Binary patches for the "Heartbleed" OpenSSL vulnerability.	9 April 2014
==========================================================

Background
----------

On 7 April 2014, a serious vulnerability in OpenSSL was announced.  It's
being called the "Heartbleed" bug, and has identifier CVE-2014-0160.
See <http://heartbleed.com>.  OpenSSL versions from 1.0.1 to 1.0.1f are
vulnerable, and version 1.0.1g is fixed.

Affected versions of NetBSD
---------------------------

NetBSD-5.0 and older: Not affected, because these versions of NetBSD
	contain older versions of OpenSSL.

NetBSD-6.0 branch: Versions from 6.0 to 6.0.4 are affected.  The files
	in this directory apply to these versions.  NetBSD 6.0.5 will
	contain OpenSSL version 1.0.1g, which is fixed.

NetBSD-6.1 branch: Versions from 6.1 to 6.1.3 are affected.  The files
	in this directory apply to these versions.  NetBSD 6.1.4 will
	contain OpenSSL version 1.0.1g, which is fixed.

NetBSD-current: NetBSD-current versions from June 2011 until 8 April
	2014 contain vulnerable versions of OpenSSL 1.0.1.  Users of
	NetBSD-current should update their systems from source.

Pkgsrc: Pkgsrc versions of OpenSSL from openssl-1.0.1 to openssl-1.0.1fnb1
	are vulnerable.  Pkgsrc openssl-1.0.1g is fixed.
	Regardless of what version of NetBSD you use, if you are using a
	version of OpenSSL from pkgsrc, then you should update to pkgsrc
	openssl-1.0.1g or later.

These files
-----------

The files in this directory apply to NetBSD versions from 6.0 to 6.0.4,
and 6.1 to 6.1.3, as well as any systems built from a netbsd-6* branch
before 8 April 2014.

These files contain libcrypto.8.2 and libssl.10.3 for
NetBSD 6.X systems, which should patch the "heartbleed"
OpenSSL vulnerability. SHA512 and MD5 checksums are included - please
verify them before installing.

PLEASE make sure to grab the right one for your architecture, which
in most cases is indicated by the output of "uname -m".

To apply, untar as root as follows:

# cd /
# tar xpzf /path/to/file.tgz

...and then verify that "openssl version" shows the new libs in
use:

# openssl version
WARNING: can't open config file: /etc/openssl/openssl.cnf
OpenSSL 1.0.1c 10 May 2012 (Library: OpenSSL 1.0.1g 7 Apr 2014)
#

You will then need to restart any webservers or anything else using
OpenSSL.
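
The "openssl version" check above can be scripted. This is an added
example, not part of the NetBSD files: the function names are hypothetical,
and every sample line except the first (taken from this page) is constructed.
It tests only the affected range this page states, 1.0.1 to 1.0.1f.

```shell
#!/bin/sh
# Added example (not part of the NetBSD files). Function names are hypothetical.

# Print the version of the OpenSSL library loaded at run time, given one
# line of "openssl version" output. If the line has a "(Library: ...)"
# suffix, that version wins over the build-time version at the front.
runtime_version() {
    case $1 in
        *"(Library: OpenSSL "*) v=${1#*"(Library: OpenSSL "} ;;
        "OpenSSL "*)            v=${1#"OpenSSL "} ;;
        *)                      return 1 ;;
    esac
    printf '%s\n' "${v%% *}"
}

# Print "vulnerable" for 1.0.1 through 1.0.1f (the range this page lists),
# "not-in-affected-range" for any other version, "unknown" if unparseable.
heartbleed_status() {
    v=$(runtime_version "$1") || { echo unknown; return 0; }
    case $v in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;
        *)                echo not-in-affected-range ;;
    esac
}

# First line is the output shown on this page; the rest are constructed.
while IFS= read -r line; do
    printf '%-22s %s\n' "$(heartbleed_status "$line")" "$line"
done <<'EOF'
OpenSSL 1.0.1c 10 May 2012 (Library: OpenSSL 1.0.1g 7 Apr 2014)
OpenSSL 1.0.1c 10 May 2012
OpenSSL 1.0.1e 11 Feb 2013 (Library: OpenSSL 1.0.1e 11 Feb 2013)
EOF

# Check the local system too, when openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    printf 'this host: %s\n' "$(heartbleed_status "$(openssl version 2>/dev/null)")"
fi
```

A line without the "(Library: ...)" suffix is judged on the leading version,
so an unpatched 6.X system reporting only 1.0.1c is flagged as vulnerable.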

NOTE: it is recommended to upgrade to NetBSD 6.0.5, or 6.1.4, or 6.2,
when they become available.