Date:      Tue, 05 Apr 2005 12:26:52 -0500
From:      Kevin Kinsey <kdk@daleco.biz>
To:        John Hall <jawn@charter.net>
Cc:        questions@freebsd.org
Subject:   Re: PRERELEASE?
Message-ID:  <4252CA5C.9040706@daleco.biz>
In-Reply-To: <3rr04b$oie03j@mxip02a.cluster1.charter.net>
References:  <3rr04b$oie03j@mxip02a.cluster1.charter.net>

John Hall wrote:

>We currently have 5.4-PRERELEASE installed on our web box:
>
>outpost# uname -a
>FreeBSD outpost.blacklotus.net 5.4-PRERELEASE FreeBSD 5.4-PRERELEASE #0: Wed
>Mar 30 13:38:38 MST 2005
>hallj@outpost.blacklotus.net:/usr/obj/usr/src/sys/OUTPOST  i386
>
>I need to know if we need to update the server to 5.4-RELEASE with this
>version of 5.4 in order to protect against the sendfile kernel memory
>problem in the security notice at:
>
>ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:02.sendfile.asc
>
>Thanks!
>
>John Hall [jhall@lotuscom.net]
>Manager of Operations
>Black Lotus Communications
>[http://www.blacklotus.net] 
>  
>

I don't think it's possible to update to 5.4-RELEASE, as it
doesn't exist yet AFAICT from the web site.  I've not checked
the CVS repo or mirrors, so I guess it's possible that it has
been tagged in the last couple of days, though.

Updating to any codebase from today or following the
patch method outlined in the announcement should
make you safe from this vulnerability.

See the Handbook chapter on "the Cutting Edge".
The RELEASE tag you'd want would be "RELENG_5",
I expect.

Whoops, OK:  now I see that apparently 5.4 has
been tagged.  As mentioned in the advisory, you
can either patch your system and recompile the
kernel or update to one of seven different code
paths to get the new code.  If your server was built
just a week ago, then 5.4-RELEASE sounds great
for this purpose, and the only viable choices for you
are RELENG_5, RELENG_5_4, or RELENG_5_3. 
However, the recommended procedure for the
entire world reinstall includes some time (not
much, probably) spent in single-user mode, so if this
is a busy box that needs 99.99 percent uptime, maybe
the kernel rebuild would be better, as a simple reboot
on the new kernel would be the only thing required....
I'm sure that this statement might be open to debate....

Kevin Kinsey


