• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 768
  • Last Modified:

Applying security patches to FreeBSD 4.9-RELEASE

[Continued from http:Q_21080644.html#11733503 ....]

Where can I find the procedure for applying the security patches? I can't see anything resembling an idiot's guide at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html. Bearing in mind that I've just installed FreeBSD 4.9-RELEASE from the ISO, are there patches I need to apply?
0
rstaveley
Asked:
rstaveley
  • 3
  • 2
2 Solutions
 
hvdhelmCommented:
Read the Security Advisories <topics> there are is the total instructions to apply patches.

Normaly To Apply a patch:

# cd /usr/src
# patch < /path/to/patch

But read the patch intruction in the Security Advisories (http://www.freebsd.org/security)

0
 
rstaveleyAuthor Commented:
OK, I see there are 11 patches listed (on 6th August 2004) for FreeBSD 4.9-RELEASE:
--------8<--------
FreeBSD 4.9-RELEASE released.

FreeBSD-SA-03:15.openssh.asc
FreeBSD-SA-03:18.openssl.asc
FreeBSD-SA-03:17.procfs.asc
FreeBSD-SA-03:16.filedesc.asc
FreeBSD-SA-03:14.arp.asc
FreeBSD-SA-03:13.sendmail.asc
FreeBSD-SA-03:12.openssh.asc
FreeBSD-SA-03:11.sendmail.asc
FreeBSD-SA-03:10.ibcs2.asc
FreeBSD-SA-03:09.signal.asc
FreeBSD-SA-03:08.realpath.asc
--------8<--------

Three questions:

(1) Do I need to patch in chronological order?
(2) Is there a way to find out which patches have already been applied?
(3) Does it *harm* to re-apply a patch, which has already been applied?
0
 
hvdhelmCommented:
1) No not ensserarily, but read the patch intructions
2) Hmmzz.. no idea how...
3) No, if .. the system usealy warns or gives an error
0
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

 
gheistCommented:
Idiots guide:
1) run /stand/sysinstall
install net/cvsup-without-gui
you may need ports/netcat to connect via proxies and good knowledge of proxy protocols
2) create a file typically called supfile
*default tag=RELENG_4_9
*default host=cvsup.fr.freebsd.org
*default prefix=/usr
*default base=/usr/local/etc/cvsup
*default release=cvs
*default delete
*default use-rel-suffix
*default compress
*default umask=002

ports-all tag=. #ports are not tagged for releases, just a word from developers they build on any release
src-all
3) make cvsup work directory
mkdir -p /usr/local/etc/cvsup
optionally you can put rejects file there to avoid updating filesets in unknown language
optionally you can add doc-all to get new documentation (not necessary until you keep with same release
4) now run # cvsup supfile
this takes some time
5) now when kernel patches are in source tree you have you build kernel
cd /usr/src/sys/i386/conf
config GENERIC
cd ../../compile/GENERIC
make depend
make
make install
reboot
now if it fails at boot you can always escape to boot prompt and do unload and boot bsd.GENERIC
alternatively you can optimize kernel to some degree - copy GENERIC under different name and remove processors that you cannot fit into your mainboard, add SMP options, tune some drivers, remove those you do not have
6) now when it is rebooted you are ready to rebuild everything in base system
cd /usr/src
nice make -j 10 world # 10 is count of compile jobs, each takes 10M of RAM, nice to keep rest running
reboot # since you are newbie and do not know how to restart all daemons running
you can do some tuning to system, for instance adding CPUTYPE=p2 to /etc/make.conf , as from /etc/defaults/make.conf , but this is not necessary before your system overloads. (4.9 has GCC 2.95, which optimizes for PII processor and never higher)

7) if you see some port breaks go to port directory and run make clean ; make build ; make deinstall ; make package ; make clean - i.e.
remove files from previous build, compile all, remove old port, install new and create package for future, clean up after.

Just my own guide, works always, no attending of host required ( meaybe only when you overcustomize kernel )
cvsup can be replaced by cvs

Three questions:
(1) Yes - problems have been seen
(2) No (only cvsup/cvs tags version number into kernel)
(3) Yes - some patches are not protected against this
like ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:02/shmat.patch will add one line to one source file as much as needed, breking the kernel build or so
0
 
hvdhelmCommented:
Trust gheist he has far more experience than me! :o)
0
 
rstaveleyAuthor Commented:
Excellent post, gheist ... Many thanks :-)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now