Low End Unix

NetBSD Security Advisories

The Problem

NetBSD 9.3 shipped without any security advisories against it. Not any more.

The security advisories themselves contain solutions, but applying them one by one can be tedious.

Note that every advisory says the "NetBSD-9 branch" is fixed as of a certain date. What if we simply upgraded our system to a recent build of the NetBSD-9 branch?

A Bit of Caution

There are different views on whether formal releases, such as 9.3, or stable maintenance branches, such as NetBSD-9, are better for day-to-day use.

I pick stable maintenance branches because I think the peace of mind with regard to security outweighs the (small) risk of regression bugs.

A Binary-only Solution

The NetBSD Guide mentions sysupgrade, which I will describe in detail below.

First, we install sysupgrade from pkgsrc:

# pkgin install sysupgrade

Then, we visit http://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/ where "latest" takes us to the most recent build.

At the time of writing it points to 202210060200Z.

Our port happens to be amd64, so we give the following command:

# sysupgrade auto http://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9/202210060200Z/amd64/

After some downloading and installation, a prompt like the one in the screenshot below may appear.

NetBSD asking about /etc/group

The diff shows that the users and/or groups I added would be removed from /etc/group if I installed the new file. Therefore, I answer d to delete the new file and keep my existing one.

Similar prompts are shown for a few more files.

For /etc/master.passwd, I answered d, as it contains the users I added.

For /etc/motd, I answered i as I did not customize this file.

For /etc/mtree/set.etc, I answered i as I did not customize this file.

There was another question, Remove /tmp/temproot? (y/[n]), where I simply pressed Enter to take the default (n), which leaves the unpacked copy of the new etc set in place for later inspection.

Now we reboot the system.

After booting, checking the system information with neofetch and uname(1) shows that we are indeed running a recently built snapshot of NetBSD-9.

NetBSD system info after upgrade

Technically we have only checked the kernel build. Having seen the output of sysupgrade, though, we can be fairly confident that the base system sets were updated as well.
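The steps above, from picking a build to checking the result after the reboot, as an added shell example that is not part of the original post. It assumes the snapshot index is an HTML directory listing that contains the build directory names (a constructed sample is embedded so the script runs offline), that the real index can be fetched with NetBSD's ftp(1), and that a NetBSD-9 branch kernel reports 9.3_STABLE from uname -r while the release reports 9.3; the run argument, BASE_URL and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: the procedure as a script.
# It picks the newest NetBSD-9 daily build from the snapshot index, composes
# the directory URL that sysupgrade expects for the running port, and after
# the reboot checks that the kernel identifies itself as a _STABLE branch build.
# The index markup below and the "run" argument are assumptions of this example.

BASE_URL="http://nycdn.netbsd.org/pub/NetBSD-daily/netbsd-9"

# Constructed stand-in for the directory index served at $BASE_URL/.
# Only the build directory names (YYYYMMDDhhmmZ) matter; the markup is made up.
SAMPLE_INDEX='<a href="202209280200Z/">202209280200Z/</a>
<a href="202210010200Z/">202210010200Z/</a>
<a href="202210060200Z/">202210060200Z/</a>
<a href="latest/">latest/</a>'

# Read an index on stdin and print the newest build directory name.
# The names are UTC timestamps, so lexical order is chronological order;
# "latest" does not match the pattern and is ignored. Prints nothing if
# no build directory is found.
latest_build() {
    sed -n 's/.*\([0-9]\{12\}Z\).*/\1/p' | sort -u | tail -n 1
}

# Compose the URL sysupgrade wants: base/build/port/ (trailing slash included).
sysupgrade_url() {
    printf '%s/%s/%s/\n' "$BASE_URL" "$1" "$2"
}

# The release kernel reports "9.3" from uname -r; a NetBSD-9 branch build
# reports "9.3_STABLE". Return 0 (true) when the version string is from the
# branch, 1 otherwise.
is_stable_branch() {
    case "$1" in
        *_STABLE) return 0 ;;
        *)        return 1 ;;
    esac
}

# Dry run by default: show what would be done using the constructed index.
# With "run" as the first argument, fetch the real index with ftp(1) (NetBSD's
# ftp speaks HTTP) and hand the URL to sysupgrade. That path rewrites the
# base system and must be run as root, so it is opt-in.
main() {
    port=$(uname -m)                       # amd64 on the machine in the post
    if [ "${1-}" = run ]; then
        build=$(ftp -o - "$BASE_URL/" | latest_build)
        sysupgrade auto "$(sysupgrade_url "$build" "$port")"
    else
        build=$(printf '%s\n' "$SAMPLE_INDEX" | latest_build)
        echo "would run: sysupgrade auto $(sysupgrade_url "$build" "$port")"
    fi

    # Post-upgrade check: after the reboot, uname -r should end in _STABLE.
    if is_stable_branch "$(uname -r)"; then
        echo "kernel is a NetBSD-9 branch build: $(uname -r)"
    else
        echo "kernel is not a branch build: $(uname -r)"
    fi
}

main "$@"
```

Without arguments the script only prints the sysupgrade command it would run; the upgrade itself is opt-in. The uname -r check is a cheap complement to the screenshot, but it is still the kernel's own version string, so it only proves that the kernel was replaced, which is why the sysupgrade output is the evidence for the sets.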