Contributed by jose on from the oldland-security dept.
"We've had this discussion over and over again and the camp splits quite evenly into:
- Your problem: upgrade,
- Just keep going and patch as things come out.
It is not uncommon to find situations where upgrading quite yet is an option, and it gets put off almost indefinitely. While the newest software always does have the known fixes in it, it may also introduce more complications than are acceptable.
This doesn't just hold for OpenBSD 3.0 but all the previous versions.
I've started following two separate techniques: the first, and obvious, is to install over OpenBSD native versions whenever something "necessary" appears (for example: apache, openssl, sendmail...) but the new method I have been following is to apply OpenBSD 3.1 patches where possible.
I thought this was never going to work but, for example, the recent LPD patch works just fine because the code is from 1999. So, with a grain of salt you can happily patch your OpenBSD 3.0 source tree with OpenBSD 3.1 patches. Another patch which worked was the openssl patch - I had tried compiling the latest OpenSSL from source and was unable to reproduce the exact setup (including dynamic libraries) of the OpenBSD source tree.
Would it make sense to start having an archive of patches which apply clean to previous versions of OpenBSD and fix vulnerabilities? This need not be an "official" page but it would definitely help."
It's sometimes not possible to just apply the new code to an old tree, as APIs change (as has happened in OpenSSL, for example), breaking software. However, with some effort, new patches can be rolled for the older versions which preserve the compatibility while fixing known issues. The real question is: are any of you doing this?
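To make the "does a 3.1 patch still apply to a 3.0 tree" question concrete, here is an added example that is not code from the original post or from OpenBSD: a small pure-Python dry-run checker that parses a unified diff and tests whether each hunk's context and removed lines are still present in the older tree (allowing the same line-offset shift that patch(1) tolerates), without modifying anything. The source files and both patches are constructed samples with placeholder names (`printjob.c`, `ssl_lib.c`), not real OpenBSD sources or security patches. The first patch mimics the LPD case from the post (the code is unchanged, so the hunk applies at an offset); the second mimics the API-change case from the editor's note (the function signature changed, the context no longer matches, and the hunk fails).

```python
"""Dry-run check: does a unified diff made against a newer source tree still
apply to an older one?  Added example, not code from the original post or
from OpenBSD; every file and patch below is a constructed sample."""
import re
from typing import Dict, List, Tuple

# Hunk header: @@ -old_start[,old_len] +new_start[,new_len] @@
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_unified_diff(text: str) -> Dict[str, List[Tuple[int, List[str]]]]:
    """Map each '+++' target path to [(old_start, hunk_lines)]; hunk lines keep
    their ' ', '-' or '+' marker.  The header's counts decide where a hunk ends."""
    hunks: Dict[str, List[Tuple[int, List[str]]]] = {}
    path, lines, old_left, new_left = None, [], 0, 0
    for line in text.splitlines():
        if old_left > 0 or new_left > 0:          # still inside a hunk
            tag = line[:1]
            if tag != "\\":                       # skip '\ No newline at end of file'
                lines.append(line)
            if tag in (" ", "-"):
                old_left -= 1
            if tag in (" ", "+"):
                new_left -= 1
        elif line.startswith("+++ "):
            path = line[4:].split("\t")[0]
            hunks.setdefault(path, [])
        elif (m := HUNK_RE.match(line)) and path is not None:
            old_left, new_left = int(m.group(2) or 1), int(m.group(4) or 1)
            lines = []
            hunks[path].append((int(m.group(1)), lines))
    return hunks


def hunk_applies(old_lines: List[str], old_start: int, hunk: List[str],
                 window: int = 50) -> Tuple[bool, int]:
    """Do the hunk's context (' ') and removed ('-') lines occur in old_lines at
    old_start or within +/-window lines of it?  Returns (applies, offset)."""
    expected = [l[1:] for l in hunk if l[:1] in (" ", "-")]
    base = old_start - 1                          # diff line numbers are 1-based
    for offset in sorted(range(-window, window + 1), key=abs):
        pos = base + offset
        if pos < 0 or pos + len(expected) > len(old_lines):
            continue
        if old_lines[pos:pos + len(expected)] == expected:
            return True, offset
    return False, 0


def check_patch(tree: Dict[str, str], diff_text: str) -> Dict[str, List[Tuple[bool, int]]]:
    """Dry-run every hunk against an in-memory tree {path: contents}; nothing is modified."""
    report = {}
    for path, hunks in parse_unified_diff(diff_text).items():
        old_lines = tree.get(path, "").splitlines()
        report[path] = [hunk_applies(old_lines, start, lines) for start, lines in hunks]
    return report


def applies_cleanly(tree: Dict[str, str], diff_text: str) -> bool:
    """True only if every hunk of every file matches the older tree."""
    return all(ok for hunks in check_patch(tree, diff_text).values() for ok, _ in hunks)


# Constructed stand-in for an older (3.0-era) checkout.
TREE_OLD = {
    "printjob.c": """\
/* printjob.c: constructed sample, not OpenBSD code */
int print_file(const char *name)
{
    char buf[BUFSIZ];
    strcpy(buf, name);
    return 0;
}""",
    "ssl_lib.c": """\
/* ssl_lib.c: constructed sample, not OpenSSL code */
int ssl_accept(int fd)
{
    return do_handshake(fd);
}""",
}
# Constructed patch from a newer tree without the leading comment: same code, so it applies at offset +1.
PATCH_LPD = """\
--- printjob.c.orig
+++ printjob.c
@@ -3,4 +3,4 @@
     char buf[BUFSIZ];
-    strcpy(buf, name);
+    strlcpy(buf, name, sizeof(buf));
     return 0;
 }"""
# Constructed patch from a newer tree where ssl_accept()'s signature changed: the context is gone, so it fails.
PATCH_SSL = """\
--- ssl_lib.c.orig
+++ ssl_lib.c
@@ -2,4 +2,4 @@
 int ssl_accept(SSL *s)
 {
-    return do_handshake(s);
+    return do_handshake_checked(s);
 }"""

if __name__ == "__main__":
    for name, patch in (("lpd", PATCH_LPD), ("ssl", PATCH_SSL)):
        print(name, check_patch(TREE_OLD, patch))
```

On a real checkout you would build the `tree` dictionary from the files on disk and compare the report with what `patch -C` (OpenBSD) or `patch --dry-run` (GNU) says. A hunk that fails here is exactly the case the editor describes: the patch has to be rebuilt against the older API rather than forced in. A clean dry run is also only the first gate; the rebuilt source still has to compile and its tests still have to pass before the fix counts as applied.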