Date: Mon, 09 Jun 2014 22:06:26 +0300 From: Kimmo Paasiala <kpaasial@icloud.com> To: Jilles Tjoelker <jilles@stack.nl> Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:14.openssl Message-ID: <34FF30E8-E9F1-4691-B6EE-9E4E5DDA0AC7@icloud.com> In-Reply-To: <20140608131446.GA4706@stack.nl> References: <201406051316.s55DGtwI041948@freefall.freebsd.org> <20140606043359.GF16618@rwpc15.gfn.riverwillow.net.au> <20140608131446.GA4706@stack.nl>
On 8.6.2014, at 16.14, Jilles Tjoelker <jilles@stack.nl> wrote:

> On Fri, Jun 06, 2014 at 02:33:59PM +1000, John Marshall wrote:
>> On Thu, 05 Jun 2014, 13:16 +0000, FreeBSD Security Advisories wrote:
>
>>> Corrected:
>
>>> 2014-06-05 12:33:23 UTC (releng/9.2, 9.2-RELEASE-p8)
>
>>> VI. Correction details
>
>>> Branch/path Revision
>>> -------------------------------------------------------------------------
>
>>> releng/9.2/ r267104
>
>> I've just src-upgraded a system and expected to see OpenSSL version
>> 0.9.8za at the end of it all. I checked the patches and the OpenSSL
>> version number wasn't touched. Is this an expected outcome?
>
>> rwsrv04> uname -v; openssl version
>> FreeBSD 9.2-RELEASE-p8 #0 r267130: Fri Jun 6 12:43:09 AEST 2014...
>> OpenSSL 0.9.8y 5 Feb 2013
>
>> rwsrv04> ls -l /usr/lib/libssl.so.6
>> -r--r--r-- 1 root wheel 304808 6 Jun 13:31 /usr/lib/libssl.so.6
>
>> I understand that it was the FreeBSD distribution that was patched and
>> not the OpenSSL distribution, but having the operating system and
>> applications reporting a "vulnerable" version of OpenSSL isn't
>> reassuring to other folks.
>
> Yes, this is expected and common practice.
>
> Perhaps the version number should instead be removed in head given that
> it is not updated for security patches anyway.
>
> --
> Jilles Tjoelker

I strongly disagree. There has to be a version number so that no one has to guess what the base version of the software used is. Instead I'd look into incorporating the patch level information that is now in 'uname -r' (for example '10.0-RELEASE-p5') to various version strings in the world binaries.
-Kimmo
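The practical consequence of the thread for anyone auditing hosts: on FreeBSD the base-system OpenSSL keeps its upstream version string after a security patch, so `openssl version` cannot tell you whether SA-14:14 is applied, but the patch level in `uname -r` can. The script below is an added example, not code from the thread or from the FreeBSD project; it takes the corrected level for releng/9.2 (9.2-RELEASE-p8) from the advisory excerpt quoted above, and the function names are my own.

```shell
#!/bin/sh
# Added example: decide whether a FreeBSD host is at or past the patch level
# an advisory lists as "Corrected", using the release string from `uname -r`
# rather than `openssl version` (which, as the thread shows, still reports
# 0.9.8y on a patched 9.2-RELEASE-p8).

# "9.2-RELEASE-p8" -> "9.2"; prints nothing for -STABLE/-CURRENT strings.
release_branch() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\)-RELEASE.*/\1/p'
}

# "9.2-RELEASE-p8" -> "8"; an unpatched "9.2-RELEASE" counts as patch level 0.
release_patchlevel() {
    case "$1" in
        *-RELEASE-p*) printf '%s\n' "${1##*-RELEASE-p}" ;;
        *-RELEASE)    printf '0\n' ;;
        *)            printf '\n' ;;
    esac
}

# patched_for_advisory RELEASE_STRING BRANCH FIXED_PATCHLEVEL
# Exit status 0: on BRANCH at patch level >= FIXED_PATCHLEVEL (fix present).
#             1: on BRANCH but behind the corrected level.
#             2: different branch, or not a -RELEASE string (judge by other means,
#                e.g. the svn revision in `uname -v` against the advisory's r-number).
patched_for_advisory() {
    rel=$1 branch=$2 fixed=$3
    [ "$(release_branch "$rel")" = "$branch" ] || return 2
    pl=$(release_patchlevel "$rel")
    [ -n "$pl" ] || return 2
    [ "$pl" -ge "$fixed" ] && return 0
    return 1
}

# Values taken from the SA-14:14 excerpt quoted in the thread: releng/9.2 is
# corrected in 9.2-RELEASE-p8. Other branches' levels are in the full advisory.
SA_BRANCH=9.2
SA_FIXED_PL=8

# Stand-alone use on a FreeBSD host: check the running kernel's release string.
if [ "$(uname -s 2>/dev/null)" = "FreeBSD" ]; then
    patched_for_advisory "$(uname -r)" "$SA_BRANCH" "$SA_FIXED_PL"
    case $? in
        0) echo "at or past $SA_BRANCH-RELEASE-p$SA_FIXED_PL: SA-14:14 fix present" ;;
        1) echo "behind $SA_BRANCH-RELEASE-p$SA_FIXED_PL: apply the advisory patch" ;;
        *) echo "not on releng/$SA_BRANCH; consult the advisory for this branch" ;;
    esac
fi
```

`uname -r` reflects the running kernel, so a host whose userland was rebuilt but not rebooted (or vice versa) can mislead either way; the libssl timestamp John Marshall lists is a useful second check.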
