Heartbleed / r264266 / openssl version

Eygene Ryabinkin rea at freebsd.org
Fri Apr 11 09:03:10 UTC 2014


Tue, Apr 08, 2014 at 03:47:29PM -0700, Xin Li wrote:
> I have done a quick check on Linux systems and found they don't carry
> a patchlevel for "openssl" either however they do provide a way to
> tell the patchlevel because it's a package.  However, they do bump the
> date as part of the update.
> 
> What would be the preferable way of representing the patchlevel?  We
> can do it as part of an EN batch at a later time.  (Note though, even
> without this the user or an application can still use
> freebsd-version(1) on FreeBSD 10.0-RELEASE and up to find out the
> patchlevel for userland).

I'd say that it would be good for admins to just run 'openssl version'
to determine which additional patches were applied.  Since the current
output is 'OpenSSL 1.0.1g-freebsd 7 Apr 2014', we probably can add the list
of patches to the end of the string, e.g. making it
{{{
OpenSSL 1.0.1g-freebsd 7 Apr 2014 patches: FreeBSD SA-14:06, CVE-20XX-NNN, etc
}}}

Probably this won't break most users of 'openssl version' output and
will give immediate visibility of which additional patches are applied
on top of the vendor source.

Another option would be to add an extra command-line flag to 'openssl
version', but this would be rather non-standard and FreeBSD-specific.

A saner option would be to introduce another line into the output of
'openssl version -a' and tell people to analyze it.

My 2 cents.
-- 
Eygene Ryabinkin                                        ,,,^..^,,,
[ Life's unfair - but root password helps!           | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC  4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
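The two output formats proposed in the message above (a "patches:" suffix on the one-line 'openssl version' string, or a separate "patches:" line in 'openssl version -a' output) are only proposals; neither is something FreeBSD's openssl prints. The POSIX sh below is an added example, not code from the mail or from FreeBSD, that shows how an admin or a script would consume either format while still tolerating stock output that carries no patch list at all. The sample strings are constructed, the "patches:" line in the -a output is hypothetical, and the advisory identifiers are copied from the message's own illustration.

```shell
#!/bin/sh
# Parse 'openssl version' / 'openssl version -a' output into a version token
# and a list of applied patches. Assumes the hypothetical "patches: A, B, C"
# suffix or line proposed in the mail above; stock output (no such text)
# yields an empty patch list instead of an error.

# Print the version token (e.g. "1.0.1g-freebsd") from a one-line string.
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Print the comma-separated items after "patches: ", one per line, trimmed.
# Prints nothing when the string carries no "patches: " text, so callers
# behave the same against unpatched/stock builds.
openssl_patch_list() {
    case "$1" in
        *"patches: "*) ;;
        *) return 0 ;;
    esac
    printf '%s\n' "${1#*patches: }" | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Variant for multi-line 'openssl version -a' output: pick the hypothetical
# "patches:" line (first match only) and feed it to openssl_patch_list.
openssl_a_patch_list() {
    line=$(printf '%s\n' "$1" | grep '^patches: ' | head -n 1)
    openssl_patch_list "$line"
}

# Exit 0 when the exact advisory/CVE identifier is in the list, 1 otherwise.
# Exact whole-line match (-x -F) so "SA-14:06" does not match "SA-14:06x".
openssl_has_patch() {
    openssl_patch_list "$1" | grep -qxF "$2"
}

# Constructed samples mirroring the mail's illustration (not real output).
SAMPLE_ONE_LINE='OpenSSL 1.0.1g-freebsd 7 Apr 2014 patches: FreeBSD SA-14:06, CVE-20XX-NNN, etc'
SAMPLE_STOCK='OpenSSL 1.0.1g-freebsd 7 Apr 2014'
SAMPLE_DASH_A='OpenSSL 1.0.1g-freebsd 7 Apr 2014
built on: Tue Apr  8 12:00:00 UTC 2014
platform: FreeBSD-amd64
patches: FreeBSD SA-14:06, CVE-20XX-NNN
OPENSSLDIR: "/etc/ssl"'

# Stand-alone demo; harmless when the functions are sourced elsewhere.
printf 'version: %s\n' "$(openssl_version_token "$SAMPLE_ONE_LINE")"
printf 'one-line patches:\n'; openssl_patch_list "$SAMPLE_ONE_LINE"
printf -- '-a patches:\n';     openssl_a_patch_list "$SAMPLE_DASH_A"
if openssl_has_patch "$SAMPLE_STOCK" "FreeBSD SA-14:06"; then
    echo "stock string claims SA-14:06 (unexpected)"
else
    echo "stock string lists no patches, as expected"
fi
```

Matching whole entries rather than substrings matters once the list is used to gate anything (a compliance check, an inventory report): a loose grep for "SA-14:06" would also accept a future identifier that merely starts with it.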