On 9 Apr 2014, at 15:19, Kubilay Kocak <[email protected]> wrote:

> That expectation is orthogonal to whether we or other projects do it one
> way or another. RHEL users may well be as confused as ours (whether of
> not ours are). It may be relevant as a data point, but not for decision
> making.

I can confirm that, as a user (albeit a slightly sleep-deprived one at the 
time) I was confused.  I believe that I'm now running the correct version, as 
my libssl.so has a creation date of yesterday, but I don't have a good way of 
verifying it.

It would be great for future security advisories to have a 'how to tell if 
you're affected' and 'how to tell if you're patched' section.

I noticed that freebsd-update told me (after the fetch phase) that I should 
rebuild all third-party software.  I have been following the instructions that 
we give to users and not building most software on that machine myself.  I 
don't know if there are any packages that statically link to libssl.a (or even 
if we have a mechanism for determining that), but I'd hope that these would get 
separate VuXML reports for pkg audit to pick up.  

David

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "[email protected]"

Reply via email to