DaemonForums, OpenBSD Security forum

Errata and M:Tier

#1  hitest, 15th November 2014

I generally like to follow the official errata with OpenBSD. However, lately I have become a huge fan of openup, the M:Tier utility.
Does the official errata address all or most of the security patches with OpenBSD? Does M:Tier pick up patches missed by the official errata? Can you use both the errata and openup to patch your OpenBSD 5.6 system? I realize this may be a foolish question.
Thank you for any and all replies.
#2  jggimi, 15th November 2014

For the convenience of the user community, M:Tier provides binary builds of -stable, the patch branch of OpenBSD. The OpenBSD Project does not have the resources to do so.

As described in OpenBSD FAQ 5.1, -stable includes published errata and may also include patches by the Project that are not in the errata. If so, these are either less critical or have a narrow use case.

In addition to OpenBSD itself, the ports tree may also have patches tagged as -stable. As with the OS, these are patches for stability or security for ports which do not require library changes. See OpenBSD FAQ 15.3.10.

#3  hitest, 15th November 2014

jggimi,

Thank you for the detailed, thorough explanation. I appreciate that a lot.
#4  blackhole, 17th November 2014

Generally the errata is for those who want to stick with -RELEASE and just apply the security patches (someone please feel free to correct me here), whereas syncing your sources to -STABLE (with CVS) and rebuilding the base system is for those who actually want to follow -STABLE (probably ports tree included). So presumably, if M:Tier provides binary builds of -stable (no idea), then the same applies, and you would probably not want to combine it with patches from the errata page.
#5  hitest, 20th November 2014

Thanks for the reply, cynwulf. I'm using the install56 ISO from the openbsd mirrors to install OpenBSD 5.6. Can someone tell me if it is acceptable to use both the errata and openup on an OpenBSD 5.6 install? I'm not sure if I'm reading these replies correctly. Perhaps I'm mixing up what stable and release means. Sorry for the extra noise in this channel.
Thanks for any and all replies.
#6  jggimi, 20th November 2014

I hope this helps clarify.
  • Patches against -release, if they have significant impact for a large number of users, will be published in errata.
  • Patches can be made against -release which do not qualify for publishing as errata.
Both types of patches are added to -stable. Sometimes, there are no minor -stable patches committed, and in that case -release+errata is equivalent to -stable.

Run -release+errata, or run -stable. The choice is yours.

Some people may require a -stable patch that was not published as errata, so they must run it. Others may find maintaining -stable is easier than manually building modules affected by errata, whether building -stable themselves, or using the M:Tier provided kernels and filesets.
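The -release+errata path described above, as an added example that is not part of the thread and is not OpenBSD's or M:Tier's own code: a small sh script that pulls the "Apply by doing" and rebuild instructions out of an errata patch, and verifies the patch with signify(1) before patch(1) ever sees a byte of it. The patch file layout, the key path /etc/signify/openbsd-56-base.pub, the /usr/src location and the libssl rebuild steps in the sample header are assumptions; the sample header is constructed from the thread's own description of erratum 005.

```shell
#!/bin/sh
# Added example for the -release+errata workflow on OpenBSD 5.6 (not code from the
# thread, from OpenBSD or from M:Tier). Assumptions: errata patches arrive as
# NNN_name.patch.sig with an embedded signify(1) signature, the release key is
# /etc/signify/openbsd-56-base.pub, and the source tree lives in /usr/src.
set -eu

# Every errata patch carries human instructions between "Apply by doing:" and the
# first "Index:" line. They name the component to rebuild after patching.
errata_instructions() {
    awk '/^Index:/ { exit } inblock { print } /^Apply by doing:/ { inblock = 1 }' "$1"
}

# "OpenBSD 5.6 errata 5, Oct 20, 2014:" -> 5
errata_number() {
    awk '/^OpenBSD [0-9.]+ errata [0-9]+,/ { sub(",", "", $4); print $4; exit }' "$1"
}

# Verify first, then patch: signify -V checks the embedded signature (-e) and writes the
# verified body to stdout (-m -); patch(1) never sees data that failed verification.
# With "check" as $3 the patch is only tested (patch -C), not applied.
verify_and_apply() {
    sig=$1; key=${2:-/etc/signify/openbsd-56-base.pub}; mode=${3:-check}
    case $mode in
        check) signify -Vep "$key" -x "$sig" -m - | (cd /usr/src && patch -C -p0) ;;
        apply) signify -Vep "$key" -x "$sig" -m - | (cd /usr/src && patch -p0) ;;
        *)     echo "usage: verify_and_apply patch.sig [key] [check|apply]" >&2; return 2 ;;
    esac
}

# Constructed sample header in the errata layout (the description is the thread's own
# wording for 5.6 erratum 005; the libssl rebuild steps are an assumption).
sample_patch() {
    cat <<'EOF'
OpenBSD 5.6 errata 5, Oct 20, 2014:

This patch disables the SSLv3 protocol by default.

Apply by doing:
    signify -Vep /etc/signify/openbsd-56-base.pub -x 005_sslv3.patch.sig -m - | \
        (cd /usr/src && patch -p0)

And then rebuild and install libssl:
    cd /usr/src/lib/libssl
    make obj
    make
    make install

Index: lib/libssl/src/ssl/ssl_lib.c
EOF
}

# Usage: sh errata.sh                            -> show what the sample header says to do
#        sh errata.sh 005_sslv3.patch.sig check  -> verify signature, dry-run the patch
#        sh errata.sh 005_sslv3.patch.sig apply  -> verify, apply, then follow the
#                                                   printed rebuild steps by hand
if [ $# -eq 0 ]; then
    tmp=$(mktemp); sample_patch > "$tmp"
    echo "erratum $(errata_number "$tmp") says:"; errata_instructions "$tmp"; rm -f "$tmp"
else
    verify_and_apply "$1" "${KEY:-/etc/signify/openbsd-56-base.pub}" "${2:-check}"
fi
```

The point of the pipeline is ordering: the signature is checked on the whole file before patch(1) parses any of it, so a tampered mirror cannot feed patch(1) hunks that were never signed. The rebuild steps differ per erratum (libssl here, the kernel or a single binary for others), which is why the script prints them instead of guessing.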
#7  hitest, 21st November 2014

Thanks so much for the reply, jggimi. I appreciate your assistance!
#8  gso, 26th November 2014

Would I be correct in thinking that it would be a mistake to connect one's freshly installed 5.6 release directly to the Internet then executing openup (with certificate in place)?
#9  jggimi, 26th November 2014

Quote (originally posted by gso):
    Would I be correct in thinking that it would be a mistake to connect one's freshly installed 5.6 release directly to the Internet ...?
Let's look at the published errata: 9 patches to date, 7 for reliability, 2 for security.
  • 003: SECURITY FIX: October 1, 2014 All architectures
    nginx can reuse cached SSL sessions in unrelated contexts, allowing virtual host confusion attacks in some configurations. This issue was assigned CVE-2014-3616.
Are you operating an nginx(8) web server on that freshly installed 5.6-release system? Probably not, even if you intend to provision one, as your use case is a freshly installed 5.6-release.
  • 005: SECURITY FIX: October 20, 2014 All architectures
    This patch disables the SSLv3 protocol by default. Applications depending on SSLv3 may need to be recompiled with SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3); but we recommend against the continued use of this obsolete protocol.
Will you connect your system to a server that requires you to use this obsolete (and insecure) protocol? Before you update? Probably not. Your use case is a freshly installed 5.6-release.


#10  gso, 26th November 2014

How would I configure named (or unbound, which I think is now in base) to resolve mtier.org?

#11  jggimi, 26th November 2014

Do you need to operate your own nameserver? Looking at this same use case (your first installation of a new system), you need only point your resolver at your ISP's nameserver.

If you are using DHCP for dynamic IP address configuration, the DHCP server would provide your system with the IP address(es) of your nameserver(s) at connection time. On OpenBSD, the resolver is configured by the dhclient(8) program, which is either run manually by the admin -- you, now -- or run at boot time by specifying "dhcp" in the applicable hostname.if(5) file. The program does this by altering your resolv.conf(5) file when it receives its assigned IP address and any nameserver IP address(es) from the DHCP server it contacts.

If you assign static IP addresses, you would edit /etc/resolv.conf manually, or you would let the installation script edit the file on your behalf by providing a nameserver IP address during installation.

#12  gso, 27th November 2014

I wouldn't normally consider unencrypted DNS; however, the issue I was experiencing seems to have been resolved with the dhclient.conf supersede modifier and the DHCP DNS option to override the DHCP-provided DNS with an alternative server (advertising enhanced security as a feature in this instance). Why this should make all the difference I'm not sure. Maybe the DNS should not be left to ISP defaults?

With this, M:Tier (provisionally at least) seems to have done the job fine. The only point I would note is that, if not copied into /etc/signify beforehand, the M:Tier public key is downloaded with ftp; the $FETCH var. at the top of the openup script, though, can be used to change the download method.

Security hardened and socksified firefox-esr seems to be holding out also.

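One way to act on the two points in the post above (the resolver override that dhclient(8) writes into resolv.conf(5), and the M:Tier key that openup would otherwise fetch for itself over ftp), as an added example that is not from the thread, from OpenBSD or from M:Tier: a pre-flight sh script for a fresh 5.6 install. The key file name mtier-56-pkg.pub, the pin variable MTIER_KEY_SHA256 and the resolver address 192.0.2.53 are assumptions, and the sample key content is constructed; the $ROOT prefix exists only so the script can be exercised on a scratch tree.

```shell
#!/bin/sh
# Added example (not code from the thread, from OpenBSD or from M:Tier): pre-flight for a
# fresh 5.6 install before running openup. Assumptions: the M:Tier package key is expected
# at /etc/signify/mtier-56-pkg.pub (name assumed), its SHA-256 was recorded out of band in
# MTIER_KEY_SHA256, and 192.0.2.53 stands in for the resolver you trust. The root prefix
# argument lets the functions work on a scratch tree; on the real box it is empty.
set -eu

sha256_of() {
    # OpenBSD ships sha256(1)/cksum(1); most other systems have sha256sum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum -a sha256 "$1" | sed 's/.* = //'
    fi
}

# 0 if the key file exists and hashes to the pinned value, 1 otherwise.
# openup fetches the key itself (over plain ftp unless $FETCH is changed) when the file
# is absent; pinning it here means that download path is never taken.
key_matches_pin() {
    [ -r "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$2" ]
}

# dhclient.conf(5) line that makes dhclient ignore the DHCP-offered resolvers and
# write only these addresses into resolv.conf(5).
dhclient_supersede_line() {
    list=$(printf '%s, ' "$@"); list=${list%, }
    printf 'supersede domain-name-servers %s;\n' "$list"
}

# Write the resolver override and refuse to continue without a matching key.
# $1 = root prefix ("" for the live system), pin taken from MTIER_KEY_SHA256.
preflight() {
    root=${1:-}; key=$root/etc/signify/mtier-56-pkg.pub
    pin=${MTIER_KEY_SHA256:?set MTIER_KEY_SHA256 to the out-of-band SHA-256 of the key}
    mkdir -p "$root/etc"
    dhclient_supersede_line 192.0.2.53 > "$root/etc/dhclient.conf"
    if key_matches_pin "$key" "$pin"; then
        echo "key pinned OK; safe to run openup"; return 0
    fi
    echo "refusing: $key missing or does not match pin; do not run openup" >&2
    return 1
}

# Stand-alone demo on a scratch tree with a constructed key (a real run uses an empty
# prefix and a pin obtained from a second channel, not computed from the same file).
if [ $# -eq 0 ]; then
    ROOT=$(mktemp -d); mkdir -p "$ROOT/etc/signify"
    printf 'untrusted comment: constructed example key\n' > "$ROOT/etc/signify/mtier-56-pkg.pub"
    MTIER_KEY_SHA256=$(sha256_of "$ROOT/etc/signify/mtier-56-pkg.pub")
    preflight "$ROOT" && cat "$ROOT/etc/dhclient.conf"
fi
```

The pin has to come from somewhere other than the download it guards (a previously verified install, or the key printed on another machine), otherwise the check only confirms that the file is the one that was just fetched.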
#13  jggimi, 27th November 2014

Quote (originally posted by gso):
    Security hardened ... firefox....
There are OpenBSD users who would say that is an oxymoron. There is an active thread on the misc@ mailing list where a user is attempting to isolate FF with various methods. Other users have chimed in to try to help.

http://marc.info/?t=141616714600001&r=1&w=2