Date:      Mon, 30 Mar 2015 18:39:57 -0400
From:      Jason Unovitch <jason.unovitch@gmail.com>
To:        nightrecon@hotmail.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: System based openssl
Message-ID:  <CABW2x9oni=d8nmEZn2z3dw4uV%2B3JLFnGMvPhfKW8AGFKx3g6%2Bw@mail.gmail.com>
In-Reply-To: <mf71cl$s6u$1@ger.gmane.org>
References:  <1912673295.20150327152451@agoris.net.ua> <mf71cl$s6u$1@ger.gmane.org>

On Sat, Mar 28, 2015 at 4:02 PM, Michael Powell <nightrecon@hotmail.com> wrote:
> Subscriber wrote:
>
>>
>> Hi.
>> Which version of the system-based OpenSSL is the latest for FreeBSD 10.1?
>>
>> I have # uname -srm
>> FreeBSD 10.1-RELEASE-p8 amd64
>>
>> # freebsd-version -ku
>> 10.1-RELEASE-p8
>> 10.1-RELEASE-p8
>>
>> # /usr/bin/openssl version
>> OpenSSL 1.0.1l-freebsd 15 Jan 2015
>
> This is correct. This is what is currently in the system base.
>
>> But openssl.org says the last version of OpenSSL in the 1.0.1 tree is 1.0.1m
>> (19-Mar-2015)
>
> This would have to be imported into the system base. This involves developer
> time and effort. It is not quite trivial.
>
> There is also a newer OpenSSL in the ports tree. Version 1.0.2 if memory
> serves. I have seen bugs and problem reports filed against the 1.0.2 so I
> would be hesitant to just blindly 'install the port version' simply because
> it's newer.
>
> The FreeBSD devs do a pretty fair job at vetting what gets into the system
> base, and the resulting maintenance issues which arise from time to time.
> Trying to "outsmart" oneself with the delusion that I know more than they
> do is how many go about creating their own problems.
>
Just to be clear, the version number doesn't tell the whole story when
it comes to security updates.  Security updates change the minimum to
fix the issue and version number is not part of the change.
Introducing new versions means new features and more possibility for a
fix to cause new bugs.   If you look through the security advisories
page and what they change, you'll see what I mean.

https://www.freebsd.org/security/advisories.html

With that said, with any rule there seems to be some exception
somewhere.  An errata notice to bump OpenSSL versions has happened in
the recent past.  The reasons for the bump are explained in the
advisory.

https://www.freebsd.org/security/advisories/FreeBSD-EN-15:02.openssl.asc

Bottom line, keep the OS up to date first and you'll be fine.

>> No OpenSSL files available during freebsd-update:
>> # freebsd-update fetch
>> Looking up update.FreeBSD.org mirrors... 5 mirrors found.
>> Fetching metadata signature for 10.1-RELEASE from update4.freebsd.org...
>> done. Fetching metadata index... done.
>> Inspecting system... done.
>> Preparing to download files... done.
>>
>> The following files will be updated as part of updating to
>> 10.1-RELEASE-p8: /boot/kernel/kernel
>>
>> What is wrong?
>> Thx.
>
> My first impression is nothing is wrong. You have what you're supposed to
> have. Other than that, I have never used freebsd-update so can't speak to
> anything relevant to that.
>
> -Mike

Your uname -srm shows 10.1-RELEASE-p8 while 10.1-RELEASE-p6 would be
the kernel distributed by freebsd-update.  The updates after that were
not kernel related.  Do you have a custom kernel?  If so, removing the
'kernel' from the components line in /etc/freebsd-update.conf may be
warranted to prevent what's happening here.

-Jason
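
Added example, not part of the original message: a POSIX sh sketch of the Components check suggested above, flagging a configuration where freebsd-update still manages the kernel on a machine running a custom one. The function names, the sample config and the ident MYKERNEL are hypothetical; the kernel ident is passed in as an argument (on FreeBSD it is what `uname -i` prints).

```shell
# Added example; function names and the sample config are hypothetical.
# Constructed sample in freebsd-update.conf format (not from the thread).
fu_sample_conf() {
cat <<'EOF'
# Components src world kernel   (commented out, must be ignored)
Components src world kernel
IgnorePaths
EOF
}

# Print, space separated, the names on every uncommented Components line.
fu_components() {
    awk '$1 == "Components" {
             for (i = 2; i <= NF; i++) out = out (out == "" ? "" : " ") $i
         }
         END { print out }' "$1"
}

# Exit 0 if the config lists kernel (or a kernel/ sub-component).
fu_manages_kernel() {
    for c in $(fu_components "$1"); do
        case "$c" in kernel|kernel/*) return 0 ;; esac
    done
    return 1
}

# Write the config to stdout with kernel entries dropped from Components.
# The input file is left untouched.
fu_without_kernel() {
    awk '$1 == "Components" {
             out = $1
             for (i = 2; i <= NF; i++) if ($i !~ /^kernel(\/|$)/) out = out " " $i
             print out; next
         }
         { print }' "$1"
}

# $1 = config path, $2 = kernel ident. Heuristic: any ident other than
# GENERIC is treated as a custom kernel.
fu_review() {
    if [ "$2" != "GENERIC" ] && fu_manages_kernel "$1"; then
        echo "WARN: custom kernel '$2' but Components includes kernel"
    else
        echo "OK"
    fi
}

# Demo on the constructed sample with the hypothetical ident MYKERNEL.
conf=$(mktemp) && fu_sample_conf > "$conf"
fu_review "$conf" MYKERNEL
fu_without_kernel "$conf" | grep '^Components'
rm -f "$conf"
```

Review the output of `fu_without_kernel` before replacing /etc/freebsd-update.conf with it; once kernel is dropped from Components, kernel security fixes have to come from rebuilding the custom kernel.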


