Subject: Re: bin/31120 (update openssl in 3beta)
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, zafer@gmx.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 06/10/2006 21:50:02
The following reply was made to PR bin/31120; it has been noted by GNATS.
From: "Greg A. Woods" <woods@weird.com>
To: christos@zoulas.com (Christos Zoulas)
Cc: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, zafer@gmx.org
Subject: Re: bin/31120 (update openssl in 3beta)
Date: Sat, 10 Jun 2006 17:45:45 -0400
At Wed, 7 Jun 2006 19:12:41 -0400,
Christos Zoulas wrote:
>
> On Jun 7, 11:00pm, woods@weird.com ("Greg A. Woods") wrote:
> -- Subject: Re: bin/31120 (update openssl in 3beta)
>
> | That seems like a very much less than ideal approach to maintenance.
> |
> | People will no doubt be running systems built from the NetBSD-3 branch
> | in production for years yet to come, and for something as central to
> | many security-related applications as OpenSSL is, it would seem
> | important to keep it as up to date as possible in _all_ supported
> | branches.
>
> Greg, what version is running on 3.0?
17:27 [682] # openssl version
OpenSSL 0.9.7d 17 Mar 2004
17:28 [683] # uname -srm
NetBSD 3.0_STABLE i386
(the "cvs update -r netbsd-3" and build date was about 2006/05/08)
> Are there any known vulnerabilities
> against it?
I'm not really sure but given what I read in various forums I must
assume so. For example, on openssl.org/news they say both 0.9.8a and
0.9.7h contain a "security fix" (CAN-2005-2969). I don't know how
important that particular vulnerability is in general, but I'd suggest
the average business manager won't care -- she'll just want the
vulnerability eliminated for visibility purposes at the very least.
I would also suggest very strongly that vulnerabilities are not the only
issues of importance to such a critical software component in a
production environment.
The openssl.org web site says that even the very latest releases on both
release branches, 0.9.8b and 0.9.7j, contain "important bugfixes", and
in fact all the 0.9.7* releases since 0.9.7d are listed as "including
important bugfixes".
> The problem is that openssl is such a large package, and it
> affects other things (ssh), so we have to weigh the risk/benefit of the
> upgrade.
Indeed, I couldn't agree more, but isn't a round of integration and
testing in -current sufficient to more or less eliminate those kinds of
risks?
A pullup to the netbsd-2 and netbsd-3 branches will also get some
testing before it makes it into a release, even if only by those of us
who try to follow the release branches as regularly as possible.
Given those conditions I would suggest that there's effectively zero
risk, and 100% full benefit, to upgrading openssl on all the release
branches.
Now I could probably do such a pullup myself for my own purposes, but
given the common benefit for everyone in this case I think it's
important enough to do in all the official supported release branches.
--
Greg A. Woods
H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com> Secrets of the Weird <woods@weird.com>
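An added example, not part of the PR or of NetBSD, that turns the version check shown above into a reusable gate: it parses the first line of `openssl version`, maps the old letter-suffix patch scheme so that 0.9.7d sorts before 0.9.7h, and reports when an installed build predates the release the message names as carrying the CAN-2005-2969 fix on its branch. The fixed-release table and the sample banners are constructed from the versions quoted in the mail; any other branch is reported as unknown rather than guessed.

```python
import re

# Per-branch first release that openssl.org listed as carrying the
# CAN-2005-2969 security fix, as quoted in the message (constructed table).
FIXED_RELEASES = {"0.9.7": "0.9.7h", "0.9.8": "0.9.8a"}

_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse an `openssl version` banner into a comparable tuple.

    Pre-1.0 OpenSSL numbered patch releases with a letter (0.9.7d < 0.9.7h),
    so the suffix is folded into an integer to make tuple comparison correct.
    """
    m = _VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError("unrecognised openssl version banner: %r" % banner)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    patch = 0
    for ch in m.group(4):  # 'a' -> 1, 'b' -> 2, ...; no suffix -> 0
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, patch)


def predates_fix(banner, fixed=FIXED_RELEASES):
    """Return (branch, fixed_release) when the installed build is older than
    the first release of its branch with the fix; None when it is at or past
    that release, or when the branch is not in the table at all."""
    installed = parse_openssl_version(banner)
    branch = "%d.%d.%d" % installed[:3]
    if branch not in fixed:
        return None
    if installed < parse_openssl_version("OpenSSL " + fixed[branch]):
        return (branch, fixed[branch])
    return None


# Constructed sample banners; the first is the output quoted in the mail.
SAMPLE_BANNERS = [
    "OpenSSL 0.9.7d 17 Mar 2004",
    "OpenSSL 0.9.7j",
    "OpenSSL 0.9.8",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b, "->", predates_fix(b) or "at or after fixed release")
```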