Binary patches for the "Heartbleed" OpenSSL vulnerability.
9 April 2014
==========================================================

Background
----------

On 7 April 2014, a serious vulnerability in OpenSSL was announced.
It's being called the "Heartbleed" bug, and has identifier
CVE-2014-0160.  See .

OpenSSL versions from 1.0.1 to 1.0.1f are vulnerable, and version
1.0.1g is fixed.

Affected versions of NetBSD
---------------------------

NetBSD-5.0 and older:
    Not affected, because these versions of NetBSD contain older
    versions of OpenSSL.

NetBSD-6.0 branch:
    Versions from 6.0 to 6.0.4 are affected.  The files in this
    directory apply to these versions.  NetBSD 6.0.5 will contain
    OpenSSL version 1.0.1g, which is fixed.

NetBSD-6.1 branch:
    Versions from 6.1 to 6.1.3 are affected.  The files in this
    directory apply to these versions.  NetBSD 6.1.4 will contain
    OpenSSL version 1.0.1g, which is fixed.

NetBSD-current:
    NetBSD-current versions from June 2011 until 8 April 2014 contain
    vulnerable versions of OpenSSL 1.0.1.  Users of NetBSD-current
    should update their systems from source.

Pkgsrc:
    Pkgsrc versions of OpenSSL from openssl-1.0.1 to openssl-1.0.1fnb1
    are vulnerable.  Pkgsrc openssl-1.0.1g is fixed.

    Regardless of which version of NetBSD you use, if you are using a
    version of OpenSSL from pkgsrc, then you should update to pkgsrc
    openssl-1.0.1g or later.

These files
-----------

The files in this directory apply to NetBSD versions from 6.0 to
6.0.4, and 6.1 to 6.1.3, as well as any systems built from a netbsd-6*
branch before 8 April 2014.

These files contain libcrypto.8.2 and libssl.10.3 for NetBSD 6.X
systems, which patch the "Heartbleed" OpenSSL vulnerability.  Only the
shared libraries are replaced; the /usr/bin/openssl binary and any
statically linked programs are not.

SHA512 and MD5 checksums are included - please verify them before
installing.  PLEASE make sure to grab the right one for your
architecture, which in most cases is indicated by the output of
"uname -m".

To apply, untar as root as follows:

    # cd /
    # tar xpzf /path/to/file.tgz

...and then verify that "openssl version" shows the new libs in use.
The first version string is that of the openssl binary, which is not
replaced; the "Library:" string in parentheses is the one that
matters, and it must read 1.0.1g:

    # openssl version
    WARNING: can't open config file: /etc/openssl/openssl.cnf
    OpenSSL 1.0.1c 10 May 2012 (Library: OpenSSL 1.0.1g 7 Apr 2014)
    #

You will then need to restart any webservers or anything else using
OpenSSL: processes that were already running keep the old, vulnerable
library mapped until they are restarted.

NOTE: it is recommended to upgrade to NetBSD 6.0.5, or 6.1.4, or 6.2,
when they become available.
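The procedure above (check the architecture, verify the SHA512 checksum, extract as root, confirm that the library string reported by "openssl version" is 1.0.1g, then restart services) as a POSIX shell script.  This is an added example, not one of the NetBSD patch files.  It assumes the checksum file uses NetBSD's cksum(1) output format "SHA512 (file.tgz) = <hex>", that the tarball name contains the "uname -m" architecture, and that a sha512/sha512sum/cksum command is available; the function names are made up for the example.

```shell
#!/bin/sh
# Added example: install the Heartbleed library patch safely.
# Not part of the NetBSD distribution; file names, checksum-file format and
# tarball naming are assumptions documented in the comments.

# Print the SHA512 of a file using whichever tool the host provides
# (sha512(1) on NetBSD, sha512sum on GNU systems, cksum -a sha512 as fallback).
sha512_of() {
    if command -v sha512 >/dev/null 2>&1; then
        sha512 -q "$1"
    elif command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        cksum -a sha512 "$1" | sed -n 's/.* = //p'
    fi
}

# Compare a tarball against a checksum file in the assumed format
# "SHA512 (name.tgz) = hex".  Succeeds only if the entry exists and matches.
verify_sha512() {
    file=$1
    sumfile=$2
    name=$(basename "$file")
    expected=$(sed -n "s/^SHA512 ($name) = //p" "$sumfile")
    actual=$(sha512_of "$file")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Classify one line of "openssl version" output.  The "(Library: ...)" string
# is the version actually loaded; the leading string is only the binary's.
# Prints: vulnerable, fixed, unaffected or unknown.
heartbleed_status() {
    line=$1
    lib=$(printf '%s\n' "$line" | sed -n 's/.*(Library: OpenSSL \([^ )]*\).*/\1/p')
    # No Library string means binary and library versions agree.
    [ -n "$lib" ] || lib=$(printf '%s\n' "$line" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    case "$lib" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta1) echo vulnerable ;;   # 1.0.1 .. 1.0.1f
        1.0.1[g-z]*|1.0.[2-9]*|1.[1-9]*|[2-9].*) echo fixed ;;  # 1.0.1g or newer
        "") echo unknown ;;
        *) echo unaffected ;;   # older than 1.0.1: no heartbeat code at all
    esac
}

# Full procedure: architecture sanity check, checksum, extract, verify.
install_patch() {
    tarball=$1
    sumfile=$2
    arch=$(uname -m)
    # Assumption: the tarball name carries the architecture, e.g. ...-amd64.tgz
    case "$(basename "$tarball")" in
        *"$arch"*) ;;
        *) echo "warning: $tarball does not look like a $arch tarball" >&2 ;;
    esac
    if ! verify_sha512 "$tarball" "$sumfile"; then
        echo "SHA512 mismatch for $tarball, refusing to install" >&2
        return 1
    fi
    (cd / && tar xpzf "$tarball") || return 1
    status=$(heartbleed_status "$(openssl version 2>/dev/null | grep '^OpenSSL')")
    if [ "$status" != fixed ]; then
        echo "library still reports '$status' after extraction" >&2
        return 1
    fi
    echo "libcrypto/libssl updated; now restart every process linked against OpenSSL"
}

# Usage (as root):  sh install-heartbleed.sh /path/to/file.tgz /path/to/SHA512
if [ $# -ge 2 ]; then
    install_patch "$1" "$2"
fi
```

The status check deliberately ignores the first version string: on a patched 6.X system it still reads 1.0.1c because /usr/bin/openssl itself is untouched, and only the "Library:" string proves the new libcrypto is being loaded.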