possibly silly question regarding freebsd-update

Gary Palmer gpalmer at freebsd.org
Tue Mar 30 16:02:32 UTC 2021


On Tue, Mar 30, 2021 at 11:55:24AM -0400, Karl Denninger wrote:
> 
> On 3/30/2021 11:22, Guido Falsi via freebsd-stable wrote:
> > On 30/03/21 15:35, tech-lists wrote:
> > > Hi,
> > > 
> > > Recently there was
> > > https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html
> > > 
> > > about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted.
> > > 
> > > What I'm unsure about is the openssl version.
> > > Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd  22 Sep 2020
> > > 
> > > Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd
> > > 25 Mar 2021
> > > 
> > > shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well?
> > > 
> > 
> > No, as you can see in the commit in the official git [1]: while for
> > current and stable the new upstream version of openssl was imported, for
> > the release the fix was applied without importing the new release and
> > without changing the reported version of the library.
> > 
> > So with 12.2p5 you do get the fix but don't get a new version of the
> > library.
> > 
> > 
> > [1] https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b
> > 
> > 
> Excuse me....
> 
> $ uname -v
> FreeBSD 12.2-RELEASE-p4 GENERIC
> $ sudo sh
> # freebsd-update fetch
> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
> Fetching metadata signature for 12.2-RELEASE from update4.freebsd.org...
> done.
> Fetching metadata index... done.
> Inspecting system... done.
> Preparing to download files... done.
> 
> No updates needed to update system to 12.2-RELEASE-p5.
> 
> I am running 12.2-RELEASE-p4, so says uname -v
> 
> IMHO it is an *extraordinarily* bad practice to change a library that in
> fact will result in a revision change while leaving the revision number
> alone.
> 
> How do I *know*, without source to go look at, whether or not the fix is
> present on a binary system?
> 
> If newvers.sh gets bumped then a build and -p5 release should have resulted
> from that, and in turn a fetch/install (and reboot of course since it's in
> the kernel) should result in uname -v returning "-p5".
> 
> Most of my deployed "stuff" is on -STABLE but I do have a handful of
> machines on cloud infrastructure that are binary-only and on which I rely on
> freebsd-update and pkg to keep current with security-related items.

What does "freebsd-version -u" report?  The fix was only to a userland
library, so I would not expect the kernel version as reported by uname
to change.

Regards,

Gary

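The check Gary points at can be scripted. The following is an added example, not code from the thread or from the FreeBSD project: it compares the running kernel's patch level (`freebsd-version -r`) with the installed userland's (`freebsd-version -u`), both real options of freebsd-version(1), and classifies the result, so that a userland-only fix like the OpenSSL one in 12.2-RELEASE-p5 is recognised even though `uname -v` still says p4. The version strings used when freebsd-version is absent are constructed sample values taken from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: compare the running kernel's patch level
# with the installed userland's, as reported by freebsd-version(1).
# `freebsd-version -r` prints the running kernel's version and
# `freebsd-version -u` the userland's; a userland-only fix such as the OpenSSL
# one in 12.2-RELEASE-p5 moves only the latter, so uname -v alone cannot
# show whether it is installed.

# patch_level VERSION: print the numeric -pN patch level, or 0 if there is none.
#   "12.2-RELEASE-p4" -> 4     "12.2-RELEASE" -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# base_release VERSION: strip the patch suffix.  "12.2-RELEASE-p4" -> "12.2-RELEASE"
base_release() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1%-p*}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# classify KERNEL USERLAND: print one of
#   same             both at the same patch level
#   userland-ahead   userland newer (expected after a userland-only SA; no reboot needed for it)
#   kernel-ahead     kernel newer than userland (userland update not installed)
#   release-mismatch different base releases (kernel and world from different branches)
classify() {
    if [ "$(base_release "$1")" != "$(base_release "$2")" ]; then
        echo release-mismatch
        return 0
    fi
    kp=$(patch_level "$1")
    up=$(patch_level "$2")
    if   [ "$kp" -eq "$up" ]; then echo same
    elif [ "$up" -gt "$kp" ]; then echo userland-ahead
    else                           echo kernel-ahead
    fi
}

# report KERNEL USERLAND: human-readable verdict for an operator.
report() {
    case "$(classify "$1" "$2")" in
        same)             echo "kernel $1 and userland $2 are at the same patch level" ;;
        userland-ahead)   echo "userland $2 is ahead of kernel $1: a userland-only patch is installed" ;;
        kernel-ahead)     echo "kernel $1 is ahead of userland $2: run 'freebsd-update fetch install'" ;;
        release-mismatch) echo "kernel $1 and userland $2 are from different releases" ;;
    esac
}

# Live check on FreeBSD; elsewhere, fall back to constructed sample values
# taken from the thread (kernel from Karl's uname output, userland assumed
# to be what freebsd-version -u shows after the p5 update).
if command -v freebsd-version >/dev/null 2>&1; then
    report "$(freebsd-version -r)" "$(freebsd-version -u)"
else
    report "12.2-RELEASE-p4" "12.2-RELEASE-p5"
fi
```

On a binary-only host this gives an answer to "is the fix installed?" without source: a userland patch level that is ahead of the kernel's is exactly the state a userland-only advisory leaves behind, while a kernel that is ahead means the userland update has not been installed yet.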
