From: Eygene Ryabinkin
To: d@delphij.net
Cc: Ben Laurie, Thierry Thomas, Bryan Drewery, freebsd-security@FreeBSD.ORG
Date: Fri, 11 Apr 2014 13:03:05 +0400
Subject: Re: Heartbleed / r264266 / openssl version

Tue, Apr 08, 2014 at 03:47:29PM -0700, Xin Li wrote:
> I have done a quick check on Linux systems and found they don't carry
> a patchlevel for "openssl" either however they do provide a way to
> tell the patchlevel because it's a package. However, they do bump the
> date as part of the update.
>
> What would be the preferable way of representing the patchlevel? We
> can do it as part of an EN batch at a later time. (Note though, even
> without this the user or an application can still use
> freebsd-version(1) on FreeBSD 10.0-RELEASE and up to find out the
> patchlevel for userland).

I'd say that it will be good for admins to just run 'openssl
version' to determine which additional patches were applied. Since
the current output is 'OpenSSL 1.0.1g-freebsd 7 Apr 2014', we probably
can add the list of patches to the end of the string, e.g. making it
{{{
OpenSSL 1.0.1g-freebsd 7 Apr 2014 patches: FreeBSD SA-14:06, CVE-20XX-NNN, etc
}}}

Probably this won't break most users of 'openssl version' output and
will give immediate visibility of which additional patches are applied
on top of the vendor source.

Another option will be to add an extra command-line flag to 'openssl
version', but this will be rather non-standard and FreeBSD-specific.
A more sane option will be to introduce another line into the output of
'openssl version -a' and tell people to analyze it.

My 2 cents.
-- 
Eygene Ryabinkin                                        ,,,^..^,,,
[ Life's unfair - but root password helps!           | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC 4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
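
An added example, not part of the original message and not FreeBSD or OpenSSL code: a POSIX sh sketch of how an admin script could consume the version string proposed above while position-based readers of the version and date fields keep working. The function names and the sample string are constructed for illustration, and the "patches:" suffix is only the format proposed in this message, not actual `openssl version` output.

```shell
#!/bin/sh
# Constructed sample: the string proposed in the message (placeholder CVE id kept as-is).
SAMPLE='OpenSSL 1.0.1g-freebsd 7 Apr 2014 patches: FreeBSD SA-14:06, CVE-20XX-NNN'

# Upstream version token (field 2). Existing consumers that read it by
# position are unaffected by a suffix appended after the date.
ossl_version() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Build date (fields 3-5), also unaffected by the appended suffix.
ossl_date() {
    printf '%s\n' "$1" | awk '{ print $3, $4, $5 }'
}

# Print one patch id per line; print nothing when the string carries no
# "patches:" suffix (for example an unpatched or upstream build).
ossl_patches() {
    case $1 in
        *' patches: '*) ;;
        *) return 0 ;;
    esac
    printf '%s\n' "${1#* patches: }" | tr ',' '\n' |
        sed -e 's/^ *//' -e 's/ *$//' -e '/^$/d'
}

# Return 0 if patch id $2 is listed in version string $1. The match is on
# the whole id, so a longer id does not satisfy a shorter query.
ossl_has_patch() {
    ossl_patches "$1" | grep -Fqx -- "$2"
}

# Demo on the constructed sample; on a live host pass "$(openssl version)".
if ossl_has_patch "$SAMPLE" 'FreeBSD SA-14:06'; then
    echo "$(ossl_version "$SAMPLE"): SA-14:06 applied"
else
    echo "$(ossl_version "$SAMPLE"): SA-14:06 NOT listed"
fi
```
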