# FreeBSD 8.4-RELEASE-p14 ships with old OpenSSL 0.9.8y



## stefanlasiewski (Aug 12, 2014)

I just updated an old FreeBSD 8 system to FreeBSD 8.4-RELEASE-p14 using freebsd-update(). We are surprised to note that this version of FreeBSD ships with an old version of OpenSSL:


```
root@freebsd:~ # uname -v
FreeBSD 8.4-RELEASE-p14 #0: Tue Jul  8 12:41:46 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC 
root@freebsd:~ # /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013
root@freebsd:~ #
```

Shouldn't OpenSSL be at version 0.9.8za (or later), which was released in June 2014 to fix the vulnerabilities listed here?

* http://www.freebsd.org/security/advisor ... penssl.asc
* http://www.openssl.org/news/secadv_20140605.txt


----------



## kpa (Aug 12, 2014)

The way it works with the base system libraries is that the version is kept the same to satisfy the stable ABI requirement (and I guess the developers are being a bit overcautious when it comes to release versions; the "stable" version of FreeBSD 8 has 0.9.8zb, see below), but any security fixes are backported. This means that even though you see version OpenSSL 0.9.8y, it's in reality 0.9.8y plus a whole bunch of security fixes from the newer versions of OpenSSL up to 0.9.8za.

It would be very nice to have some indication that the version number doesn't quite match what the library actually is, but according to the security team this is not possible at the moment.

The so-called "stable" branch of FreeBSD 8, identified as stable/8 in the SVN repo, seems to have 0.9.8zb:

http://svnweb.freebsd.org/base?view=revision&sortby=rev&sortdir=down&revision=269687


----------



## stefanlasiewski (Aug 12, 2014)

Thanks for that.

Is there a way to validate that I actually am running OpenSSL 0.9.8za or newer? We manage FreeBSD using freebsd-update for binary updates, and I don't have the source code on the system.


----------



## kpa (Aug 12, 2014)

There is unfortunately no other way to validate the installed OpenSSL than testing it with a tool that tests the library for known vulnerabilities. If you were on the stable version then the reported version would match what the installed version really is. If you're planning on staying on FreeBSD 8 it might be a good idea to switch to stable/8 now. FreeBSD 8, including the stable branch, will come to its end of life on June 30 2015, however.

http://www.freebsd.org/security/index.html#sup
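As an added illustration of kpa's point (example code written for this thread, not from the forum posters or the FreeBSD project): on a releng/ branch the string from `openssl version` is not authoritative, so the check that actually applies is whether the system's patch level is at or past the level the FreeBSD advisory names for that release. The `FIXED_IN` patch level below is an assumed placeholder, not a value taken from the advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Sample inputs: the two lines quoted in the first post of this thread.
UNAME_V = "FreeBSD 8.4-RELEASE-p14 #0: Tue Jul  8 12:41:46 UTC 2014"
OPENSSL_VERSION = "OpenSSL 0.9.8y 5 Feb 2013"

# Placeholder map (assumption, NOT from the advisory): release branch ->
# first patch level that carries the backported OpenSSL fix.
FIXED_IN: Dict[str, int] = {"8.4-RELEASE": 12}


def parse_openssl_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Turn 'OpenSSL 0.9.8za ...' into ((0, 9, 8), 'za').

    OpenSSL 0.9.x/1.0.x letter suffixes run a..z, then za, zb, ...; plain
    string comparison keeps that order ('' < 'a' < 'y' < 'z' < 'za' < 'zb').
    """
    m = re.search(r"OpenSSL (\d+(?:\.\d+)*)([a-z]*)", text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    return tuple(int(n) for n in m.group(1).split(".")), m.group(2)


def openssl_at_least(reported: str, wanted: str) -> bool:
    """True if the reported string claims version >= wanted (e.g. '0.9.8za').
    On releng/ branches this is misleading: the string stays at 0.9.8y while
    fixes are backported, which is the whole point of the thread."""
    return parse_openssl_version(reported) >= parse_openssl_version("OpenSSL " + wanted)


def parse_freebsd_patch_level(uname_v: str) -> Tuple[str, Optional[int]]:
    """Return (branch, patch level) from uname -v: ('8.4-RELEASE', 14).
    A -STABLE kernel has no -pN suffix, so its level is None."""
    m = re.match(r"FreeBSD (\S+)", uname_v)
    if not m:
        raise ValueError("not a FreeBSD uname -v line: %r" % uname_v)
    branch, sep, level = m.group(1).rpartition("-p")
    if sep and level.isdigit():
        return branch, int(level)
    return m.group(1), None


def patched_by_advisory(uname_v: str, fixed_in: Dict[str, int]) -> Optional[bool]:
    """True/False for a release branch listed in fixed_in; None for other
    branches (e.g. stable/8), where the OpenSSL version string is accurate.
    Caveat: uname -v reports the *kernel* patch level; a userland-only patch
    raises the advertised -pN without changing this line."""
    branch, level = parse_freebsd_patch_level(uname_v)
    if branch not in fixed_in:
        return None
    return (level or 0) >= fixed_in[branch]
```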


----------



## pkubaj (Aug 13, 2014)

IMO they're overly cautious with merging new OpenSSL releases to releng/. In fact, it has already happened before, so I don't know why they can't continue doing it.
See e.g. http://svnweb.freebsd.org/base?view=rev ... ion=249029


----------

