Solved

Applying security patches to FreeBSD 4.9-RELEASE

Posted on 2004-08-06
6
734 Views
Last Modified: 2013-11-22
[Continued from http:Q_21080644.html#11733503 ....]

Where can I find the procedure for applying the security patches? I can't see anything resembling an idiot's guide at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html. Bearing in mind that I've just installed FreeBSD 4.9-RELEASE from the ISO, are there patches I need to apply?
0
Comment
Question by:rstaveley
  • 3
  • 2
6 Comments
 
LVL 1

Assisted Solution

by:hvdhelm
hvdhelm earned 50 total points
ID: 11733706
Read the Security Advisories <topics> there are is the total instructions to apply patches.

Normaly To Apply a patch:

# cd /usr/src
# patch < /path/to/patch

But read the patch intruction in the Security Advisories (http://www.freebsd.org/security)

0
 
LVL 17

Author Comment

by:rstaveley
ID: 11733776
OK, I see there are 11 patches listed (on 6th August 2004) for FreeBSD 4.9-RELEASE:
--------8<--------
FreeBSD 4.9-RELEASE released.

FreeBSD-SA-03:15.openssh.asc
FreeBSD-SA-03:18.openssl.asc
FreeBSD-SA-03:17.procfs.asc
FreeBSD-SA-03:16.filedesc.asc
FreeBSD-SA-03:14.arp.asc
FreeBSD-SA-03:13.sendmail.asc
FreeBSD-SA-03:12.openssh.asc
FreeBSD-SA-03:11.sendmail.asc
FreeBSD-SA-03:10.ibcs2.asc
FreeBSD-SA-03:09.signal.asc
FreeBSD-SA-03:08.realpath.asc
--------8<--------

Three questions:

(1) Do I need to patch in chronological order?
(2) Is there a way to find out which patches have already been applied?
(3) Does it *harm* to re-apply a patch, which has already been applied?
0
 
LVL 1

Expert Comment

by:hvdhelm
ID: 11734554
1) No not ensserarily, but read the patch intructions
2) Hmmzz.. no idea how...
3) No, if .. the system usealy warns or gives an error
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 61

Accepted Solution

by:
gheist earned 100 total points
ID: 11735111
Idiots guide:
1) run /stand/sysinstall
install net/cvsup-without-gui
you may need ports/netcat to connect via proxies and good knowledge of proxy protocols
2) create a file typically called supfile
*default tag=RELENG_4_9
*default host=cvsup.fr.freebsd.org
*default prefix=/usr
*default base=/usr/local/etc/cvsup
*default release=cvs
*default delete
*default use-rel-suffix
*default compress
*default umask=002

ports-all tag=. #ports are not tagged for releases, just a word from developers they build on any release
src-all
3) make cvsup work directory
mkdir -p /usr/local/etc/cvsup
optionally you can put rejects file there to avoid updating filesets in unknown language
optionally you can add doc-all to get new documentation (not necessary until you keep with same release
4) now run # cvsup supfile
this takes some time
5) now when kernel patches are in source tree you have you build kernel
cd /usr/src/sys/i386/conf
config GENERIC
cd ../../compile/GENERIC
make depend
make
make install
reboot
now if it fails at boot you can always escape to boot prompt and do unload and boot bsd.GENERIC
alternatively you can optimize kernel to some degree - copy GENERIC under different name and remove processors that you cannot fit into your mainboard, add SMP options, tune some drivers, remove those you do not have
6) now when it is rebooted you are ready to rebuild everything in base system
cd /usr/src
nice make -j 10 world # 10 is count of compile jobs, each takes 10M of RAM, nice to keep rest running
reboot # since you are newbie and do not know how to restart all daemons running
you can do some tuning to system, for instance adding CPUTYPE=p2 to /etc/make.conf , as from /etc/defaults/make.conf , but this is not necessary before your system overloads. (4.9 has GCC 2.95, which optimizes for PII processor and never higher)

7) if you see some port breaks go to port directory and run make clean ; make build ; make deinstall ; make package ; make clean - i.e.
remove files from previous build, compile all, remove old port, install new and create package for future, clean up after.

Just my own guide, works always, no attending of host required ( meaybe only when you overcustomize kernel )
cvsup can be replaced by cvs

Three questions:
(1) Yes - problems have been seen
(2) No (only cvsup/cvs tags version number into kernel)
(3) Yes - some patches are not protected against this
like ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:02/shmat.patch will add one line to one source file as much as needed, breking the kernel build or so
0
 
LVL 1

Expert Comment

by:hvdhelm
ID: 11735204
Trust gheist he has far more experience than me! :o)
0
 
LVL 17

Author Comment

by:rstaveley
ID: 11735301
Excellent post, gheist ... Many thanks :-)
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

I promised to write further about my project, and here I am.  First, I needed to setup the Primary Server.  You can read how in this article: Setup FreeBSD Server with full HDD encryption (http://www.experts-exchange.com/OS/Unix/BSD/FreeBSD/A_3660-S…
Java performance on Solaris - Managing CPUs There are various resource controls in operating system which directly/indirectly influence the performance of application. one of the most important resource controls is "CPU".   In a multithreaded…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now