Solved

Applying security patches to FreeBSD 4.9-RELEASE

Posted on 2004-08-06
Last Modified: 2013-11-22
[Continued from http:Q_21080644.html#11733503 ....]

Where can I find the procedure for applying the security patches? I can't see anything resembling an idiot's guide at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html. Bearing in mind that I've just installed FreeBSD 4.9-RELEASE from the ISO, are there patches I need to apply?
Question by:rstaveley

Assisted Solution

by:hvdhelm
hvdhelm earned 50 total points
ID: 11733706
Read the Security Advisories <topics>; the full instructions for applying patches are there.

Normally, to apply a patch:

# cd /usr/src
# patch < /path/to/patch

But read the patch instructions in the Security Advisories (http://www.freebsd.org/security)


Author Comment

by:rstaveley
ID: 11733776
OK, I see there are 11 patches listed (on 6th August 2004) for FreeBSD 4.9-RELEASE:
--------8<--------
FreeBSD 4.9-RELEASE released.

FreeBSD-SA-03:15.openssh.asc
FreeBSD-SA-03:18.openssl.asc
FreeBSD-SA-03:17.procfs.asc
FreeBSD-SA-03:16.filedesc.asc
FreeBSD-SA-03:14.arp.asc
FreeBSD-SA-03:13.sendmail.asc
FreeBSD-SA-03:12.openssh.asc
FreeBSD-SA-03:11.sendmail.asc
FreeBSD-SA-03:10.ibcs2.asc
FreeBSD-SA-03:09.signal.asc
FreeBSD-SA-03:08.realpath.asc
--------8<--------

Three questions:

(1) Do I need to patch in chronological order?
(2) Is there a way to find out which patches have already been applied?
(3) Does it *harm* to re-apply a patch, which has already been applied?

Expert Comment

by:hvdhelm
ID: 11734554
1) No, not necessarily, but read the patch instructions
2) Hmmzz.. no idea how...
3) No, if .. the system usually warns or gives an error

Accepted Solution

by:gheist
gheist earned 100 total points
ID: 11735111
Idiots guide:
1) run /stand/sysinstall
install net/cvsup-without-gui
you may need ports/netcat to connect via proxies and good knowledge of proxy protocols
2) create a file typically called supfile
*default tag=RELENG_4_9
*default host=cvsup.fr.freebsd.org
*default prefix=/usr
*default base=/usr/local/etc/cvsup
*default release=cvs
*default delete
*default use-rel-suffix
*default compress
*default umask=002

ports-all tag=. #ports are not tagged for releases, just a word from developers they build on any release
src-all
3) make cvsup work directory
mkdir -p /usr/local/etc/cvsup
optionally you can put rejects file there to avoid updating filesets in unknown language
optionally you can add doc-all to get new documentation (not necessary as long as you keep with the same release)
4) now run # cvsup supfile
this takes some time
5) now when kernel patches are in the source tree you have to build the kernel
cd /usr/src/sys/i386/conf
config GENERIC
cd ../../compile/GENERIC
make depend
make
make install
reboot
now if it fails at boot you can always escape to boot prompt and do unload and boot bsd.GENERIC
alternatively you can optimize kernel to some degree - copy GENERIC under different name and remove processors that you cannot fit into your mainboard, add SMP options, tune some drivers, remove those you do not have
6) now when it is rebooted you are ready to rebuild everything in base system
cd /usr/src
nice make -j 10 world # 10 is count of compile jobs, each takes 10M of RAM, nice to keep rest running
reboot # since you are newbie and do not know how to restart all daemons running
you can do some tuning to system, for instance adding CPUTYPE=p2 to /etc/make.conf , as from /etc/defaults/make.conf , but this is not necessary before your system overloads. (4.9 has GCC 2.95, which optimizes for PII processor and never higher)

7) if you see some port breaks go to port directory and run make clean ; make build ; make deinstall ; make package ; make clean - i.e.
remove files from previous build, compile all, remove old port, install new and create package for future, clean up after.

Just my own guide, works always, no attending of host required (maybe only when you overcustomize the kernel)
cvsup can be replaced by cvs

Three questions:
(1) Yes - problems have been seen
(2) No (only cvsup/cvs tags version number into kernel)
(3) Yes - some patches are not protected against this
like ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:02/shmat.patch will add one line to one source file as much as needed, breaking the kernel build or so
0
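Questions (2) and (3) in this thread can be checked before a source tree is touched. The following is an added example, not part of the original posts: a hypothetical helper, patch_state, dry-runs a patch forward and in reverse and reports what it finds. It assumes a patch(1) that accepts --dry-run (GNU patch; some BSD versions spell the same check -C or --check), and the sample file and patch are constructed for the demonstration.

```shell
#!/bin/sh
# patch_state SRCDIR PATCHFILE [STRIP]   (hypothetical helper, added example)
# Prints one of: unapplied | applied | ambiguous | conflict.
# Only dry runs are performed, so SRCDIR is never modified.
patch_state() {
    src=$1 pf=$2 strip=${3:-0}
    fwd=1 rev=1
    # --dry-run: test only; -f: never prompt or guess at reversal;
    # -F0: require exact context, so a near match does not count.
    patch -d "$src" -p"$strip" --dry-run -f -s -F0 \
        < "$pf" >/dev/null 2>&1 && fwd=0
    patch -d "$src" -p"$strip" --dry-run -f -s -F0 -R \
        < "$pf" >/dev/null 2>&1 && rev=0
    case "$fwd$rev" in
        01) echo unapplied ;;  # applies forward only: safe to apply
        10) echo applied ;;    # reverses cleanly: change already present
        00) echo ambiguous ;;  # applies both ways: a second run would
                               # add the same lines again
        *)  echo conflict ;;   # tree differs from what the patch expects
    esac
}

# Constructed sample: a four-line source file and a patch adding a check.
make_sample() {
    dir=$1
    mkdir -p "$dir/src"
    printf '%s\n' 'int f(int n)' '{' '    return n;' '}' > "$dir/src/f.c"
    printf '%s\n' '--- f.c' '+++ f.c' '@@ -1,4 +1,6 @@' \
        ' int f(int n)' ' {' '+    if (n < 0)' '+        return 0;' \
        '     return n;' ' }' > "$dir/fix.patch"
}
```

With the functions loaded, patch_state /usr/src /path/to/patch reports the state of a real tree; only an "unapplied" result means the patch should be applied as-is.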
 

Expert Comment

by:hvdhelm
ID: 11735204
Trust gheist he has far more experience than me! :o)

Author Comment

by:rstaveley
ID: 11735301
Excellent post, gheist ... Many thanks :-)