# base system and security update



## evplus (Jun 28, 2022)

Hi everyone,
I am a new FreeBSD user, and I am trying to understand what I should do about the last openssl CVE.
I have seen that the port version of openssl has been updated to 1.1.1p but the base system still uses 1.1.1o.
So my question is: is the base-system going to get the patch version soon and can we track it somewhere, or should I install the port version of openssl?


----------



## mer (Jun 28, 2022)

`freebsd-update fetch` is your friend.
Mailing lists with security/security notifications typically tell you when things are patched.


----------



## evplus (Jun 28, 2022)

Thank you for your reply.
I guess that I was a bit impatient because Debian released the patch version.
I had a look at the CVE and it does not seem to be big, so I will wait.


----------



## mer (Jun 28, 2022)

I learned a long time ago:
A CVE means read the CVE, and really think "does this apply to me"
If "yes", then "are there any mitigations I can apply before a patch"
Based on that, you know how critical it is for you.

Say the CVE talks about something related to wireless adapters.  If you don't have any, it's a "don't care" for you.
If it's something about "exposing service xyz to the world" and you don't do that, it's a "don't care".

They should all eventually get patched but if they are don't cares for you, don't worry.

And since you are new, if you installed and are using "Root on ZFS" then always create a new boot environment before you do an update.  Plenty of tutorials if you do a search here.


----------



## evplus (Jun 28, 2022)

mer said:


> And since you are new, if you installed and are using "Root on ZFS" then always create a new boot environment before you do an update.  Plenty of tutorials if you do a search here.


Thanks. I would have gone for `zfs snapshot` but it seems to be a wrapper based on it.


----------



## mer (Jun 28, 2022)

Root on ZFS, you want to get used to the command `bectl`.
"boot environment" control.
`bectl list`
`bectl create`
`bectl activate`
`bectl mount`

Very very simplistically:
`bectl create` to create a new boot environment, which actually represents your existing boot environment.
`freebsd-update fetch && freebsd-update install`: this installs the updates into the currently running boot environment, leaving the one you just "bectl create"d as the old one.
`pkg upgrade` to upgrade the ports in the current boot environment.


----------
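The sequence from the last post, as an added shell example that is not part of the thread: it creates a fallback boot environment before patching and stops at the first step that fails, printing how to boot back. The `pre-update-DATE` naming, the `DRY_RUN` switch and the `go` argument are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): create a fallback boot environment,
# then patch base and packages. Run as root on a Root-on-ZFS install.
# DRY_RUN=1 prints the commands instead of running them (assumed switch).

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Name of the fallback boot environment (hypothetical naming scheme).
be_name() {
    echo "pre-update-$1"
}

# Report a failed step and how to boot back into the untouched environment.
fail() {
    echo "step failed: $1" >&2
    echo "to roll back: bectl activate $2 && shutdown -r now" >&2
}

# patch_with_be DATE: the steps from the post, stopping at the first failure.
patch_with_be() {
    be=$(be_name "$1")
    # bectl check exits non-zero when boot environments are not in use.
    run bectl check || { echo "no ZFS boot environments here" >&2; return 1; }
    # Fails if a boot environment with this name already exists.
    run bectl create "$be" || { echo "could not create $be" >&2; return 1; }
    run freebsd-update fetch || { fail "freebsd-update fetch" "$be"; return 1; }
    run freebsd-update install || { fail "freebsd-update install" "$be"; return 1; }
    run pkg upgrade || { fail "pkg upgrade" "$be"; return 1; }
    echo "done; previous system kept as boot environment $be" >&2
}

# Only act when asked to, e.g.: sh patch.sh go
if [ "${1:-}" = "go" ]; then
    patch_with_be "$(date +%Y-%m-%d)"
fi
```

Running it with `DRY_RUN=1` first shows the exact commands; `bectl list` afterwards shows the fallback environment alongside the active one.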

