Linked by Thom Holwerda on Thu 1st May 2014 10:18 UTC
OpenBSD

OpenBSD 5.5 has been released. As usual, the list of changes goes way beyond my comfort zone - I'm not exactly into the world of BSD - but I'm pretty sure that those that use OpenBSD aren't interested in oversimplified nonsense from people like me anyway.

As always, get it on CD-ROM (I love typing that in this day and age), or straight from a mirror.

Heartbleed alert!
by sakeniwefu on Thu 1st May 2014 12:15 UTC
sakeniwefu Member since:
2008-02-26

If someone is considering moving to OpenBSD as a secure server right now, please be aware that this release as sold on CD and available from HTTP mirrors contains a vulnerable version of OpenSSL and needs to be patched by recompiling OpenSSL following the instructions available on the OpenBSD web site. If you aren't comfortable doing that and need HTTPS and similar, you should wait until 5.6, which will include the refurbished LibreSSL. This release is otherwise a nice one, including OpenBSD signed packages, 64-bit time_t and improved open source Radeon support.

Reply Score: 7

RE: Heartbleed alert!
by IsakWatertroll on Thu 1st May 2014 18:49 in reply to "Heartbleed alert!"
IsakWatertroll Member since:
2014-05-01

Patching OpenSSL in OpenBSD 5.5 is no different than installing any other security or reliability fix. If you're not up to installing security fixes, waiting for the next release isn't going to do you any good.

And yes, it'll be nice when we can use LibreSSL, but why in the world would you recommend not switching until that's ready? It's not available for other OSes (I can guess which you use) but I don't see you telling people to avoid those...

tl;dr: don't listen to the guy above me.

Reply Parent Score: 2

RE[2]: Heartbleed alert!
by Lennie on Thu 1st May 2014 20:50 in reply to "RE: Heartbleed alert!"
Lennie Member since:
2007-09-22

In other OpenBSD and OpenSSL news, OpenSSH doesn't depend on OpenSSL anymore:
http://it.slashdot.org/story/14/04/30/1822209/openssh-no-longer-has...

Reply Parent Score: 2

RE[2]: Heartbleed alert!
by sakeniwefu on Thu 1st May 2014 23:43 in reply to "RE: Heartbleed alert!"
sakeniwefu Member since:
2008-02-26

I run current, mind you. That is the only long-term security option.
For releases, usually security and reliability fixes are not critical security holes and in parts of base you might not even be using. Some releases had no errata at all before the following release.
Realistically, most people avoid touching working systems. No, it is not good, but you can see on the mailing lists that someone periodically asks how to update from 4.5 to 5.x. Do you think they are going to recompile from source once their uptime is larger than zero?
Starting with a release which is vulnerable to a widely known and trivial remote exploit is very dangerous in that context. There is no good way to install a patched system without installing a vulnerable one first.
Unlike most critical security holes to date, with Heartbleed one can get at your data without targeting OpenBSD specifically. It is 100% guaranteed your data will be stolen from a public-facing server. My systems are okay but I don't want identity theft platforms all over the web.

Reply Parent Score: 3