Subject: Re: changing to NetBSD, still not quite sure... :-/
To: None <netbsd-users@netbsd.org>
From: Douglas A. Tutty <dtutty@porchlight.ca>
List: netbsd-users
Date: 11/11/2007 13:14:46
On Sun, Nov 11, 2007 at 03:39:14PM +0100, Christian Baer wrote:
> On Mon, 5 Nov 2007 16:50:35 -0500 Douglas A. Tutty wrote:
 
> > Finally, consider security issues and updates.  Just as an example, a
> > while ago, OpenSSL had a couple of problems.  FreeBSD was the first with
> > a fix followed the next day by Debian.  OpenBSD took a week or two to
> > fix it and verify the fix (to ensure that they didn't just make things
> > worse).  Last I looked, NetBSD didn't have a notice of a fix yet; an
> > email query I sent to the list was replied that a fix had been applied
> > for the next version but a back-port wasn't available yet.  That was a
> > week after the OpenBSD patch was posted; a month after FreeBSD and
> > Debian had posted fixes.  I'm sure that this comes down to resources and
> > there's the tradeoff.
> 
> Yeah, I watched this issue quite closely because I have two webservers to
> maintain that heavily use OpenSSL. Both run Linux though because the ISP
> set them up that way. I was more than surprised that NetBSD hasn't fixed
> that hole yet. Especially those people running production systems don't
> like updating the (complete) system just for a security patch. So normally
> I would expect a patch to be there even for older systems.
> 
> Is this something that happens a lot (NetBSD is the last to close a
> security hole)?

Well, look at the list of past security fixes.  Count them and note the
dates.  Do the same with the other OSs.  A few things jump out.

OpenBSD has fewer fixes but they only backport security fixes to which
OpenBSD is vulnerable.  If, for example, their changes to gcc prevent a
breach, then they don't bother backporting a fix.

NetBSD has fewer fixes but also doesn't have OpenBSD's gcc to explain it.

The last Debian security fix that applied to anything I have installed
was a perl heap overflow from November 6.  There have been a couple
since.  FreeBSD hasn't issued a security advisory since the Oct 3
OpenSSL.  Debian's perl is now at version 5.8.8 with the security patch
marking it as 5.8.8-7etch1.  FreeBSD doesn't have perl in its online man
pages; I guess they don't include it in base.  It is in ports at version
5.8.8_1 and it looks like the makefile was changed 4 days ago (November
7) to address the heap overflow.  OpenBSD has perl in base at version
5.8.8 (according to the online man page).  Either OpenBSD isn't
susceptible or it hasn't been fixed.  NetBSD has perl in ports but I
don't know which of the reams and reams of perl packages is just plain
perl to tell if it's been patched.

So in answer to your question, it's hard to tell since on the BSDs, only
security fixes to the base OS show up in the security page.
Packages/ports (whatever they call it) must have a different mechanism
to allow you to keep up-to-date.  However, just looking at the recent
Perl update, it seems again that Debian and FreeBSD lead the pack in the
response time to issuing updates.  The difference, then, is that for
Debian, it's a binary update taking only download and unpacking time to
implement.  To update the BSDs you have to download the source patch,
recompile, and then install the new version.

Doug.