Date: Tue, 30 Mar 2021 17:02:24 +0100 From: Gary Palmer <gpalmer@freebsd.org> To: Karl Denninger <karl@denninger.net> Cc: freebsd-stable@freebsd.org Subject: Re: possibly silly question regarding freebsd-update Message-ID: <YGNLkDpHtIuaO3xp@in-addr.com> In-Reply-To: <7e96f815-2955-cfd2-cf6d-16187bc5a233@denninger.net> References: <YGMpE5uWvRy8Xdql@cloud.zyxst.net> <aad6ecc5-f6b0-92c5-1acb-e9666760e813@madpilot.net> <7e96f815-2955-cfd2-cf6d-16187bc5a233@denninger.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Mar 30, 2021 at 11:55:24AM -0400, Karl Denninger wrote: > > On 3/30/2021 11:22, Guido Falsi via freebsd-stable wrote: > > On 30/03/21 15:35, tech-lists wrote: > > > Hi, > > > > > > Recently there was > > > https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html > > > > > > about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted. > > > > > > What I'm unsure about is the openssl version. > > > Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd? 22 Sep 2020 > > > > > > Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd > > > 25 Mar 2021 > > > > > > shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well? > > > > > > > No, as you can see in the commit in the official git [1] while for > > current and stable the new upstream version of openssl was imported for > > the release the fix was applied without importing the new release and > > without changing the reported version of the library. > > > > So with 12.2p5 you do get the fix but don't get a new version of the > > library. > > > > > > [1] https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b > > > > > Excuse me.... > > $ uname -v > FreeBSD 12.2-RELEASE-p4 GENERIC > $ sudo sh > # freebsd-update fetch > Looking up update.FreeBSD.org mirrors... 3 mirrors found. > Fetching metadata signature for 12.2-RELEASE from update4.freebsd.org... > done. > Fetching metadata index... done. > Inspecting system... done. > Preparing to download files... done. > > No updates needed to update system to 12.2-RELEASE-p5. > > I am running 12.2-RELEASE-p4, so says uname -v > > IMHO it is an *extraordinarily* bad practice to change a library that in > fact will result in a revision change while leaving the revision number > alone. > > How do I *know*, without source to go look at, whether or not the fix is > present on a binary system? > > If newvers.sh gets bumped then a build and -p5 release should have resulted > from that, and in turn a fetch/install (and reboot of course since it's in > the kernel) should result in uname -v returning "-p5" > > Most of my deployed "stuff" is on -STABLE but I do have a handful of > machines on cloud infrastructure that are binary-only and on which I rely on > freebsd-update and pkg to keep current with security-related items. What does "freebsd-version -u" report? The fix was only to a userland library, so I would not expect the kernel version as reported by uname to change. Regards, Gary
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YGNLkDpHtIuaO3xp>