Subject: Re: Keeping 1.6.1 up to date.
To: Louis Guillaume <lguillaume@berklee.edu>
From: Oliver Egginger <oliver.egginger@dvz.fh-giessen.de>
List: netbsd-users
Date: 11/20/2003 16:03:59
> What is the expected maintenance scheme for a NetBSD release in a
> production environment?
First you have to download the sources. You can check out the source
tree from CVS with the "-rnetbsd-1-6-PATCH001-RELEASE" option.
The next step is to visit http://www.netbsd.org/Security/
Here are all vulnerabilities which were released after
"netbsd-1-6-PATCH001-RELEASE":
NetBSD-SA2003-017 OpenSSL multiple vulnerability
NetBSD-SA2003-016 Sendmail - another prescan() bug CAN-2003-0694
NetBSD-SA2003-015 Remote and local vulnerabilities in XFree86
NetBSD-SA2003-014 Insufficient argument checking in sysctl(2)
NetBSD-SA2003-013 Kernel memory disclosure via ibcs2
NetBSD-SA2003-012 Out of bounds memset(0) in sshd
NetBSD-SA2003-011 off-by-one error in realpath(3)
NetBSD-SA2003-010 remote panic in OSI networking code
Some of the patches are not relevant for 1.6.1
(netbsd-1-6-PATCH001-RELEASE). Also, most of them are not important for
me. But you must make your own choice. I only fixed the
NetBSD-SA2003-011, the NetBSD-SA2003-014 and the NetBSD-SA2003-017
vulnerabilities.
Set the CVSROOT, for example (bash2):
CVSROOT=:pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot; export CVSROOT
Then follow the instructions you will find under
http://www.netbsd.org/Security/
- oliver
On Thu, 2003-11-20 at 00:56, Louis Guillaume wrote:
> Hi Everyone,
>
> A great thing happened where a colleague of mine, upset with Redhat,
> decided to look at NetBSD.
>
> The one thing that's making him hesitate now is "How do you update a
> part of the base distribution if there was, say, a security advisory on
> that item?" He wants to see an up2date-like tool.
>
> I'm accustomed to using -current, where I build regularly and that would
> typically take care of issues like this. And then there's pkg_audit for
> the packages.
>
> Let's paint a hypothetical scenario...
>
> . Take a cleanly installed 1.6.1 system with no packages.
> . Subsequently, security advisories for several packages come out.
> . Patches are now made to -current and successfully tested for these fixes.
>
> Is the official NetBSD-1.6.1 distribution now going to be patched or do
> we have to wait for the next release before we can have a secure
> distribution?
>
> Let's assume the former is true and the sets for 1.6.1 are updated with
> the fixes.
>
> Are we expected to retrieve the latest sets and essentially upgrade
> 1.6.1 to 1.6.1(patched)?
>
> What is the expected maintenance scheme for a NetBSD release in a
> production environment?
>
> Any help would be fantastic,
> Thanks
>
> Louis
--
Oliver Egginger <oliver.egginger@dvz.fh-giessen.de>
Fachhochschule Giessen-Friedberg
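As an added example that is not part of Oliver's post or of NetBSD itself: the procedure he describes (pin the tree to the patch-release tag, read the advisory list, decide per advisory, patch) leaves the admin with the question "which advisories have I actually dealt with on this host?". The POSIX sh script below keeps that record in a file of applied advisory ids (the path /var/db/applied-advisories is a hypothetical choice) and reports which of the eight advisories listed above are still pending. The advisory list, the release tag and the anoncvs CVSROOT are taken from the post; the cvs module name "src" is an assumption, and the checkout command is only printed, never executed, so the script runs offline.

```shell
#!/bin/sh
# Advisory bookkeeping for a NetBSD 1.6.1 host (added example, not from the post).
# Assumption: the applied-advisories file holds one NetBSD-SA id per line for
# every advisory that has been patched and rebuilt on this host.

# Advisory list as quoted in the post, embedded here so the script runs offline.
ADVISORIES='NetBSD-SA2003-017 OpenSSL multiple vulnerability
NetBSD-SA2003-016 Sendmail - another prescan() bug CAN-2003-0694
NetBSD-SA2003-015 Remote and local vulnerabilities in XFree86
NetBSD-SA2003-014 Insufficient argument checking in sysctl(2)
NetBSD-SA2003-013 Kernel memory disclosure via ibcs2
NetBSD-SA2003-012 Out of bounds memset(0) in sshd
NetBSD-SA2003-011 off-by-one error in realpath(3)
NetBSD-SA2003-010 remote panic in OSI networking code'

# Release tag from the post; naming it once keeps checkout and update in step.
TAG=netbsd-1-6-PATCH001-RELEASE

# Default record file (hypothetical path).
APPLIED_FILE=${APPLIED_FILE:-/var/db/applied-advisories}

# The anoncvs CVSROOT exactly as given in the post.
anoncvs_root() {
    printf '%s\n' ':pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot'
}

# Print (do not run) the cvs command that fetches the tagged source tree.
# Module name "src" is assumed; -P prunes empty directories.
checkout_cmd() {
    printf 'cvs -d %s checkout -r %s -P src\n' "$(anoncvs_root)" "$TAG"
}

# Print every advisory line whose id is not recorded in the applied file.
# A missing record file means nothing has been applied: all lines are pending.
pending_advisories() {
    applied_file=$1
    printf '%s\n' "$ADVISORIES" | while IFS= read -r line; do
        id=${line%% *}
        if ! grep -qx "$id" "$applied_file" 2>/dev/null; then
            printf '%s\n' "$line"
        fi
    done
}

# Number of pending advisories; handy as a cron check that mails when non-zero.
pending_count() {
    pending_advisories "$1" | wc -l | tr -d ' '
}

# Record an advisory as applied (idempotent).
mark_applied() {
    applied_file=$1
    id=$2
    grep -qx "$id" "$applied_file" 2>/dev/null || printf '%s\n' "$id" >> "$applied_file"
}

# Minimal command-line front end: "report", "mark <id>" or "checkout".
case "${1:-}" in
    report)   pending_advisories "$APPLIED_FILE" ;;
    mark)     mark_applied "$APPLIED_FILE" "$2" ;;
    checkout) checkout_cmd ;;
esac
```

Running `sh advisories.sh report` on a host whose record file lists the three advisories Oliver fixed prints the other five, which is the list an admin still has to read and decide on; `mark` appends an id after the patch and rebuild are done.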