Date: Sat, 18 Feb 2023 16:04:20 -0800
From: Mark Millard <marklmi@yahoo.com>
To: void <void@f-m.fm>
Cc: freebsd-arm@freebsd.org
Subject: Re: freebsd-update confusion
Message-ID: <FF4E1AA5-ADC9-4478-A56B-297884D731FC@yahoo.com>
In-Reply-To: <Y/FZ7A1Uzd4y602A@int21h>
References: <Y/FI9NAuioJVU0WB@int21h> <Y/FNJkXgYgXwWTMy@mail.bsd4all.net> <Y/FZ7A1Uzd4y602A@int21h>
On Feb 18, 2023, at 15:06, void <void@f-m.fm> wrote:

> Hello Herbert,
>
> On Sat, Feb 18, 2023 at 11:11:50PM +0100, Herbert J. Skuhra wrote:
>> On Sat, Feb 18, 2023 at 09:53:56PM +0000, void wrote:
>>> In https://lists.freebsd.org/archives/freebsd-security/2023-February/000146.html
>>> there's an SA for openssl.
>>>
>>> If I upgrade (buildworld etc) on an amd box, it gets:
>>>
>>> % openssl version
>>> OpenSSL 1.1.1t-freebsd 7 Feb 2023
>>>
>>> (as expected)
>>
>> This is either stable/13, releng/13.2 or main where openssl was updated
>> to version OpenSSL 1.1.1t.
>>
>>> If freebsd-update is run on a 13.1-R arm64 machine, installed updates then
>>> rebooted, it gets:
>>>
>>> $ openssl version
>>> OpenSSL 1.1.1o-freebsd 3 May 2022
>>>
>>> ???
>>>
>>> The freebsd-update was run about 10 mins ago (feb 18th 1821 UTC)
>>
>> This is releng/13.1 where openssl is still OpenSSL 1.1.1o; only security
>> fixes were applied.
>
> This is the bit that was confusing me. I thought 1.1.1t was with the security fixes.

OpenSSL 1.1.1o was patched to remove the problems.
That does not produce 1.1.1t as a result.

>> You will get OpenSSL 1.1.1t after upgrading to
>> 13.2-RELEASE (expected to be released next month).
>
> https://lists.freebsd.org/archives/freebsd-security/2023-February/000146.html has this:
>
> Corrected: 2023-02-07 22:38:40 UTC (stable/13, 13.1-STABLE)
>            2023-02-16 17:58:13 UTC (releng/13.1, 13.1-RELEASE-p7)
>            2023-02-07 23:09:41 UTC (stable/12, 12.4-STABLE)
>            2023-02-16 18:04:12 UTC (releng/12.4, 12.4-RELEASE-p2)
>            2023-02-16 18:03:37 UTC (releng/12.3, 12.3-RELEASE-p12)
>
> So, if I'm understanding you correctly, none of those releases indicated above
> would go to 1.1.1t ?

Same point for 13.1-RELEASE-p7 here:
OpenSSL 1.1.1o was patched to remove the problems.
That does not produce 1.1.1t as a result.

>> What's the output of 'freebsd-version -kru'? It will tell you if your
>> system is up-to-date.
>
> % freebsd-version -kru
> 13.1-RELEASE-p6
> 13.1-RELEASE-p6
> 13.1-RELEASE-p7

That last indicates that you have the patched OpenSSL 1.1.1o
in the world (user space).

> It's really kind of opaque (to me) that openssl version is '1.1.1o-freebsd 3 May 2022' *after* the update has been applied. If it was something like '1.1.1o-freebsd-p1 16 Feb 2023', I'd feel a bit better, because as it stands, it looks like, on the face of it, that openssl hasn't
> been patched. Otherwise wouldn't the versioning info change in some respect, to
> indicate that it had?

The output of the openssl command likely is just as upstream
has defined it, it not being directly a FreeBSD thing. The
patches to the openssl source were likely also from upstream.

===
Mark Millard
marklmi at yahoo.com
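
Added example (not part of the original message, and not FreeBSD's own tooling): because `openssl version` still reports 1.1.1o on a patched releng system, a check has to compare the userland patch level from `freebsd-version -u` with the "Corrected" levels quoted in the thread. The function names `corrected_level` and `sa_status` are hypothetical, and the table covers only the three releng branches listed in that quote.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not FreeBSD tooling.

# Patch level at which each releng branch was corrected, copied from the
# "Corrected:" lines of the advisory as quoted in the thread.
corrected_level() {
    case "$1" in
        13.1) echo 7 ;;
        12.4) echo 2 ;;
        12.3) echo 12 ;;
        *) return 1 ;;
    esac
}

# sa_status VERSION  ->  prints patched | unpatched | unknown
# VERSION is one line of freebsd-version output, e.g. 13.1-RELEASE-p7.
sa_status() {
    ver=$1
    case "$ver" in
        *-RELEASE-p*) plevel=${ver##*-p} ;;
        *-RELEASE)    plevel=0 ;;            # release with no patches applied
        *) echo unknown; return 0 ;;         # -STABLE etc. carry no patch level
    esac
    case "$plevel" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # malformed suffix
    esac
    rel=${ver%%-*}                               # "13.1" from "13.1-RELEASE-p7"
    need=$(corrected_level "$rel") || { echo unknown; return 0; }
    if [ "$plevel" -ge "$need" ]; then echo patched; else echo unpatched; fi
}

if command -v freebsd-version >/dev/null 2>&1; then
    # OpenSSL lives in the world, so check the userland string (-u), not -k/-r.
    u=$(freebsd-version -u)
    echo "userland $u: $(sa_status "$u")"
else
    # Constructed sample input, using the patch levels reported in the thread.
    for v in 13.1-RELEASE-p6 13.1-RELEASE-p7; do
        echo "$v: $(sa_status "$v")"
    done
fi
```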
