Subject: Re: Keeping 1.6.1 up to date.
To: Louis Guillaume <lguillaume@berklee.edu>
From: Oliver Egginger <oliver.egginger@dvz.fh-giessen.de>
List: netbsd-users
Date: 11/20/2003 16:03:59
> What is the expected maintenance scheme for a NetBSD release in a 
> production environment?

First you have to download the sources. You can check out the source
tree from CVS with the "-rnetbsd-1-6-PATCH001-RELEASE" option.
The next step is to visit http://www.netbsd.org/Security/
Here are all vulnerabilities that were released after
"netbsd-1-6-PATCH001-RELEASE":

NetBSD-SA2003-017 OpenSSL multiple vulnerability
NetBSD-SA2003-016 Sendmail - another prescan() bug CAN-2003-0694
NetBSD-SA2003-015 Remote and local vulnerabilities in XFree86 
NetBSD-SA2003-014 Insufficient argument checking in sysctl(2)
NetBSD-SA2003-013 Kernel memory disclosure via ibcs2
NetBSD-SA2003-012 Out of bounds memset(0) in sshd
NetBSD-SA2003-011 off-by-one error in realpath(3)
NetBSD-SA2003-010 remote panic in OSI networking code

Some of the patches are not relevant for 1.6.1
(netbsd-1-6-PATCH001-RELEASE). Also, most of them are not important for
me. But you must make your own choice. I only fixed the
NetBSD-SA2003-011, NetBSD-SA2003-014 and NetBSD-SA2003-017
vulnerabilities.

Set the CVSROOT, for example (bash2):
CVSROOT=:pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot; export CVSROOT

Then follow the instructions you will find at
http://www.netbsd.org/Security/

- oliver


On Thu, 2003-11-20 at 00:56, Louis Guillaume wrote:
> Hi Everyone,
> 
> A great thing happened where a colleague of mine, upset with Redhat, 
> decided to look at NetBSD.
> 
> The one thing that's making him hesitate now is "How do you update a 
> part of the base distribution if there was, say, a security advisory on 
> that item?" He wants to see an up2date-like tool.
> 
> I'm accustomed to using -current, where I build regularly and that would 
> typically take care of issues like this. And then there's pkg_audit for 
> the packages.
> 
> Let's paint a hypothetical scenario...
> 
> . Take a cleanly installed 1.6.1 system with no packages.
> . Subsequently, security advisories for several packages come out.
> . Patches are now made to -current and successfully tested for these fixes.
> 
> Is the official NetBSD-1.6.1 distribution now going to be patched or do 
> we have to wait for the next release before we can have a secure 
> distribution?
> 
> Let's assume the former is true and the sets for 1.6.1 are updated with 
> the fixes.
> 
> Are we expected to retrieve the latest sets and essentially upgrade 
> 1.6.1 to 1.6.1(patched)?
> 
> What is the expected maintenance scheme for a NetBSD release in a 
> production environment?
> 
> Any help would be fantastic,
> Thanks
> 
> Louis
-- 
Oliver Egginger <oliver.egginger@dvz.fh-giessen.de>
Fachhochschule Giessen-Friedberg
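The checkout and later re-sync that the reply above describes, written out as a small POSIX shell script. This is an added example, not code from the thread or from the NetBSD project. It uses the anoncvs CVSROOT and the netbsd-1-6-PATCH001-RELEASE tag quoted in the reply; the netbsd-1-6 branch tag used in the usage note is an assumption about the CVS layout, not something the thread states. Nothing is fetched unless NETBSD_RUN=1 is set, and DRY_RUN=1 prints the cvs command instead of running it.

```shell
#!/bin/sh
# Added example (not part of the original thread): check out the NetBSD
# source tree at a release tag, and later move an existing tree to another
# tag when a new PATCH release or a security fix lands on the branch.
# CVSROOT is the anoncvs server named in the reply.

CVSROOT=:pserver:anoncvs@anoncvs.NetBSD.org:/cvsroot
export CVSROOT

# Refuse anything that does not look like a NetBSD release/branch tag, so a
# typo does not silently check out the trunk (HEAD) instead of 1.6.x.
check_tag() {
    case $1 in
        netbsd-*) return 0 ;;
        *) echo "unexpected tag: '$1' (expected netbsd-...)" >&2; return 1 ;;
    esac
}

# Fresh checkout of src at the given tag.
# -q quiets per-directory chatter, -z3 compresses the transfer.
# With DRY_RUN=1 the command is printed instead of executed (offline use).
netbsd_checkout() {
    tag=$1
    check_tag "$tag" || return 1
    cmd="cvs -q -z3 -d $CVSROOT checkout -r $tag src"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        cvs -q -z3 -d "$CVSROOT" checkout -r "$tag" src
    fi
}

# Move an already checked-out src tree to another tag.
# -d creates directories added since the checkout, -P prunes empty ones.
netbsd_update() {
    tag=$1
    check_tag "$tag" || return 1
    cmd="cvs -q -z3 update -dP -r $tag"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        (cd src && cvs -q -z3 update -dP -r "$tag")
    fi
}

# Only touch the network when explicitly asked to.
if [ "${NETBSD_RUN:-0}" = 1 ]; then
    netbsd_checkout netbsd-1-6-PATCH001-RELEASE
fi
```

Usage: `NETBSD_RUN=1 sh checkout.sh` performs the checkout from the reply; afterwards `netbsd_update netbsd-1-6` (assumed branch tag) pulls in whatever has since been committed to the 1.6 branch, which is where the fixes listed in the advisories are applied. Review the advisories on http://www.netbsd.org/Security/ first, as the reply says, so you know which files you expect to change.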