possibly silly question regarding freebsd-update

[Karl Denninger]

On 3/30/2021 12:02, Gary Palmer wrote:
> On Tue, Mar 30, 2021 at 11:55:24AM -0400, Karl Denninger wrote:
>> On 3/30/2021 11:22, Guido Falsi via freebsd-stable wrote:
>>> On 30/03/21 15:35, tech-lists wrote:
>>>> Hi,
>>>>
>>>> Recently there was
>>>> https://lists.freebsd.org/pipermail/freebsd-security/2021-March/010380.html
>>>>
>>>> about openssl. Upgraded to 12.2-p5 with freebsd-update and rebooted.
>>>>
>>>> What I'm unsure about is the openssl version.
>>>> Up-to-date 12.1-p5 instances report OpenSSL 1.1.1h-freebsd? 22 Sep 2020
>>>>
>>>> Up-to-date stable/13-n245043-7590d7800c4 reports OpenSSL 1.1.1k-freebsd
>>>> 25 Mar 2021
>>>>
>>>> shouldn't the 12.2-p5 be reporting openssl 1.1.1k-freebsd as well?
>>>>
>>> No, as you can see in the commit in the official git [1] while for
>>> current and stable the new upstream version of openssl was imported for
>>> the release the fix was applied without importing the new release and
>>> without changing the reported version of the library.
>>>
>>> So with 12.2p5 you do get the fix but don't get a new version of the
>>> library.
>>>
>>>
>>> [1] https://cgit.freebsd.org/src/commit/?h=releng/12.2&id=af61348d61f51a88b438d41c3c91b56b2b65ed9b
>>>
>>>
>> Excuse me....
>>
>> $ uname -v
>> FreeBSD 12.2-RELEASE-p4 GENERIC
>> $ sudo sh
>> # freebsd-update fetch
>> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
>> Fetching metadata signature for 12.2-RELEASE from update4.freebsd.org...
>> done.
>> Fetching metadata index... done.
>> Inspecting system... done.
>> Preparing to download files... done.
>>
>> No updates needed to update system to 12.2-RELEASE-p5.
>>
>> I am running 12.2-RELEASE-p4, so says uname -v
>>
>> IMHO it is an *extraordinarily* bad practice to change a library that in
>> fact will result in a revision change while leaving the revision number
>> alone.
>>
>> How do I *know*, without source to go look at, whether or not the fix is
>> present on a binary system?
>>
>> If newvers.sh gets bumped then a build and -p5 release should have resulted
>> from that, and in turn a fetch/install (and reboot of course since it's in
>> the kernel) should result in uname -v returning "-p5"
>>
>> Most of my deployed "stuff" is on -STABLE but I do have a handful of
>> machines on cloud infrastructure that are binary-only and on which I rely on
>> freebsd-update and pkg to keep current with security-related items.
> What does "freebsd-version -u" report?  The fix was only to a userland
> library, so I would not expect the kernel version as reported by uname
> to change.
>
> Regards,
>
> Gary

Ok, that's fair; it DOES show -p5 for the user side.

$ freebsd-version -ru
12.2-RELEASE-p4
12.2-RELEASE-p5

So that says my userland is -p5 while the kernel, which did not change 
(even though if you built from source it would carry the -p5 number) is -p4.

I can live with that as it allows me to "see" that indeed the revision 
is present without having source on the box.

I recognize that this is probably a reasonably-infrequent thing but it 
certainly is one that for people running binary releases is likely quite 
important given that the issue is in the openssl libraries.  It was 
enough for me to rebuild all the firewall machines the other day since a 
DOS (which is reasonably possible for one of the flaws) aimed at my VPN 
server causing the server process to exit would be...... bad.

-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4897 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20210330/51f5545a/attachment.bin>