Re: freebsd-update confusion
Date: Sun, 19 Feb 2023 00:04:20 UTC
On Feb 18, 2023, at 15:06, void <void@f-m.fm> wrote:

> Hello Herbert,
>
> On Sat, Feb 18, 2023 at 11:11:50PM +0100, Herbert J. Skuhra wrote:
>> On Sat, Feb 18, 2023 at 09:53:56PM +0000, void wrote:
>>> In https://lists.freebsd.org/archives/freebsd-security/2023-February/000146.html
>>> there's an SA for openssl.
>>>
>>> If I upgrade (buildworld etc) on an amd box, it gets:
>>>
>>> % openssl version
>>> OpenSSL 1.1.1t-freebsd 7 Feb 2023
>>>
>>> (as expected)
>>
>> This is either stable/13, releng/13.2 or main where openssl was updated
>> to version OpenSSL 1.1.1t.
>>
>>> If freebsd-update is run on a 13.1-R arm64 machine, installed updates then
>>> rebooted, it gets:
>>>
>>> $ openssl version
>>> OpenSSL 1.1.1o-freebsd 3 May 2022
>>>
>>> ???
>>>
>>> The freebsd-update was run about 10 mins ago (feb 18th 1821 UTC)
>>
>> This is releng/13.1 where openssl is still OpenSSL 1.1.1o; only security
>> fixes were applied.
>
> This is the bit that was confusing me. I thought 1.1.1t was with the security fixes.

OpenSSL 1.1.1o was patched to remove the problems. That
does not produce 1.1.1t as a result.

>> You will get OpenSSL 1.1.1t after upgrading to
>> 13.2-RELEASE (expected to be released next month).
>
> https://lists.freebsd.org/archives/freebsd-security/2023-February/000146.html has this:
>
> Corrected: 2023-02-07 22:38:40 UTC (stable/13, 13.1-STABLE)
>            2023-02-16 17:58:13 UTC (releng/13.1, 13.1-RELEASE-p7)
>            2023-02-07 23:09:41 UTC (stable/12, 12.4-STABLE)
>            2023-02-16 18:04:12 UTC (releng/12.4, 12.4-RELEASE-p2)
>            2023-02-16 18:03:37 UTC (releng/12.3, 12.3-RELEASE-p12)
>
> So, if I'm understanding you correctly, none of those releases indicated above
> would go to 1.1.1t ?

Same point for 13.1-RELEASE-p7 here:
OpenSSL 1.1.1o was patched to remove the problems. That
does not produce 1.1.1t as a result.

>> What's the output of 'freebsd-version -kru'? It will tell you if your
>> system is up-to-date.
>
> % freebsd-version -kru
> 13.1-RELEASE-p6
> 13.1-RELEASE-p6
> 13.1-RELEASE-p7

That last indicates that you have the patched OpenSSL 1.1.1o in
the world (user space).

> It's really kind of opaque (to me) that openssl version is '1.1.1o-freebsd 3 May 2022' *after* the update has been applied. If it was something like '1.1.1o-freebsd-p1 16 Feb 2023', I'd feel a bit better, because as it stands, it looks like, on the face of it, that openssl hasn't
> been patched. Otherwise wouldn't the versioning info change in some respect, to
> indicate that it had?

The output of the openssl command likely is just as upstream
has defined it, it not being directly a FreeBSD thing. The
patches to the openssl source were likely also from upstream.

===
Mark Millard
marklmi at yahoo.com
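
Added example (not part of the message above, and not FreeBSD project code): a POSIX sh check that decides patch status from the userland patch level reported by freebsd-version rather than from the `openssl version` string. The function names and the FIXED_IN variable are hypothetical; its values are the releng entries of the "Corrected:" list quoted in the thread.

```sh
#!/bin/sh
# Added example. FIXED_IN holds the releng entries of the advisory's
# "Corrected:" list as quoted in the thread above.
FIXED_IN="13.1-RELEASE-p7 12.4-RELEASE-p2 12.3-RELEASE-p12"

# patch_level VERSION: print N for X.Y-RELEASE-pN, 0 for a bare X.Y-RELEASE.
# Fails for anything else (STABLE, CURRENT, malformed input).
patch_level() {
    case "$1" in
        *-RELEASE-p*) n=${1##*-p} ;;
        *-RELEASE)    n=0 ;;
        *)            return 1 ;;
    esac
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    echo "$n"
}

# fix_status VERSION: print patched, unpatched or unknown for a userland
# version string such as the one 'freebsd-version -u' prints.
fix_status() {
    # STABLE/CURRENT carry no patch level; those need the advisory's
    # commit timestamps instead, so report unknown.
    have=$(patch_level "$1") || { echo unknown; return; }
    branch=${1%%-RELEASE*}
    for fixed in $FIXED_IN; do
        if [ "${fixed%%-RELEASE*}" = "$branch" ]; then
            need=$(patch_level "$fixed")
            if [ "$have" -ge "$need" ]; then echo patched; else echo unpatched; fi
            return
        fi
    done
    echo unknown   # release branch not listed in this advisory
}

if command -v freebsd-version >/dev/null 2>&1; then
    u=$(freebsd-version -u)
else
    u=13.1-RELEASE-p7   # constructed sample: the userland line from the thread
fi
echo "userland $u: $(fix_status "$u")"
```

Only the userland value is compared because, as the reply notes, the patched OpenSSL lives in the world; the kernel lines staying at p6 do not indicate a missing fix for this advisory.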