# Does FreeBSD10 upgrade fix heartbleed bug?



## sijohans (May 26, 2014)

Hello!

I'm running a server with FreeBSD 10 and have some questions. 

I don't actually use any services that use OpenSSL now, but I plan to do so in the future. So this problem hasn't been prioritized. However, I read these security advisories:

http://www.freebsd.org/security/advisor ... penssl.asc
http://www.freebsd.org/security/advisor ... penssl.asc
http://www.freebsd.org/security/advisor ... penssl.asc

And I have done what they said I should do:


```
# freebsd-update fetch
# freebsd-update install
```

However, my OpenSSL version is still the same. Is this supposed to happen? Or is the update just a fix to that version?


```
# openssl version
OpenSSL 1.0.1e-freebsd 11 Feb 2013
```

And another question: if I ignore my other applications and configurations, is it enough to use FreeBSD update to keep my system safe?


----------



## kpa (May 26, 2014)

The version number stays at the same 1.0.1e because FreeBSD uses a system where the security fixes are backported to the currently used version instead of upgrading to the latest and greatest version. This is to guarantee only minimal changes when security fixes are applied to minimize the possibility of breaking the ABI with the changes.

I do agree that it would be much clearer if the version string of openssl(1) included the patch level and/or some reference to the SVN revision of the source tree the currently installed world was compiled from. This is not possible, however, because of how the builds of the update sets for freebsd-update(8) work: they work in complete isolation from the SVN revision history, according to the developers.


----------
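Because the `openssl version` string does not change when a fix is backported, the thing to compare is the base system's patch level against the "Corrected:" level listed in the advisory. The script below is an added example, not part of the original thread or of FreeBSD itself; the function names are hypothetical, and the required level is an argument you read from the advisory. It uses `freebsd-version -u` because that reports the installed userland, whereas `uname -r` reports the running kernel, which stays the same when an update only touches userland.

```shell
#!/bin/sh
# Compare a FreeBSD release string with an advisory's "Corrected:" level.
# Strings look like <major>.<minor>-<branch>[-p<N>]; no -p<N> means patch level 0.

# patch_level STRING: print N from a trailing -pN, or 0 if there is none.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# is_patched INSTALLED REQUIRED
#   returns 0 if INSTALLED is at or above REQUIRED on the same branch,
#           1 if it is below,
#           2 if the branches differ and the levels cannot be compared.
is_patched() {
    installed_base=${1%-p[0-9]*}   # strip the -pN suffix, if present
    required_base=${2%-p[0-9]*}
    if [ "$installed_base" != "$required_base" ]; then
        return 2
    fi
    # Numeric comparison, so p12 is correctly newer than p2.
    [ "$(patch_level "$1")" -ge "$(patch_level "$2")" ]
}

# On a FreeBSD host: sh check.sh <level from the advisory's "Corrected:" line>
if [ $# -eq 1 ] && command -v freebsd-version >/dev/null 2>&1; then
    userland=$(freebsd-version -u)   # openssl(1) and libssl live in userland
    if is_patched "$userland" "$1"; then
        echo "$userland: at or above $1"
    else
        echo "$userland: below $1 or a different branch, check the advisory"
    fi
fi
```

Services that were already running when the update was installed keep the old library mapped until they are restarted.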

