Date:      Tue, 30 Mar 2021 12:07:41 -0400
From:      Karl Denninger <karl@denninger.net>
To:        Gary Palmer <gpalmer@freebsd.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: possibly silly question regarding freebsd-update
Message-ID:  <c16bfed1-52bb-560c-c73f-1edd0c1f876e@denninger.net>
In-Reply-To: <YGNLkDpHtIuaO3xp@in-addr.com>
References:  <YGMpE5uWvRy8Xdql@cloud.zyxst.net> <aad6ecc5-f6b0-92c5-1acb-e9666760e813@madpilot.net> <7e96f815-2955-cfd2-cf6d-16187bc5a233@denninger.net> <YGNLkDpHtIuaO3xp@in-addr.com>

On 3/30/2021 12:02, Gary Palmer wrote:
> On Tue, Mar 30, 2021 at 11:55:24AM -0400, Karl Denninger wrote:
>> On 3/30/2021 11:22, Guido Falsi via freebsd-stable wrote:
>>> On 30/03/21 15:35, tech-lists wrote:
>>>> Hi,
>>>>
>>>> Recently there was
>>>> https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html
>>>>
>>>> about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted.
>>>>
>>>> What I'm unsure about is the openssl version.
>>>> Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd  22 Sep 2020
>>>>
>>>> Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd
>>>> 25 Mar 2021
>>>>
>>>> shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well?
>>>>
>>> No, as you can see in the commit in the official git [1] while for
>>> current and stable the new upstream version of openssl was imported for
>>> the release the fix was applied without importing the new release and
>>> without changing the reported version of the library.
>>>
>>> So with 12.2p5 you do get the fix but don't get a new version of the
>>> library.
>>>
>>>
>>> [1] https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b
>>>
>>>
>> Excuse me....
>>
>> $ uname -v
>> FreeBSD 12.2-RELEASE-p4 GENERIC
>> $ sudo sh
>> # freebsd-update fetch
>> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
>> Fetching metadata signature for 12.2-RELEASE from update4.freebsd.org...
>> done.
>> Fetching metadata index... done.
>> Inspecting system... done.
>> Preparing to download files... done.
>>
>> No updates needed to update system to 12.2-RELEASE-p5.
>>
>> I am running 12.2-RELEASE-p4, so says uname -v
>>
>> IMHO it is an *extraordinarily* bad practice to change a library that in
>> fact will result in a revision change while leaving the revision number
>> alone.
>>
>> How do I *know*, without source to go look at, whether or not the fix is
>> present on a binary system?
>>
>> If newvers.sh gets bumped then a build and -p5 release should have resulted
>> from that, and in turn a fetch/install (and reboot of course since it's in
>> the kernel) should result in uname -v returning "-p5"
>>
>> Most of my deployed "stuff" is on -STABLE but I do have a handful of
>> machines on cloud infrastructure that are binary-only and on which I rely on
>> freebsd-update and pkg to keep current with security-related items.
> What does "freebsd-version -u" report?  The fix was only to a userland
> library, so I would not expect the kernel version as reported by uname
> to change.
>
> Regards,
>
> Gary

Ok, that's fair; it DOES show -p5 for the user side.

$ freebsd-version -ru
12.2-RELEASE-p4
12.2-RELEASE-p5

So that says my userland is -p5 while the kernel, which did not change 
(even though if you built from source it would carry the -p5 number) is -p4.

I can live with that as it allows me to "see" that indeed the revision 
is present without having source on the box.

I recognize that this is probably a reasonably-infrequent thing but it 
certainly is one that for people running binary releases is likely quite 
important given that the issue is in the openssl libraries.  It was 
enough for me to rebuild all the firewall machines the other day since a 
DOS (which is reasonably possible for one of the flaws) aimed at my VPN 
server causing the server process to exit would be...... bad.

-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
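
The check discussed in this message, scripted for binary-only hosts (an added example, not part of the original e-mail or of FreeBSD's tooling). The function names and return codes are hypothetical; the version strings are the ones quoted above, with the installed-kernel value assumed.

```shell
#!/bin/sh
# Added example: audit a binary-updated FreeBSD host against a required patch level.

# patch_level 12.2-RELEASE-p5 -> 5; a string with no -pN suffix -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# release_base 12.2-RELEASE-p5 -> 12.2-RELEASE
release_base() {
    case "$1" in
        *-p[0-9]*) echo "${1%-p*}" ;;
        *)         echo "$1" ;;
    esac
}

# check_patch RUNNING_KERNEL INSTALLED_KERNEL USERLAND REQUIRED
# Returns 0 = userland patched, 1 = userland below REQUIRED,
#         2 = different release branch, 3 = patched but reboot pending.
check_patch() {
    running=$1 installed=$2 userland=$3 required=$4
    if [ "$(release_base "$userland")" != "$(release_base "$required")" ]; then
        echo "MISMATCH: userland $userland is not $(release_base "$required")"
        return 2
    fi
    if [ "$(patch_level "$userland")" -lt "$(patch_level "$required")" ]; then
        echo "MISSING: userland $userland is below $required"
        return 1
    fi
    if [ "$running" != "$installed" ]; then
        echo "REBOOT: running kernel $running, installed kernel $installed"
        return 3
    fi
    # A kernel older than userland is expected after a userland-only fix.
    echo "OK: userland $userland, kernel $running"
    return 0
}

# Constructed input: the -r and -u values from the message above; the
# installed-kernel value (-k) is assumed equal to the running kernel.
check_patch 12.2-RELEASE-p4 12.2-RELEASE-p4 12.2-RELEASE-p5 12.2-RELEASE-p5

# On a live host the arguments would come from:
#   freebsd-version -r ; freebsd-version -k ; freebsd-version -u
```

Comparing the running kernel with the installed one separates the case in this thread (kernel legitimately still at -p4) from a kernel update that has been installed but not yet booted.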
