# Addressing the OpenSSL problem



## chavez243ca (May 22, 2009)

I've got a good number of BSD servers scattered about the network, all of which need to be patched for the March OpenSSL vulnerability.

Looks like freebsd-update is not going to address this problem due to the versions I am currently running, so I have tried the manual patch process. My question is: is a reboot necessary? After the make portion of the patch process, openssl version still indicates OpenSSL not being up to date.

If this fails, looks like cvsup might be the answer...


----------



## vivek (May 22, 2009)

Follow the procedure mentioned in the security advisory. Also, do not forget to read /usr/src/UPDATING.


----------



## chavez243ca (May 22, 2009)

I did - verbatim - the advisory does not say whether a reboot is necessary or not. Following the make session, though, openssl version appears unchanged.


----------



## DutchDaemon (May 22, 2009)

Does it state anywhere that the patch actually increases the version?


----------



## chavez243ca (May 23, 2009)

I was going by the OpenSSL advisory:
http://www.openssl.org/news/secadv_20090325.txt

That states that the corrected version is 0.9.8k - none of my BSD boxes are showing that version, whether I've done the patch or used cvsup to bring base up to latest RELENG.

It would be nice if I could tell whether or not my OpenSSL is vulnerable without digging into the revision numbers in the source.

I've followed one of the two methods in http://security.freebsd.org/advisories/FreeBSD-SA-09:08.openssl.asc depending on the system, so now I just hope that does the trick.


----------



## DutchDaemon (May 23, 2009)

FreeBSD's base system openssl is at 0.98e, I believe. The ports tree version of openssl is at 0.98k. I'm sure the patches in 0.98k have been backported to 0.98e, so you should be fine.


----------



## chavez243ca (May 23, 2009)

Yes - .98e is what I am seeing.


----------

