From owner-freebsd-questions@FreeBSD.ORG Tue Apr 5 17:26:55 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5979E16A4CE
	for ; Tue, 5 Apr 2005 17:26:55 +0000 (GMT)
Received: from ns1.tiadon.com (SMTP.tiadon.com [69.27.132.161])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0370443D41
	for ; Tue, 5 Apr 2005 17:26:55 +0000 (GMT)
	(envelope-from kdk@daleco.biz)
Received: from [69.27.131.0] ([69.27.131.0]) by ns1.tiadon.com with Microsoft SMTPSVC(6.0.3790.211);
	Tue, 5 Apr 2005 12:29:25 -0500
Message-ID: <4252CA5C.9040706@daleco.biz>
Date: Tue, 05 Apr 2005 12:26:52 -0500
From: Kevin Kinsey
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.3) Gecko/20041210
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: John Hall
References: <3rr04b$oie03j@mxip02a.cluster1.charter.net>
In-Reply-To: <3rr04b$oie03j@mxip02a.cluster1.charter.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 05 Apr 2005 17:29:26.0304 (UTC) FILETIME=[03CE8200:01C53A05]
cc: questions@freebsd.org
Subject: Re: PRERELEASE?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 05 Apr 2005 17:26:55 -0000

John Hall wrote:

>We currently have 5.4-PRERELEASE installed on our web box:
>
>outpost# uname -a
>FreeBSD outpost.blacklotus.net 5.4-PRERELEASE FreeBSD 5.4-PRERELEASE #0: Wed
>Mar 30 13:38:38 MST 2005
>hallj@outpost.blacklotus.net:/usr/obj/usr/src/sys/OUTPOST i386
>
>I need to know if we need to update the server to 5.4-RELEASE with this
>version of 5.4 in order to protect against the sendfile kernel memory
>problem in the security notice at:
>
>ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:02.sendfile.asc
>
>Thanks!
>
>John Hall [jhall@lotuscom.net]
>Manager of Operations
>Black Lotus Communications
>[http://www.blacklotus.net]
>
>

I don't think it's possible to update to 5.4-RELEASE, as it doesn't exist yet AFAICT from the web site. I've not checked the CVS repo or mirrors, so I guess it's possible that it has been tagged in the last couple of days, though.

Updating to any codebase from today or following the patch method outlined in the announcement should make you safe from this vulnerability. See the Handbook chapter on "the Cutting Edge". The RELEASE tag you'd want would be "RELENG_5", I expect.

Whoops, OK: now I see that apparently 5.4 has been tagged. As mentioned in the advisory, you can either patch your system and recompile the kernel or update to one of seven different code paths to get the new code. If your server was built just a week ago, then 5.4-RELEASE sounds great for this purpose, and the only viable choices for you are RELENG_5, RELENG_5_4, or RELENG_5_3.

However, the recommended procedure for the entire world reinstall includes some time (not much, probably) spent in single-user mode, so if this is a busy box that needs 99.99 percent uptime, maybe the kernel rebuild would be better, as a simple reboot on the new kernel would be the only thing required.... I'm sure that this statement might be open to debate....

Kevin Kinsey