From: David Chisnall
Date: Wed, 9 Apr 2014 17:08:09 +0100
Subject: Re: svn commit: r264265 - in head: crypto/openssl/crypto/bn crypto/openssl/crypto/ec crypto/openssl/ssl sys/fs/nfsserver
To: koobs@FreeBSD.org, Kubilay Kocak
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, Bryan Drewery, Xin LI, secteam@FreeBSD.org, svn-src-head@freebsd.org, Dag-Erling Smørgrav
Message-Id: <323CC215-6DA6-4C8F-A5DA-72C3CB76566A@cl.cam.ac.uk>
In-Reply-To: <534556EB.5080700@FreeBSD.org>

On 9 Apr 2014, at 15:19, Kubilay Kocak wrote:

> That expectation is orthogonal to whether we or other projects do it one
> way or another. RHEL users may well be as confused as ours (whether or
> not ours are). It may be relevant as a data point, but not for decision
> making.

I can confirm that, as a user (albeit a slightly sleep-deprived one at the time) I was confused. I believe that I'm now running the correct version, as my libssl.so has a creation date of yesterday, but I don't have a good way of verifying it.

It would be great for future security advisories to have a 'how to tell if you're affected' and 'how to tell if you're patched' section.

I noticed that freebsd-update told me (after the fetch phase) that I should rebuild all third-party software. I have been following the instructions that we give to users and not building most software on that machine myself. I don't know if there are any packages that statically link to libssl.a (or even if we have a mechanism for determining that), but I'd hope that these would get separate VuXML reports for pkg audit to pick up.

David