Subject: Re: software versions/1.6.2
To: Havard Eidnes <he@netbsd.org>
From: Sancho2k.net Lists <lists@sancho2k.net>
List: netbsd-users
Date: 03/08/2004 06:48:54
Havard Eidnes wrote:

>>I installed from the 1.6.2-bin ISO.  The builtin sshd shows as follows:
>>
>>  $ scanssh 127.0.0.1
>>  127.0.0.1 SSH-1.99-OpenSSH_3.4 NetBSD_Secure_Shell-20030917
>>
>>Is it true that the version that comes with 1.6.2 is 3.4?
> 
> 
> Well, yes and no.  It is based on 3.4.  If you go read the
> CHANGES-1.6.* files, you'll see what local changes have been made
> to this particular version.  As far as I can see these are:

[snip change info]

>>If so, what is the recommended update path to get to the current
>>openssh release?
> 
> 
> Do you know of something which may cause you to need the upgrade?

Nope.

>>Am I wrong to expect a current version number to reflect a current
>>patch application?
> 
> 
> I'm not sure what you mean here, but the NetBSD date should indicate
> when the sources were last touched in a significant way.  And, yes, we
> do apply security patches to the software we maintain, and the
> netbsd-1-6 branch is still being maintained.

I worded that badly. What I mean is how can I find a way to query the 
package version, for any given package, and know where it lies in 
relation to security updates, as related to the author's/vendor's 
release versioning. For example, by following information directly from 
openbsd.org/openssh.org, I know that 3.8 is current enough to cover all 
known security concerns. I have used scanssh as a way of auditing our 
installed versions and finding out where we're out of date. Now that 3.4 
is cropping up on our NetBSD boxen, we've got to change that a bit.

It works a bit differently when working with software that is not 
installed from pkgsrc (such as openssh) because then we have to figure 
this out from something besides the package version.

If it's a matter of checking the changes file, we can find the info we need.

>>Another one is openssl:
>>
>>  $ openssl version
>>  OpenSSL 0.9.6g 9 Aug 2002
>>
>>I installed the binary package "openssl-0.9.6l" to add openssl to my 
>>system. I see that NetBSD-SA2004-003 describes the ASN.1 issue and 
>>mentions that 0.9.6l package resolves the vulnerability.
> 
> 
> Yes, but the fix for each of the branches is different, and this
> problem is solved by "minimal touch fix" of the sources.  The quoted
> SA also clearly states that 1.6.2 is not vulnerable to this weakness,
> and you'll again find the fixes in the doc/CHANGES-1.6.2 file:

[snip]

>>How does that tie in with the displayed release date of 9 Aug 2002?
>>Simply patched source..?
> 
> 
> Well, we can't/shouldn't touch that date.  Local software which needs
> to check that the mentioned vulnerability is fixed could do as pkgsrc
> does and check the symbol mentioned last above.
> 
> So... yes, this source is already patched.

Good enough.

I haven't come across any update info as of yet. Is there a -stable or 
-patch branch that one can follow, as well as -current? What process 
could I use on a regular basis to ensure that my netbsd systems are up 
to date and secured?

DS
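The banner audit discussed in this thread, as an added example that is not part of the original messages and is not NetBSD or scanssh code: it splits scanssh-style output into the upstream OpenSSH version and the NetBSD patch date carried in the vendor comment, so that a 3.4 banner with a NetBSD_Secure_Shell-20030917 tag is reported as a vendor-patched build to check against doc/CHANGES-* rather than as stock 3.4. The UPSTREAM_OK value 3.8 is the "current enough" release named in the thread; the sample inventory lines are constructed (the first one is the banner quoted above).

```shell
#!/bin/sh
# Added example, not code from the thread or from NetBSD.  It takes
# scanssh-style lines ("host SSH-proto-Product_version [vendor comment]")
# and reports the upstream version and the vendor patch date separately.
# UPSTREAM_OK is taken from the thread; adjust to the current upstream release.

UPSTREAM_OK=3.8

# parse_banner LINE -> "host|proto|product|version|vendordate"
# vendordate is empty when the banner carries no NetBSD_Secure_Shell tag.
parse_banner() {
    line=$1
    case $line in *' '*) ;; *) echo "parse_banner: no banner in '$line'" >&2; return 1 ;; esac
    host=${line%% *}
    rest=${line#* }
    ident=${rest%% *}                 # e.g. SSH-1.99-OpenSSH_3.4
    comment=${rest#"$ident"}          # e.g. " NetBSD_Secure_Shell-20030917" or ""
    comment=${comment# }
    proto=${ident#SSH-}; proto=${proto%%-*}
    software=${ident#SSH-*-}          # e.g. OpenSSH_3.4
    product=${software%%_*}
    version=${software#*_}
    vendordate=
    case $comment in
        NetBSD_Secure_Shell-*) vendordate=${comment##*-} ;;
    esac
    printf '%s|%s|%s|%s|%s\n' "$host" "$proto" "$product" "$version" "$vendordate"
}

# version_ge A B -> true when A's major.minor >= B's; portable suffixes
# such as "p1" are ignored (assumption: OpenSSH-style major.minor numbering)
version_ge() {
    a=${1%%[!0-9.]*}; b=${2%%[!0-9.]*}
    amaj=${a%%.*}; bmaj=${b%%.*}
    case $a in *.*) amin=${a#*.}; amin=${amin%%.*} ;; *) amin=0 ;; esac
    case $b in *.*) bmin=${b#*.}; bmin=${bmin%%.*} ;; *) bmin=0 ;; esac
    [ "$amaj" -gt "$bmaj" ] || { [ "$amaj" -eq "$bmaj" ] && [ "$amin" -ge "$bmin" ]; }
}

# classify LINE -> "host product version STATUS", where STATUS is
#   upstream-ok    : banner version alone is >= UPSTREAM_OK
#   vendor-patched : older banner version but a NetBSD patch date is present,
#                    so consult doc/CHANGES-* for that date, not the version
#   outdated       : older banner version and no vendor tag
classify() {
    IFS='|' read -r host proto product version vendordate <<EOF
$(parse_banner "$1")
EOF
    if version_ge "$version" "$UPSTREAM_OK"; then
        echo "$host $product $version upstream-ok"
    elif [ -n "$vendordate" ]; then
        echo "$host $product $version vendor-patched (NetBSD $vendordate: check doc/CHANGES-* for that date)"
    else
        echo "$host $product $version outdated"
    fi
}

# Constructed sample inventory; the first line is the banner quoted in the thread.
SAMPLE='127.0.0.1 SSH-1.99-OpenSSH_3.4 NetBSD_Secure_Shell-20030917
10.0.0.2 SSH-2.0-OpenSSH_3.8p1
10.0.0.3 SSH-1.99-OpenSSH_3.4'

# audit_inventory -> one classification line per sample line
audit_inventory() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r l; do classify "$l"; done
}

audit_inventory
```

In practice the SAMPLE block would be replaced by `scanssh` output piped in; the point of keeping the vendor date as a separate field is that the version number alone says nothing about which fixes a NetBSD-maintained build carries, while the date is what the CHANGES file can be searched for.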