Date: Mon, 09 Jun 2014 22:06:26 +0300
From: Kimmo Paasiala <kpaasial@icloud.com>
To: Jilles Tjoelker <jilles@stack.nl>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:14.openssl
Message-ID: <34FF30E8-E9F1-4691-B6EE-9E4E5DDA0AC7@icloud.com>
In-Reply-To: <20140608131446.GA4706@stack.nl>
References: <201406051316.s55DGtwI041948@freefall.freebsd.org> <20140606043359.GF16618@rwpc15.gfn.riverwillow.net.au> <20140608131446.GA4706@stack.nl>
On 8.6.2014, at 16.14, Jilles Tjoelker <jilles@stack.nl> wrote:

> On Fri, Jun 06, 2014 at 02:33:59PM +1000, John Marshall wrote:
>> On Thu, 05 Jun 2014, 13:16 +0000, FreeBSD Security Advisories wrote:
>
>>> Corrected:
>
>>> 2014-06-05 12:33:23 UTC (releng/9.2, 9.2-RELEASE-p8)
>
>>> VI. Correction details
>
>>> Branch/path                                                      Revision
>>> -------------------------------------------------------------------------
>
>>> releng/9.2/                                                       r267104
>
>> I've just src-upgraded a system and expected to see OpenSSL version
>> 0.9.8za at the end of it all. I checked the patches and the OpenSSL
>> version number wasn't touched. Is this an expected outcome?
>
>> rwsrv04> uname -v; openssl version
>> FreeBSD 9.2-RELEASE-p8 #0 r267130: Fri Jun 6 12:43:09 AEST 2014...
>> OpenSSL 0.9.8y 5 Feb 2013
>
>> rwsrv04> ls -l /usr/lib/libssl.so.6
>> -r--r--r-- 1 root wheel 304808 6 Jun 13:31 /usr/lib/libssl.so.6
>
>> I understand that it was the FreeBSD distribution that was patched and
>> not the OpenSSL distribution, but having the operating system and
>> applications reporting a "vulnerable" version of OpenSSL isn't
>> reassuring to other folks.
>
> Yes, this is expected and common practice.
>
> Perhaps the version number should instead be removed in head given that
> it is not updated for security patches anyway.
>
> --
> Jilles Tjoelker

I strongly disagree. There has to be a version number so that no one has to guess what the base version of the software used is. Instead I'd look into incorporating the patch level information that is now in 'uname -r' (for example '10.0-RELEASE-p5') to various version strings in the world binaries.
-Kimmo
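The practical consequence of this thread is that on a patched FreeBSD base system `openssl version` still prints the upstream release string (0.9.8y above), so it says nothing about whether the advisory fix is installed; the level to compare against the advisory's "Corrected:" line is the one `uname -r` reports (9.2-RELEASE-p8). The following is an added example, not code from the thread or from FreeBSD: a small POSIX sh check that parses release strings of the form `N.M-RELEASE-pK` and compares the running patch level with the level named in an advisory. The function names and the sample values are the example's own.

```shell
# Added example (not from the thread). Compare the running FreeBSD patch level
# with the level an advisory's "Corrected:" line names, instead of trusting the
# library's own version string, which base-system patches do not bump.

# patch_level STRING -> prints the -pN number, or 0 when the string has none
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# release_base STRING -> prints the string without its -pN suffix
release_base() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1%-p[0-9]*}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# patched_for_advisory RUNNING REQUIRED
#   returns 0 if RUNNING is at or above REQUIRED on the same release branch,
#   1 if it is below, 2 if the strings are from different branches (a
#   10.0 host cannot be judged against a releng/9.2 correction line).
patched_for_advisory() {
    running="$1"
    required="$2"
    [ "$(release_base "$running")" = "$(release_base "$required")" ] || return 2
    [ "$(patch_level "$running")" -ge "$(patch_level "$required")" ]
}

# check_running REQUIRED: apply the comparison to this host, using uname -r
# as Kimmo suggests (on FreeBSD 10.0 and later, "freebsd-version -u" reports
# the installed userland level even when the kernel was not rebuilt).
check_running() {
    level=$(uname -r)
    rc=0
    patched_for_advisory "$level" "$1" || rc=$?
    case $rc in
        0) echo "$level: at or above $1" ;;
        2) echo "$level: not on the same release branch as $1, compare manually" ;;
        *) echo "$level: below $1, advisory fix NOT applied" ;;
    esac
}

# usage: check_running 9.2-RELEASE-p8
```

The comparison deliberately refuses to rank levels across release branches, because a correction line such as "releng/9.2, 9.2-RELEASE-p8" says nothing about what a 10.0 host needs; each branch has its own line in the advisory.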