd.org> <20201211064628.GM31099@funkthat.com> <813a04a4-e07a-9608-40a5-cc8e339351eb@FreeBSD.org> <20201213005708.GU31099@funkthat.com> <63bb8800-e756-9b9b-0ec3-8f91097b6738@FreeBSD.org> <X9gFOOwZgHunS4XS@kib.kiev.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
On 12/14/20 4:37 PM, Konstantin Belousov wrote: > On Mon, Dec 14, 2020 at 11:44:27AM -0800, John Baldwin wrote: >> If we import 3.0.0 into, say, 13.2, then when 13.0/13.1 are EOLd we are >> no longer having to maintain 1.1.1 in 13. If people want to keep older >> applications built on unsupported releases still working without >> recompiling, etc. they will have to manage that themselves. Currently >> we don't support 12.0 on the 12.x branch for example. > What do you mean by 'not supported'? Don't we put large efforts into > keeping ABI backward compatible to allow to run _any_ binary built early ? > The only exception I can think of is that we allow ABI mistakes on HEAD > to be fixed in non-backward compatible way. > > But for 12.0-built binaries, we offer full support. In fact it is the easiest > case, if comparing e.g. with binaries built against older branches. > > It is possible to bump dso version on stable branch, which I believe was > already done several times. In this case, we provided compatXx-<arch> > for stable/X branch, which contiained shared objects with previous versions. So to be clear, my suggestion was precisely to bump the shared library and ship the 1.1.1 libraries in misc/compat13 packages, and while yes, binaries would still work (so be supported in that sense), they would not be supported in the sense of getting SA backports for bugs in the old libssl they are linked against. The cases that suck is if due to library dependencies a process pulls in both libssl.so.X verisons in the same binary. We could use symbol versioning to at least ensure a given DSO always gets the symbols it linked against, but it wouldn't solve the problem of a library returning a SSL * handle to another DSO that is linked against the other version. I do think though that sort of cross-threading is perhaps rarer with libssl than it would be with, say, libc where the malloc/free cross-threading is very common and breaks horribly. -- John Baldwin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?a1fc5273-1632-d12e-4cf0-21d8b48f5f0b>