On Mon, 23 Sep 2002 netbsd@purk.ee wrote:

> This is very confusing...is OpenSSL 0.9.6g 9 Aug 2002 vulnerable?

The confusing thing is that the initial fix didn't get rid of a denial of
service problem. So multiple fixes came out.

With the 1.5.x branch, the fix was just some patches to old version. Then
it was a complete OpenSSL upgrade. Then the last notice was simply to tell
you that you should consider rebuilding other NetBSD userland that used
it, because of library version number jump.

> I run a lot of boxes with RC1-3.

The upgrade to official NetBSD 1.6 should be easy. Notice that the
advisory says the 1.6 is not vulnerable. (The NetBSD advisory does say how
to update the openssl on the 1.6 betas.)

Good luck,

   Jeremy C. Reed
   http://www.reedmedia.net/