Why is base OpenSSL not showing the new version number

Roger Eddins


Currently sitting on 9.3-RELEASE-p39 and performed freebsd-update fetch/install, and /usr/bin/openssl is still showing version "OpenSSL 0.9.8zh-freebsd 3 Dec 2015". I see the timestamp of the binary (/usr/bin/openssl) shows the latest timestamp from when I ran freebsd-update install, so am I just to assume it updated? Is this a little known secret that you should just trust it updated?

A little help or breadcrumb please... nothing in searches of the other FreeBSD forums hint about this except one reply but that's not enough to be convincing.
 

drhowarddrfine


End of life for version 9.2 ended December 2014. I don't know when 9.3 ended but end of life for version 10.0 was February 2015.
 

geodni


Hi all, I have several FreeBSD 10.2-RELEASE systems recently updated to 10.3-RELEASE-p3 and then 10.3-RELEASE-p4 using the "freebsd-update" mechanism.
OpenSSL Base was updated from "1.0.1p-freebsd 9 Jul 2015" to "1.0.1s-freebsd 1 Mar 2016".
I thought that applying the security advisory FreeBSD-SA-16:17 with "freebsd-update" (includes CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, CVE-2016-2176) would update OpenSSL Base to the latest 1.0.1t, but it's not the case!
Does that mean I have to use OpenSSL from ports to have the latest security advisory about OpenSSL in place?
Thanks
 

kpa


This comes up from time to time (maybe a sticky post would be in order...). The FreeBSD security team has decided not to update the date and version number in the base system OpenSSL even if the security fixes are applied to it. The security fixes are backported from the fixed newer revisions so they are there even if the version number does not reflect that. The only proper way to see if your system is up to date with the security and errata fixes is to use freebsd-version(1) (not available in FreeBSD 9 and earlier unfortunately).


The userland version is the more reliable one to check; the kernel version with the -k option may lag behind because not every update installs a new kernel:

freebsd-version -u

On earlier versions such as FreeBSD 9, freebsd-update fetch can be run to see what the currently installed patchlevel is and whether there are any available updates at the same time.
 

geodni


OK for the CVEs included in the OpenSSL base, I believe that. Perhaps there is a log of this decision somewhere?
But our security officers want the patched version to be installed, or to be sure the last CVEs are well applied. How can I check in OpenSSL base that the CVEs are applied even if "openssl version" gives a not updated version?
I tried all options for "openssl version" with no success, nor running strings on the binary.
Thanks
 

SirDice


How can I check in OpenSSL base that the CVEs are applied even if "openssl version" gives a not updated version?
https://www.freebsd.org/security/advisories.html

Specifically this one: https://www.freebsd.org/security/advisories/FreeBSD-SA-16:17.openssl.asc

So, if you have 9.3-RELEASE-p41, 10.1-RELEASE-p33, 10.2-RELEASE-p16 or 10.3-RELEASE-p2 it's applied.

On FreeBSD 10.x you can easily check with freebsd-version -u. On FreeBSD 9.x you'll have to trust freebsd-update(8).
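A small check that can be scripted from the table above, as an added example that is not from the thread or from FreeBSD's own tools: it parses the patch level that freebsd-version -u reports and compares it against the corrected versions quoted from SA-16:17, so the verdict comes from the patch level rather than from the unchanged OpenSSL version string. The fixed-patchlevel table, the helper names and the sample version strings are the example's own.

```shell
#!/bin/sh
# Decide whether a FreeBSD userland patch level carries the fixes from
# FreeBSD-SA-16:17 by comparing "freebsd-version -u" output against the
# corrected versions listed in the advisory (branch:first fixed -pN).
# Table constructed from the versions quoted in the thread for SA-16:17.
SA_16_17_FIXED="9.3:41 10.1:33 10.2:16 10.3:2"

# patchlevel_of "10.3-RELEASE-p4" prints "10.3 4": the branch and the -pN
# number (0 for a plain X.Y-RELEASE). Returns 1 for -STABLE/-CURRENT,
# which security advisories do not key on by patch level.
patchlevel_of() {
    ver="$1"
    branch="${ver%%-*}"
    case "$ver" in
        *-RELEASE-p*) p="${ver##*-p}" ;;
        *-RELEASE)    p=0 ;;
        *)            return 1 ;;
    esac
    printf '%s %s\n' "$branch" "$p"
}

# sa_applied VERSION TABLE exits 0 when VERSION is at or past the fixed
# patch level for its branch, 1 when it is older, and 2 when the branch is
# not in the table (end-of-life, or not a -RELEASE), so "unknown" is never
# silently reported as "patched".
sa_applied() {
    parsed="$(patchlevel_of "$1")" || return 2
    table="$2"
    branch="${parsed% *}"
    p="${parsed#* }"
    for entry in $table; do
        if [ "${entry%%:*}" = "$branch" ]; then
            [ "$p" -ge "${entry#*:}" ] && return 0
            return 1
        fi
    done
    return 2
}

# Typical use on the host itself (uncomment on a FreeBSD system):
# sa_applied "$(freebsd-version -u)" "$SA_16_17_FIXED" && echo "SA-16:17 applied"
```

The original poster's 9.3-RELEASE-p39 is reported as older than the p41 the advisory names, while 10.3-RELEASE-p4 passes; an unknown branch returns 2 so a script does not mistake "no data" for "fixed".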
 

geodni


Thanks all, it's running 10.3-RELEASE-p4 so patches are applied.
Sorry if I badly explained what I need. You tell me freebsd-version -u is sufficient to know the patches are applied according to SA-16:17. If it's the only way to go, I will tell the security officers it's applied even if the version number claimed by openssl is not what it's supposed to be.

I looked at https://svnweb.freebsd.org/base/vendor-crypto/?view=log and inside the opensslv.conf https://svnweb.freebsd.org/base/ven....1t/crypto/opensslv.h?view=log&pathrev=298994 at line #37 shows
Code:
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1t 3 May 2016"
In my 10.3-RELEASE-p4 running systems, /usr/include/openssl/opensslv.h shows at same line #37
Code:
#  define OPENSSL_VERSION_TEXT  "OpenSSL 1.0.1s-freebsd  1 Mar 2016"
I may suppose the revision 298994 is not yet included.
 

kpa


Those are vendor imports and they are not used directly for building the releases, stable or current versions. Instead, they are merged selectively to the code that is actually used such as the example linked by SirDice above.
 

geodni


Each time I come on this forum I learn something new, like each day I use FreeBSD!
Thank you all!
 