Solved

Applying security patches to FreeBSD 4.9-RELEASE

Posted on 2004-08-06
6
739 Views
Last Modified: 2013-11-22
[Continued from http:Q_21080644.html#11733503 ....]

Where can I find the procedure for applying the security patches? I can't see anything resembling an idiot's guide at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html. Bearing in mind that I've just installed FreeBSD 4.9-RELEASE from the ISO, are there patches I need to apply?
0
Comment
Question by:rstaveley
  • 3
  • 2
6 Comments
 
LVL 3

Assisted Solution

by:hvdhelm
hvdhelm earned 50 total points
ID: 11733706
Read the Security Advisories <topics> there are is the total instructions to apply patches.

Normaly To Apply a patch:

# cd /usr/src
# patch < /path/to/patch

But read the patch intruction in the Security Advisories (http://www.freebsd.org/security)

0
 
LVL 17

Author Comment

by:rstaveley
ID: 11733776
OK, I see there are 11 patches listed (on 6th August 2004) for FreeBSD 4.9-RELEASE:
--------8<--------
FreeBSD 4.9-RELEASE released.

FreeBSD-SA-03:15.openssh.asc
FreeBSD-SA-03:18.openssl.asc
FreeBSD-SA-03:17.procfs.asc
FreeBSD-SA-03:16.filedesc.asc
FreeBSD-SA-03:14.arp.asc
FreeBSD-SA-03:13.sendmail.asc
FreeBSD-SA-03:12.openssh.asc
FreeBSD-SA-03:11.sendmail.asc
FreeBSD-SA-03:10.ibcs2.asc
FreeBSD-SA-03:09.signal.asc
FreeBSD-SA-03:08.realpath.asc
--------8<--------

Three questions:

(1) Do I need to patch in chronological order?
(2) Is there a way to find out which patches have already been applied?
(3) Does it *harm* to re-apply a patch, which has already been applied?
0
 
LVL 3

Expert Comment

by:hvdhelm
ID: 11734554
1) No not ensserarily, but read the patch intructions
2) Hmmzz.. no idea how...
3) No, if .. the system usealy warns or gives an error
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
LVL 62

Accepted Solution

by:
gheist earned 100 total points
ID: 11735111
Idiots guide:
1) run /stand/sysinstall
install net/cvsup-without-gui
you may need ports/netcat to connect via proxies and good knowledge of proxy protocols
2) create a file typically called supfile
*default tag=RELENG_4_9
*default host=cvsup.fr.freebsd.org
*default prefix=/usr
*default base=/usr/local/etc/cvsup
*default release=cvs
*default delete
*default use-rel-suffix
*default compress
*default umask=002

ports-all tag=. #ports are not tagged for releases, just a word from developers they build on any release
src-all
3) make cvsup work directory
mkdir -p /usr/local/etc/cvsup
optionally you can put rejects file there to avoid updating filesets in unknown language
optionally you can add doc-all to get new documentation (not necessary until you keep with same release
4) now run # cvsup supfile
this takes some time
5) now when kernel patches are in source tree you have you build kernel
cd /usr/src/sys/i386/conf
config GENERIC
cd ../../compile/GENERIC
make depend
make
make install
reboot
now if it fails at boot you can always escape to boot prompt and do unload and boot bsd.GENERIC
alternatively you can optimize kernel to some degree - copy GENERIC under different name and remove processors that you cannot fit into your mainboard, add SMP options, tune some drivers, remove those you do not have
6) now when it is rebooted you are ready to rebuild everything in base system
cd /usr/src
nice make -j 10 world # 10 is count of compile jobs, each takes 10M of RAM, nice to keep rest running
reboot # since you are newbie and do not know how to restart all daemons running
you can do some tuning to system, for instance adding CPUTYPE=p2 to /etc/make.conf , as from /etc/defaults/make.conf , but this is not necessary before your system overloads. (4.9 has GCC 2.95, which optimizes for PII processor and never higher)

7) if you see some port breaks go to port directory and run make clean ; make build ; make deinstall ; make package ; make clean - i.e.
remove files from previous build, compile all, remove old port, install new and create package for future, clean up after.

Just my own guide, works always, no attending of host required ( meaybe only when you overcustomize kernel )
cvsup can be replaced by cvs

Three questions:
(1) Yes - problems have been seen
(2) No (only cvsup/cvs tags version number into kernel)
(3) Yes - some patches are not protected against this
like ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:02/shmat.patch will add one line to one source file as much as needed, breking the kernel build or so
0
 
LVL 3

Expert Comment

by:hvdhelm
ID: 11735204
Trust gheist he has far more experience than me! :o)
0
 
LVL 17

Author Comment

by:rstaveley
ID: 11735301
Excellent post, gheist ... Many thanks :-)
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Hello fellow BSD lovers, I've created a patch process for patching openjdk6 for BSD (FreeBSD specifically), although I tried to keep all BSD versions in mind when creating my patch. Welcome to OpenJDK6 on BSD First let me start with a little …
My previous tech tip, Installing the Solaris OS From the Flash Archive On a Tape (http://www.experts-exchange.com/articles/OS/Unix/Solaris/Installing-the-Solaris-OS-From-the-Flash-Archive-on-a-Tape.html), discussed installing the Solaris Operating S…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question