Although not really a proper security advisory, because the base system appears to be safe (see my previous article, DROWN: Vulnerable? Not exactly!), installing some packages can make your NetBSD installs vulnerable to DROWN. By default, Apache 2.2 and a number of other packages enable SSLv2 and SSLv3 out of the box, and without the latest OpenSSL (NetBSD 7.0 ships with 1.0.1m) this means an attacker can force the use of low-cryptographic-strength export ciphers.
Fortunately, the same day DROWN was published, NetBSD’s trunk branch was updated to include 1.0.1s; a few days later the netbsd_7_0 and netbsd_6_1 branches had the source updates pulled in as well. However, netbsd.org makes no mention of this on its security advisories page, which is unfortunate because it is serious enough to merit an official patch and announcement.
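As an added example (not part of the original post, and not a NetBSD or Apache tool), the following POSIX sh functions turn the two facts above into a quick local check: whether an `openssl version` string is at or past the 1.0.1s release the post names, and whether an Apache 2.2 `SSLProtocol` directive still enables SSLv2 or SSLv3. Versions outside the 1.0.1 branch are reported as "unknown" rather than guessed at. The sample version strings and directive values are constructed for the demonstration.

```sh
#!/bin/sh
# Added example for this post; not NetBSD's or Apache's own tooling.
# openssl_drown_status: classify an `openssl version` string against the
#   1.0.1s fix named in the post. Anything older than the 1.0.1 branch never
#   received it; 1.0.2 and newer are outside the post's scope -> "unknown".
# weak_ssl_protocols: evaluate an Apache 2.2 SSLProtocol value and print
#   which of SSLv2/SSLv3 it still enables ("none" when neither is enabled).

openssl_drown_status() {
    # $1 is the full output of `openssl version`, e.g. "OpenSSL 1.0.1m 19 Mar 2015"
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1*)
            letter=${ver#1.0.1}                          # patch letter, "" for plain 1.0.1
            letter=$(printf '%s' "$letter" | cut -c1)    # ignore any "-fips" style suffix
            # Compare by character ordinal: "s" and later carry the fix.
            if [ -n "$letter" ] && [ "$(printf '%d' "'$letter")" -ge "$(printf '%d' "'s")" ]; then
                echo patched
            else
                echo vulnerable
            fi ;;
        0.*|1.0.0*)
            echo vulnerable ;;
        *)
            echo unknown ;;
    esac
}

weak_ssl_protocols() {
    # $1 is the value of an Apache 2.2 SSLProtocol directive, e.g. "all -SSLv2".
    # In 2.2, "all" expands to SSLv2, SSLv3 and TLSv1; "-X" removes, "+X" or "X" adds.
    v2=0; v3=0
    for tok in $1; do
        case "$tok" in
            all|+all)      v2=1; v3=1 ;;
            -all)          v2=0; v3=0 ;;
            SSLv2|+SSLv2)  v2=1 ;;
            -SSLv2)        v2=0 ;;
            SSLv3|+SSLv3)  v3=1 ;;
            -SSLv3)        v3=0 ;;
        esac
    done
    out=""
    [ "$v2" = 1 ] && out="SSLv2"
    [ "$v3" = 1 ] && out="${out:+$out }SSLv3"
    printf '%s\n' "${out:-none}"
}

# Constructed sample inputs (not captured from a real host):
openssl_drown_status "OpenSSL 1.0.1m 19 Mar 2015"   # vulnerable (stock NetBSD 7.0)
openssl_drown_status "OpenSSL 1.0.1s  1 Mar 2016"   # patched
weak_ssl_protocols "all"                            # SSLv2 SSLv3 (Apache 2.2 default)
weak_ssl_protocols "all -SSLv2 -SSLv3"              # none
```

On a live host, feed `openssl_drown_status "$(openssl version)"` and the `SSLProtocol` line from httpd.conf; the second function is deliberately limited to the two protocols DROWN depends on, so a "none" result says nothing about TLS cipher strength.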
In order to upgrade your install to include this patch, you will need to either download a daily build for your release (found here), or download the source and compile (github). I personally use sysupgrade to apply my upgrades automatically from my own daily builds, without issue.
For a quick-n-dirty in-place upgrade, try running the following:
```sh
# Of course, make sure `sysupgrade` is installed first!
pkgin -y install sysupgrade

# Download and apply patch. You can ignore /etc changes
# Use: sysupgrade -o ETCUPDATE=no auto /path/to/release
# Example:
sysupgrade -o ETCUPDATE=no auto \
```