possibly silly question regarding freebsd-update

Karl Denninger karl at denninger.net
Tue Mar 30 15:55:27 UTC 2021


On 3/30/2021 11:22, Guido Falsi via freebsd-stable wrote:
> On 30/03/21 15:35, tech-lists wrote:
>> Hi,
>>
>> Recently there was
>> https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html 
>>
>> about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted.
>>
>> What I'm unsure about is the openssl version.
>> Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd  22 Sep 2020
>>
>> Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd
>> 25 Mar 2021
>>
>> Shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well?
>>
>
> No, as you can see in the commit in the official git [1], while for 
> current and stable the new upstream version of openssl was imported, 
> for the release the fix was applied without importing the new release 
> and without changing the reported version of the library.
>
> So with 12.2p5 you do get the fix but don't get a new version of the 
> library.
>
>
> [1] 
> https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b
>
>
Excuse me....

$ uname -v
FreeBSD 12.2-RELEASE-p4 GENERIC
$ sudo sh
# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 12.2-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 12.2-RELEASE-p5.

I am running 12.2-RELEASE-p4, so says uname -v.

IMHO it is an *extraordinarily* bad practice to change a library that in 
fact will result in a revision change while leaving the revision number 
alone.

How do I *know*, without source to go look at, whether or not the fix is 
present on a binary system?

If newvers.sh gets bumped then a build and -p5 release should have 
resulted from that, and in turn a fetch/install (and reboot of course 
since it's in the kernel) should result in uname -v returning "-p5".

Most of my deployed "stuff" is on -STABLE but I do have a handful of 
machines on cloud infrastructure that are binary-only and on which I 
rely on freebsd-update and pkg to keep current with security-related items.

-- 
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
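
An added example, not part of the original message or of FreeBSD's own tooling: `uname -v` describes only the running kernel, while freebsd-version(1) reports the running kernel (`-r`), the installed kernel (`-k`) and the installed userland (`-u`) separately, so the three can be compared on a binary-only host. The helper names `patch_level` and `compare_levels` and the verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example: compare patch levels of the running kernel, the installed
# kernel and the installed userland. Version strings look like
# "12.2-RELEASE-p4"; an unpatched release has no "-pN" suffix.

# patch_level VERSION -> prints N from a trailing "-pN", or 0 if absent
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# compare_levels RUNNING_KERNEL INSTALLED_KERNEL USERLAND -> one-word verdict
compare_levels() {
    r=$(patch_level "$1"); k=$(patch_level "$2"); u=$(patch_level "$3")
    if [ "${1%-p*}" != "${3%-p*}" ]; then
        echo "release-mismatch"   # kernel and userland from different releases
    elif [ "$r" -lt "$k" ]; then
        echo "reboot-pending"     # newer kernel installed but not yet booted
    elif [ "$u" -gt "$k" ]; then
        echo "userland-ahead"     # latest patch changed userland files only
    elif [ "$u" -lt "$k" ]; then
        echo "userland-behind"    # userland older than kernel: investigate
    else
        echo "in-sync"
    fi
}

# Constructed sample using the p4/p5 values seen in the message above:
#   compare_levels 12.2-RELEASE-p4 12.2-RELEASE-p4 12.2-RELEASE-p5

# On a FreeBSD host, feed in the live values; elsewhere this part is skipped.
if command -v freebsd-version >/dev/null 2>&1; then
    compare_levels "$(freebsd-version -r)" "$(freebsd-version -k)" \
                   "$(freebsd-version -u)"
fi
```

To confirm that the installed files themselves match the published release index, `freebsd-update IDS` compares the system against it.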