Re: freebsd-update confusion

From: Mark Millard <marklmi_at_yahoo.com>
Date: Sun, 19 Feb 2023 00:04:20 UTC
On Feb 18, 2023, at 15:06, void <void@f-m.fm> wrote:

> Hello Herbert,
> 
> On Sat, Feb 18, 2023 at 11:11:50PM +0100, Herbert J. Skuhra wrote:
>> On Sat, Feb 18, 2023 at 09:53:56PM +0000, void wrote:
>>> In https://lists.freebsd.org/archives/freebsd-security/2023-February/000146.html
>>> there's an SA for openssl.
>>> 
>>> If I upgrade (buildworld etc) on an amd box, it gets:
>>> 
>>> % openssl version
>>> OpenSSL 1.1.1t-freebsd  7 Feb 2023
>>> 
>>> (as expected)
>> 
>> This is either stable/13, releng/13.2 or main where openssl was updated
>> to version OpenSSL 1.1.1t.
>> 
>>> If freebsd-update is run on a 13.1-R arm64 machine, installed updates then
>>> rebooted, it gets:
>>> 
>>> $ openssl version
>>> OpenSSL 1.1.1o-freebsd  3 May 2022
>>> 
>>> ???
>>> 
>>> The freebsd-update was run about 10 mins ago (feb 18th 1821 UTC)
>> 
>> This is releng/13.1 where openssl is still OpenSSL 1.1.1o; only security
>> fixes were applied. 
> 
> This is the bit that was confusing me. I thought 1.1.1t was with the security fixes.

OpenSSL 1.1.1o was patched to remove the problems. That does
not produce 1.1.1t as a result.

>> You will get OpenSSL 1.1.1t after upgrading to
>> 13.2-RELEASE (expected to be released next month).
> 
> https://lists.freebsd.org/archives/freebsd-security/2023-February/000146.html has this:
> 
> Corrected:      2023-02-07 22:38:40 UTC (stable/13, 13.1-STABLE)
>                2023-02-16 17:58:13 UTC (releng/13.1, 13.1-RELEASE-p7)
>                2023-02-07 23:09:41 UTC (stable/12, 12.4-STABLE)
>                2023-02-16 18:04:12 UTC (releng/12.4, 12.4-RELEASE-p2)
>                2023-02-16 18:03:37 UTC (releng/12.3, 12.3-RELEASE-p12)
> 
> So, if I'm understanding you correctly, none of those releases indicated above
> would go to 1.1.1t ?

Same point for 13.1-RELEASE-p7 here:
OpenSSL 1.1.1o was patched to remove the problems. That does
not produce 1.1.1t as a result.

>> What's the output of 'freebsd-version -kru'? It will tell you if your
>> system is up-to-date.
> 
> % freebsd-version -kru
> 13.1-RELEASE-p6
> 13.1-RELEASE-p6
> 13.1-RELEASE-p7

That last indicates that you have the patched OpenSSL 1.1.1o
in the world (user space).

> It's really kind of opaque (to me) that openssl version is '1.1.1o-freebsd 3 May 2022' *after* the update has been applied. If it was something like '1.1.1o-freebsd-p1 16 Feb 2023', I'd feel a bit better, because as it stands, it looks like, on the face of it, that openssl hasn't
> been patched. Otherwise wouldn't the versioning info change in some respect, to
> indicate that it had?

The output of the openssl command likely is just as upstream
has defined it, it not being directly a FreeBSD thing. The
patches to the openssl source were likely also from upstream.


===
Mark Millard
marklmi at yahoo.com
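The practical takeaway from the thread is that `openssl version` is not evidence either way on a freebsd-update system: the base system keeps the upstream version string (1.1.1o) and only carries the backported fix, so the thing to compare against the advisory's "Corrected:" line is the userland patch level from `freebsd-version -u`. The script below is an added example, not code from the thread or from FreeBSD; it parses the three lines `freebsd-version -kru` prints (installed kernel, running kernel, userland, in that order) and reports whether the userland is at or above the level the advisory names, and whether an installed kernel is waiting for a reboot. The sample input is the output void posted above, embedded as a constructed string; the release strings are the only assumption about format (`MAJOR.MINOR-RELEASE` with an optional `-pN` suffix).

```sh
#!/bin/sh
# Added example (not from the thread or from FreeBSD): decide from the
# output of `freebsd-version -kru` whether a userland-only Security
# Advisory has been applied. Assumes -kru prints three lines in order:
# installed kernel, running kernel, userland; each looks like
# "13.1-RELEASE" or "13.1-RELEASE-p7".

# patch_number RELEASE-STRING -> N from a "-pN" suffix, 0 when there is none
patch_number() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# base_release RELEASE-STRING -> the string with any "-pN" suffix removed
base_release() {
    printf '%s\n' "${1%-p[0-9]*}"
}

# sa_status KERNEL_INSTALLED KERNEL_RUNNING USERLAND REQUIRED
# Prints one of:
#   patched        userland is the same release at patch level >= REQUIRED
#   unpatched      userland is the same release but below REQUIRED
#   other-release  userland is a different release (check that release's
#                  own line in the advisory instead)
# with " reboot-pending" appended when the installed kernel differs from
# the running one (a kernel update has been installed but not booted).
sa_status() {
    k_inst=$1; k_run=$2; uland=$3; req=$4
    if [ "$(base_release "$uland")" != "$(base_release "$req")" ]; then
        status=other-release
    elif [ "$(patch_number "$uland")" -ge "$(patch_number "$req")" ]; then
        status=patched
    else
        status=unpatched
    fi
    if [ "$k_inst" != "$k_run" ]; then
        status="$status reboot-pending"
    fi
    printf '%s\n' "$status"
}

# sa_status_from_output REQUIRED: reads the three -kru lines from stdin,
# so it can be fed directly from `freebsd-version -kru`.
sa_status_from_output() {
    req=$1
    IFS= read -r k_inst
    IFS= read -r k_run
    IFS= read -r uland
    sa_status "$k_inst" "$k_run" "$uland" "$req"
}

# Constructed sample: the `freebsd-version -kru` output posted in the thread.
SAMPLE_KRU='13.1-RELEASE-p6
13.1-RELEASE-p6
13.1-RELEASE-p7'

# Stand-alone run against the sample. On a live system, replace the
# printf with:  freebsd-version -kru | sa_status_from_output 13.1-RELEASE-p7
main() {
    printf '%s\n' "$SAMPLE_KRU" | sa_status_from_output 13.1-RELEASE-p7
}

main "$@"
```

For the sample above this prints `patched`: the kernel lines both read p6 because the OpenSSL fix touched only userland, and the userland line reads p7, matching the advisory's `releng/13.1, 13.1-RELEASE-p7` entry. If you want a file-level confirmation rather than a version-string one, `freebsd-update IDS` compares the installed files against the signed index for the current patch level and reports anything that does not match.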