System based openssl
jason.unovitch at gmail.com
Mon Mar 30 22:39:59 UTC 2015
On Sat, Mar 28, 2015 at 4:02 PM, Michael Powell <nightrecon at hotmail.com> wrote:
> Subscriber wrote:
>> Which version of system based OpenSSL is the latest for FreeBSD 10.1?
>> I have # uname -srm
>> FreeBSD 10.1-RELEASE-p8 amd64
>> # freebsd-version -ku
>> # /usr/bin/openssl version
>> OpenSSL 1.0.1l-freebsd 15 Jan 2015
> This is correct. This is what is currently in the system base.
>> But openssl.org says the last OpenSSL version in the 1.0.1 tree is 1.0.1m
> This would have to be imported into the system base. This involves developer
> time and effort. It is not quite trivial.
> There is also a newer OpenSSL in the ports tree. Version 1.0.2 if memory
> serves. I have seen bugs and problem reports filed against the 1.0.2 so I
> would be hesitant to just blindly 'install the port version' simply because
> it's newer.
> The FreeBSD devs do a pretty fair job at vetting what gets into the system
> base, and the resulting maintenance issues which arise from time to time.
> Trying to "outsmart" oneself with the delusion that I know more than they
> do is how many go about creating their own problems.
Just to be clear, the version number doesn't tell the whole story when
it comes to security updates. Security updates change the minimum to
fix the issue and version number is not part of the change.
Introducing new versions means new features and more possibility for a
fix to cause new bugs. If you look through the security advisories
page and what they change, you'll see what I mean.
With that said, with any rule there seems to be some exception
somewhere. An errata notice to bump OpenSSL versions has happened in
the recent past. The reasons for the bump are explained in the
Bottom line, keep the OS up to date first and you'll be fine.
>> No OpenSSL files available during freebsd-update:
>> # freebsd-update fetch
>> Looking up update.FreeBSD.org mirrors... 5 mirrors found.
>> Fetching metadata signature for 10.1-RELEASE from update4.freebsd.org...
>> done. Fetching metadata index... done.
>> Inspecting system... done.
>> Preparing to download files... done.
>> The following files will be updated as part of updating to
>> 10.1-RELEASE-p8: /boot/kernel/kernel
>> What is wrong?
> My first impression is nothing is wrong. You have what you're supposed to
> have. Other than that, I have never used freebsd-update so can't speak to
> anything relevant to that.
Your uname -srm shows 10.1-RELEASE-p8 while 10.1-RELEASE-p6 would be
the kernel distributed by freebsd-update. The updates after that were
not kernel related. Do you have a custom kernel? If so, removing the
'kernel' from the components line in /etc/freebsd-update.conf may be
warranted to prevent what's happening here.
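
An added example, not part of the original message: a small POSIX shell check that compares the patch levels in the strings `freebsd-version -k` and `freebsd-version -u` print, and reports whether `kernel` is on the active `Components` line of a freebsd-update.conf-style file. The function names are hypothetical and the sample version strings and config lines are constructed.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample data is constructed.

# Print the patch level of a version string such as "10.1-RELEASE-p8".
# Prints 0 when the string has no -pN suffix.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# Compare kernel ($1) and userland ($2) version strings by patch level.
compare_levels() {
    k=$(patch_level "$1")
    u=$(patch_level "$2")
    if [ "$k" -eq "$u" ]; then
        echo "same"
    elif [ "$k" -gt "$u" ]; then
        echo "kernel-ahead"
    else
        echo "userland-ahead"
    fi
}

# Succeed if the active (uncommented) Components line in the given
# freebsd-update.conf-style file lists "kernel".
components_has_kernel() {
    awk '$1 == "Components" { for (i = 2; i <= NF; i++) if ($i == "kernel") found = 1 }
         END { exit !found }' "$1"
}

# Demo on constructed input. On a FreeBSD host the live equivalent is:
#   compare_levels "$(freebsd-version -k)" "$(freebsd-version -u)"
#   components_has_kernel /etc/freebsd-update.conf
demo() {
    conf=$(mktemp)
    printf '%s\n' '# Components src world kernel' 'Components src world' > "$conf"
    echo "patch levels: $(compare_levels 10.1-RELEASE-p6 10.1-RELEASE-p8)"
    if components_has_kernel "$conf"; then
        echo "kernel is handled by freebsd-update"
    else
        echo "kernel is excluded from freebsd-update"
    fi
    rm -f "$conf"
}
demo
```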