Security advisory points to non-existing files on nyftp.netbsd.org?

Discussion:

Lars-Johan Liman

2014-07-05 07:00:49 UTC

Hi!

The recent NetBSD Security Advisory SA2014-006

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-006.txt.asc

gives instructions on how to patch (which is really unacceptably
complicated, but that's a different story ...) for OpenSSL
vulnerabilities. One is instructed to download files from daily builds
on nyftp.netbsd.org.

Solutions and Workarounds
...
- From tarballs:
...
To obtain fixed binaries, fetch the appropriate base.tgz and comp.tgz
from a daily build later than the fix dates, from
http://nyftp.netbsd.org/pub/NetBSD-daily/<rel>/<date>/<arch>/binary/sets/
with a date 20140607* or larger, and your release version and architecture
(e.g. http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/201406070100Z/amd64/binary/sets/),
and then extract the files:
...
...

It's just that I cannot find any builds for stable branches (e.g.,
netbsd-6-1) any more. They were there past Monday (Jun 30), but now I
only find binaries for HEAD.

Does anyone have any information on

a) Where to find said tarballs?

b) What happened to the existing ones?

c) How to get the SA-instructions adjusted to avoid that more people run
into this problem?

Best regards,
/Liman

(Using my old autonomica.se address. Autonomica has been merged with
Netnod. I need to change my subscriptions.)
#----------------------------------------------------------------------
# Lars-Johan Liman, M.Sc. ! E-mail: ***@netnod.se
# Senior Systems Specialist ! Tel: +46 8 - 562 860 12
# Netnod Internet Exchange, Stockholm ! http://www.netnod.se/
#----------------------------------------------------------------------

Tonnerre LOMBARD

2014-07-06 19:36:08 UTC

Permalink

Salut,

Post by Lars-Johan Liman
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-006.txt.asc
gives instructions on how to patch (which is really unacceptably
complicated, but that's a different story ...) for OpenSSL
vulnerabilities. One is instructed to download files from daily builds
on nyftp.netbsd.org.
Solutions and Workarounds
...
...
To obtain fixed binaries, fetch the appropriate base.tgz and comp.tgz
from a daily build later than the fix dates, from
http://nyftp.netbsd.org/pub/NetBSD-daily/<rel>/<date>/<arch>/binary/sets/
with a date 20140607* or larger, and your release version and architecture
(e.g. http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/201406070100Z/amd64/binary/sets/),
...
...
It's just that I cannot find any builds for stable branches (e.g.,
netbsd-6-1) any more. They were there past Monday (Jun 30), but now I
only find binaries for HEAD.
Does anyone have any information on
a) Where to find said tarballs?
b) What happened to the existing ones?
c) How to get the SA-instructions adjusted to avoid that more people run
into this problem?

As it is the nature of daily build, the daily builds from the fix date
have already been replaced with more recent versions. The above URL was
put in as an example for people who want to know what a full path would
look like; that's why it says Â«e.g.Â» in the beginning. In reality, you
can choose any build later than the fix date, e.g. the one from today,
and you'll be fine.

Hope that helps,

Tonnerre

Lars-Johan Liman

2014-07-07 11:24:43 UTC

Permalink

Hej!

Post by Tonnerre LOMBARD
Salut,

As it is the nature of daily build, the daily builds from the fix date
have already been replaced with more recent versions. The above URL was
put in as an example for people who want to know what a full path would
look like; that's why it says «e.g.» in the beginning. In reality, you
can choose any build later than the fix date, e.g. the one from today,
and you'll be fine.
Hope that helps,

Well, actually no. Maybe I didn't express myself clear enough.

I just checked again, and I cannot find **ANY** builds **AT ALL** from
stable branches, only from HEAD, so there is nothing to choose from.

Today there is **ONE** build from netbsd-5-1, but none from netbsd-6*.

So my questions still stand.

BTW, I'm looking at

http://nyftp.netbsd.org/pub/NetBSD-daily/

I take that to be the correct place? (I tried ftp: as well. No
difference - which is as expected.)

Best regards,
/Liman

Ottavio Caruso

2014-07-07 13:04:03 UTC

Permalink

It's true that the stable builds for 6-1 have disappeared, I remember
not seeing any updates since late June.

They are back now.

--
Ottavio

Ottavio Caruso

2014-07-07 12:18:16 UTC

Permalink

Post by Lars-Johan Liman
I just checked again, and I cannot find **ANY** builds **AT ALL** from
stable branches, only from HEAD, so there is nothing to choose from.

It's true that the stable builds for 6-1 have disappeared, I remember
not seeing any updates since late June.

I guess you can still patch the new ssl libraries from the HEAD branch.

--
Ottavio

Jeff Rizzo

2014-07-09 20:44:41 UTC

Permalink

Post by Lars-Johan Liman
Well, actually no. Maybe I didn't express myself clear enough.
I just checked again, and I cannot find **ANY** builds **AT ALL** from
stable branches, only from HEAD, so there is nothing to choose from.
Today there is **ONE** build from netbsd-5-1, but none from netbsd-6*.

We had some trouble with our build cluster for a week or two, and some
branch builds got aged out and/or nuked inadvertantly. Most if not all
should be back by now; the rest should be coming soon.

Sorry for the inconvenience.

+j