Date:      Thu, 13 Mar 2003 11:54:00 -0600
From:      D J Hawkey Jr <hawkeyd@visi.com>
To:        "Bruce A. Mah" <bmah@FreeBSD.ORG>
Cc:        security at FreeBSD <freebsd-security@FreeBSD.ORG>
Subject:   Re: SA-03:02.openssl for RELENG_4_6_2 vs. RELENG_4_5
Message-ID:  <20030313115400.A25510@sheol.localdomain>
In-Reply-To: <20030313171647.GA19381@intruder.bmah.org>; from bmah@FreeBSD.ORG on Thu, Mar 13, 2003 at 09:16:47AM -0800
References:  <20030313080852.A30434@sheol.localdomain> <20030313171647.GA19381@intruder.bmah.org>

On Mar 13, at 09:16 AM, Bruce A. Mah wrote:
> 
> > OK. So as I go about cvsup'ing along the RELENG_4_5 tree, at p13, the
> > source is upgraded to OpenSSL 0.9.6e. At p18, it got an ASN.1 patch. So
> > did RELENG_4_6, at p10. Both RELENGs continued to get the same patches
> > until RELENG_4_5 support was dropped. So, up through RELENG_4_6_2 p7
> > (p8 is SA-03:02), the two RELENGs had the same OpenSSL trees, right?
> 
> Probably.  In theory, just because the version numbers are the same
> doesn't mean that there weren't minor tweaks.  I think this is pretty
> unlikely, however.  [1]

I can accept that tweaks made in the RELENG_4_5 tree might get lost in
patching upwards to 0.9.6i with SA-03:02; at least I'll know I can
probably continue patching the OpenSSL tree against RELENG_4_6 updates.

> Any reason you can't just check out copies of src/contrib/openssl for
> the RELENG_4_5 and RELENG_4_6 branches and diff them?  If the only
> deltas are version numbers, you're probably safe.

Um, sheer number of files vs. Time, mostly. For those six files that
had rejected patches, I changed the versions in the patchfile to those
of the sources, and the entire update occurred without incident.

BZZT! "Oh, I'm sorry, discussion time is over."

Throwing caution to the wind, I started a buildworld against the updated
source about 45 minutes ago.

Anyone know how to run the tests in /usr/src/crypto/openssl/apps and/or
/usr/src/crypto/openssl/test, and what to look for?  :-)

Oh! I also need to know how one ascertains what binaries are statically
linked to libcrypto and/or libssl?

> Bruce.

Thanks,
Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
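
Added example, not part of the original message: one way to do the branch comparison suggested in the quoted reply, listing only the files whose differences go beyond ident lines. It assumes "version numbers" means expanded `$FreeBSD$` CVS ident lines and a diff(1) that supports `-I`; the directory names and file contents in `demo` are constructed.

```shell
#!/bin/sh
# Assumption: "version numbers" = expanded CVS ident lines ($FreeBSD: ... $).
# The [$] bracket form is valid in both basic and extended regex syntax.
IDENT_RE='[$]FreeBSD[:$]'

# real_deltas OLD NEW: print one line per file that differs in substance.
#   changed <path>    content differs beyond ident lines
#   only-old <path>   file exists only in OLD
#   only-new <path>   file exists only in NEW
real_deltas() {
    old=$1 new=$2
    (cd "$old" && find . -type f) | sort | while IFS= read -r f; do
        if [ ! -f "$new/$f" ]; then
            echo "only-old ${f#./}"
        # diff -I drops hunks in which every changed line matches IDENT_RE.
        # Any remaining output (including a diff error) counts as a change,
        # so a failure is reported rather than silently treated as "same".
        elif [ -n "$(diff -I "$IDENT_RE" "$old/$f" "$new/$f" 2>&1)" ]; then
            echo "changed ${f#./}"
        fi
    done
    (cd "$new" && find . -type f) | sort | while IFS= read -r f; do
        [ -f "$old/$f" ] || echo "only-new ${f#./}"
    done
}

# Constructed sample trees: a.c differs only in its ident line, b.c has a
# real change next to the ident line, c.c exists on one side only.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/4_5/ssl" "$t/4_6/ssl"
    printf '/* $FreeBSD: ssl/a.c,v 1.1.2.3 $ */\nint a;\n' > "$t/4_5/ssl/a.c"
    printf '/* $FreeBSD: ssl/a.c,v 1.1.4.2 $ */\nint a;\n' > "$t/4_6/ssl/a.c"
    printf '/* $FreeBSD: ssl/b.c,v 1.2 $ */\nint b = 1;\n' > "$t/4_5/ssl/b.c"
    printf '/* $FreeBSD: ssl/b.c,v 1.3 $ */\nint b = 2;\n' > "$t/4_6/ssl/b.c"
    printf 'int c;\n' > "$t/4_6/ssl/c.c"
    real_deltas "$t/4_5" "$t/4_6"
    rm -rf "$t"
}

# Stand-alone use: sh script.sh <old-checkout> <new-checkout>
if [ "$#" -eq 2 ]; then real_deltas "$1" "$2"; fi
```

An empty result means the two trees differ only in ident lines; every listed file needs a manual look before patches for one branch are applied to the other.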