Date: Fri, 11 Apr 2014 13:03:05 +0400 From: Eygene Ryabinkin <rea@freebsd.org> To: d@delphij.net Cc: Ben Laurie <benl@freebsd.org>, Thierry Thomas <thierry@FreeBSD.org>, Bryan Drewery <bdrewery@FreeBSD.org>, freebsd-security@FreeBSD.ORG Subject: Re: Heartbleed / r264266 / openssl version Message-ID: <F9eKYGw/CPZ8pqTnoFTcCX8VWFM@DNCjBQ0OuJ6NIRuXBT5yrvdcuOs> In-Reply-To: <53447C81.6040106@delphij.net> References: <20140408212917.GA9914@graf.pompo.net> <53447C81.6040106@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--fKov5AqTsvseSZ0Z Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Tue, Apr 08, 2014 at 03:47:29PM -0700, Xin Li wrote: > I have done a quick check on Linux systems and found they don't carry > a patchlevel for "openssl" either however they do provide a way to > tell the patchlevel because it's a package. However, they do bump the > date as part of the update. >=20 > What would be the preferable way of representing the patchlevel? We > can do it as part of a EN batch at later time. (Note though, even > without this the user or an application can still use > freebsd-version(1) on FreeBSD 10.0-RELEASE and up to find out the > patchlevel for userland). I'd say that it will be good for admins to have just run 'openssl version' to determine which additional patches were applied. Since the current output is 'OpenSSL 1.0.1g-freebsd 7 Apr 2014', we probably can add the list of patches to the end of the string, e.g. making it to be {{{ OpenSSL 1.0.1g-freebsd 7 Apr 2014 patches: FreeBSD SA-14:06, CVE-20XX-NNN, = etc }}} Probably this won't break most users of 'openssl version' output and will give immediate visibility of which additional patches are applied on top of the vendor source. Another option will be to add an extra command-line flag to 'openssl version', but this will be rather non-standard and FreeBSD-specific. More sane option will be to introduce another line into output of 'openssl version -a' and telling people to analyze it. My 2 cents. --=20 Eygene Ryabinkin ,,,^..^,,, [ Life's unfair - but root password helps! | codelabs.ru ] [ 82FE 06BC D497 C0DE 49EC 4FF0 16AF 9EAE 8152 ECFB | freebsd.org ] --fKov5AqTsvseSZ0Z Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (FreeBSD) iL4EABEKAGYFAlNHr8lfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDgyRkUwNkJDRDQ5N0MwREU0OUVDNEZGMDE2 QUY5RUFFODE1MkVDRkIACgkQFq+eroFS7PvudAD/fWY6LCvh6CMF1uC4wLNaoLFG xzC1iLT/Bw4NIAhD5L4A/25dIUTmbCYox0C2ZHLs+lRQY5sRXeUtqSaSEzJJHr6S =gYuG -----END PGP SIGNATURE----- --fKov5AqTsvseSZ0Z--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F9eKYGw/CPZ8pqTnoFTcCX8VWFM>