Solved

Applying security patches to FreeBSD 4.9-RELEASE

Posted on 2004-08-06
6
747 Views
Last Modified: 2013-11-22
[Continued from http:Q_21080644.html#11733503 ....]

Where can I find the procedure for applying the security patches? I can't see anything resembling an idiot's guide at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html. Bearing in mind that I've just installed FreeBSD 4.9-RELEASE from the ISO, are there patches I need to apply?
0
Comment
Question by:rstaveley
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 3

Assisted Solution

by:hvdhelm
hvdhelm earned 50 total points
ID: 11733706
Read the Security Advisories <topics> there are is the total instructions to apply patches.

Normaly To Apply a patch:

# cd /usr/src
# patch < /path/to/patch

But read the patch intruction in the Security Advisories (http://www.freebsd.org/security)

0
 
LVL 17

Author Comment

by:rstaveley
ID: 11733776
OK, I see there are 11 patches listed (on 6th August 2004) for FreeBSD 4.9-RELEASE:
--------8<--------
FreeBSD 4.9-RELEASE released.

FreeBSD-SA-03:15.openssh.asc
FreeBSD-SA-03:18.openssl.asc
FreeBSD-SA-03:17.procfs.asc
FreeBSD-SA-03:16.filedesc.asc
FreeBSD-SA-03:14.arp.asc
FreeBSD-SA-03:13.sendmail.asc
FreeBSD-SA-03:12.openssh.asc
FreeBSD-SA-03:11.sendmail.asc
FreeBSD-SA-03:10.ibcs2.asc
FreeBSD-SA-03:09.signal.asc
FreeBSD-SA-03:08.realpath.asc
--------8<--------

Three questions:

(1) Do I need to patch in chronological order?
(2) Is there a way to find out which patches have already been applied?
(3) Does it *harm* to re-apply a patch, which has already been applied?
0
 
LVL 3

Expert Comment

by:hvdhelm
ID: 11734554
1) No not ensserarily, but read the patch intructions
2) Hmmzz.. no idea how...
3) No, if .. the system usealy warns or gives an error
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 62

Accepted Solution

by:
gheist earned 100 total points
ID: 11735111
Idiots guide:
1) run /stand/sysinstall
install net/cvsup-without-gui
you may need ports/netcat to connect via proxies and good knowledge of proxy protocols
2) create a file typically called supfile
*default tag=RELENG_4_9
*default host=cvsup.fr.freebsd.org
*default prefix=/usr
*default base=/usr/local/etc/cvsup
*default release=cvs
*default delete
*default use-rel-suffix
*default compress
*default umask=002

ports-all tag=. #ports are not tagged for releases, just a word from developers they build on any release
src-all
3) make cvsup work directory
mkdir -p /usr/local/etc/cvsup
optionally you can put rejects file there to avoid updating filesets in unknown language
optionally you can add doc-all to get new documentation (not necessary until you keep with same release
4) now run # cvsup supfile
this takes some time
5) now when kernel patches are in source tree you have you build kernel
cd /usr/src/sys/i386/conf
config GENERIC
cd ../../compile/GENERIC
make depend
make
make install
reboot
now if it fails at boot you can always escape to boot prompt and do unload and boot bsd.GENERIC
alternatively you can optimize kernel to some degree - copy GENERIC under different name and remove processors that you cannot fit into your mainboard, add SMP options, tune some drivers, remove those you do not have
6) now when it is rebooted you are ready to rebuild everything in base system
cd /usr/src
nice make -j 10 world # 10 is count of compile jobs, each takes 10M of RAM, nice to keep rest running
reboot # since you are newbie and do not know how to restart all daemons running
you can do some tuning to system, for instance adding CPUTYPE=p2 to /etc/make.conf , as from /etc/defaults/make.conf , but this is not necessary before your system overloads. (4.9 has GCC 2.95, which optimizes for PII processor and never higher)

7) if you see some port breaks go to port directory and run make clean ; make build ; make deinstall ; make package ; make clean - i.e.
remove files from previous build, compile all, remove old port, install new and create package for future, clean up after.

Just my own guide, works always, no attending of host required ( meaybe only when you overcustomize kernel )
cvsup can be replaced by cvs

Three questions:
(1) Yes - problems have been seen
(2) No (only cvsup/cvs tags version number into kernel)
(3) Yes - some patches are not protected against this
like ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:02/shmat.patch will add one line to one source file as much as needed, breking the kernel build or so
0
 
LVL 3

Expert Comment

by:hvdhelm
ID: 11735204
Trust gheist he has far more experience than me! :o)
0
 
LVL 17

Author Comment

by:rstaveley
ID: 11735301
Excellent post, gheist ... Many thanks :-)
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
auto mounter on hp-ux 2 66
cron job says it ran, no results 25 136
Sed question 2 139
Need a version of telnet and/or ssh that supports tcp wrappers on AIX 5.1 16 112
A metadevice consists of one or more devices (slices). It can be expanded by adding slices. Then, it can be grown to fill a larger space while the file system is in use. However, not all UNIX file systems (UFS) can be expanded this way. The conca…
FreeBSD on EC2 FreeBSD (https://www.freebsd.org) is a robust Unix-like operating system that has been around for many years. FreeBSD is available on Amazon EC2 through Amazon Machine Images (AMIs) provided by FreeBSD developer and security office…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question