svn commit: r264265 - in head: crypto/openssl/crypto/bn crypto/openssl/crypto/ec crypto/openssl/ssl sys/fs/nfsserver

David Chisnall David.Chisnall at cl.cam.ac.uk
Wed Apr 9 16:08:13 UTC 2014


On 9 Apr 2014, at 15:19, Kubilay Kocak <koobs.freebsd at gmail.com> wrote:

> That expectation is orthogonal to whether we or other projects do it one
> way or another. RHEL users may well be as confused as ours (whether or
> not ours are). It may be relevant as a data point, but not for decision
> making.

I can confirm that, as a user (albeit a slightly sleep-deprived one at the time), I was confused. I believe that I'm now running the correct version, as my libssl.so has a creation date of yesterday, but I don't have a good way of verifying it.

It would be great for future security advisories to have a 'how to tell if you're affected' and 'how to tell if you're patched' section.

I noticed that freebsd-update told me (after the fetch phase) that I should rebuild all third-party software.  I have been following the instructions that we give to users and not building most software on that machine myself.  I don't know if there are any packages that statically link to libssl.a (or even if we have a mechanism for determining that), but I'd hope that these would get separate VuXML reports for pkg audit to pick up.  

David