tech-pkg archive


Re: Prefer pkgsrc OpenSSL after 2016Q1.



On 3/9/16 4:45 PM, Kamil Rytarowski wrote:
> Please check the dates of the most recent advisories:
> http://netbsd.org/support/security/
> 
> The latest advisory is from 2015.
> 
> Please see for example this page for the latest stable release:
> http://netbsd.org/support/security/patches-7.0.html
> 
> "NetBSD 7.0 Security Advisories
> 
> Below is the list of advisories applicable to the NetBSD 7.0 release:
> 
>     Nothing thus far"

NetBSD 7 was released on September 25, 2015.  Looking for all security
advisories sent to the security-announce mailing list since then finds
just one:

  http://mail-index.netbsd.org/security-announce/2015/10/22/msg000108.html

And in it, it says

===
Version:	NetBSD-current:		source prior to Mon, Jul 24th 2015
		NetBSD 7.0: 		not affected
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6: 	affected
		NetBSD 5.2 - 5.2.3: 	affected
		NetBSD 5.1 - 5.1.5: 	affected
===

That tells me that NetBSD 7 was not affected, so that makes me believe
that the "Nothing thus far" at

  http://netbsd.org/support/security/patches-7.0.html

is correct.

Are there security advisories you know of that were not sent to the
security-announce mailing list?

> This is why I formulated it by not active field, while users do check
> these pages and they are worried. I'm not a person in security team I
> cannot point them any actions taken off-hand - for example for DROWN.

I've seen no indication that the security team is dropping the ball.  To
my knowledge they've done a good job.

> Answer to pick-up -current isn't appropriate for everybody.

Agreed.

Regards,

Lewis

