Security Advisory: NetBSD upgrades to OpenSSL 1.0.1s

Although this is not really a proper security advisory, because the base system appears to be safe (see my previous article, DROWN: Vulnerable? Not exactly!), installing some packages can make your NetBSD installs vulnerable to DROWN. By default, Apache 2.2 and a number of other packages enable SSLv2 and SSLv3 out of the box, and without the latest OpenSSL (NetBSD 7.0 ships with 1.0.1m) this means an attacker can force the use of low-strength export ciphers.

Fortunately, on the same day DROWN was published, NetBSD's trunk branch was updated to include 1.0.1s; a few days later the netbsd_7_0 and netbsd_6_1 branches had the source updates pulled in as well. However, netbsd.org makes no mention of this on its security advisories page, which is unfortunate because it is serious enough to merit an official patch and announcement.

In order to upgrade your install to include this patch, you will need to either download a daily build for your release (found here) or download the source and compile it (github). I personally use sysupgrade to apply my upgrades automatically from my own daily builds, without issue.

For a quick-n-dirty in-place upgrade, try running the following:

# Of course, make sure `sysupgrade` is installed first!
pkgin -y install sysupgrade

# Download and apply the patch. The /etc changes can be skipped (ETCUPDATE=no).
# Use: sysupgrade -o ETCUPDATE=no auto /path/to/release
# Example:
sysupgrade -o ETCUPDATE=no auto \
ftp://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-7-0/201604060600Z/amd64
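Once the upgrade has run, it helps to confirm the result rather than trust the release directory name. The script below is an added example (not part of the original post or of NetBSD's tooling): it checks an `openssl version` line against the DROWN-fixed releases (1.0.1s for the 1.0.1 branch mentioned above, and 1.0.2g for the 1.0.2 branch, fixed in the same OpenSSL advisory) and parses an Apache 2.2 `SSLProtocol` directive to see whether SSLv2 or SSLv3 is still enabled. All inputs are constructed strings passed as arguments, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): two offline checks against
# strings an admin has already collected. (1) Is an `openssl version` line at
# or past the DROWN fix (1.0.1s for the 1.0.1 branch, 1.0.2g for 1.0.2)?
# (2) Does an Apache 2.2 SSLProtocol directive still leave SSLv2/SSLv3 on?

# Split "1.0.1m" into "<branch> <letter code>", e.g. "1.0.1 109"; no letter -> 0.
split_openssl_version() {
    num=${1%%[a-z]*}                 # "1.0.1m" -> "1.0.1"
    letter=${1#"$num"}               # -> "m" (may be empty)
    code=0
    [ -n "$letter" ] && code=$(printf '%d' "'$letter")
    echo "$num $code"
}

# 0 if an `openssl version` line (e.g. "OpenSSL 1.0.1m 19 Mar 2015") names a
# DROWN-fixed release, 1 if it is older, 2 if the branch is not handled here.
openssl_drown_fixed() {
    set -- $1                        # word-split the line; $2 is the version
    ver=$(split_openssl_version "$2")
    branch=${ver% *}; code=${ver#* }
    case $branch in
        1.0.1) min=$(printf '%d' "'s") ;;   # 1.0.1s: the release NetBSD pulled in
        1.0.2) min=$(printf '%d' "'g") ;;   # 1.0.2g: fixed in the same advisory
        *)     return 2 ;;
    esac
    [ "$code" -ge "$min" ]
}

# 0 if an Apache 2.2 "SSLProtocol ..." line still enables SSLv2 or SSLv3, 1 if
# both are off. Follows mod_ssl: a bare word replaces the set, +word adds,
# -word removes, and in 2.2 "all" includes SSLv2 and SSLv3.
sslprotocol_allows_legacy() {
    v2=0; v3=0
    set -- $1; shift                 # drop the SSLProtocol keyword itself
    for w in "$@"; do
        act=; case $w in [+-]*) act=${w%"${w#?}"}; w=${w#?} ;; *) v2=0; v3=0 ;; esac
        val=1; [ "$act" = - ] && val=0
        case $w in
            all)   v2=$val; v3=$val ;;
            SSLv2) v2=$val ;;
            SSLv3) v3=$val ;;
        esac
    done
    [ "$v2" = 1 ] || [ "$v3" = 1 ]
}
# Constructed sample inputs (the 1.0.1m line matches what NetBSD 7.0 ships).
openssl_drown_fixed "OpenSSL 1.0.1m 19 Mar 2015" && echo "fixed" || echo "still vulnerable"
sslprotocol_allows_legacy "SSLProtocol all -SSLv2 -SSLv3" && echo "legacy on" || echo "legacy off"
```

On a live host, feed it `"$(openssl version)"` and the `SSLProtocol` line from httpd.conf; a server with no `SSLProtocol` line at all behaves as `SSLProtocol all` in Apache 2.2.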
