From: Tom Carpenter
Date: Mon, 14 Nov 2011 10:49:11 -0500
To: freebsd-questions@freebsd.org
Subject: Re: 8.2-RELEASE-p4
Message-ID: <4EC13877.3070704@bio.umass.edu>
In-Reply-To: <005301cca2b7$add11f20$09735d60$@co.ke>

Do you anticipate the release of a fix/update that will allow systems to
be patched to -p4 or later via freebsd-update?

-Tom Carpenter

On 11/14/2011 05:25 AM, Evalyn wrote:
> It touches the kernel but you need to do make buildkernel/make installkernel
> before uname -a shows "8.2-RELEASE-p4".
>
> Regards,
> Evalyn
>
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Matthew Seaman
> Sent: 12 November 2011 02:03
> To: Robert Simmons
> Cc: freebsd-questions@freebsd.org
> Subject: Re: 8.2-RELEASE-p4
>
> On 11/11/2011 21:03, Robert Simmons wrote:
>>> Note that if a security update is just to some userland programs,
>>>> freebsd-update won't touch the OS kernel, so the reported version
>>>> number doesn't change even though the update has been applied. In
>>>> these sorts of cases, it's not necessary to reboot, just to restart
>>>> any long running processes (if any) affected by the update. The
>>>> security advisory should have more detailed instructions about
>>>> exactly what to do. (The -p2 to -p3 update was like this, but the
>>>> -p3 to -p4 update definitely did affect the kernel so a reboot was
>>>> necessary.)
>> I'm not confident that you are correct here. See above. Either p3-p4
>> did not touch the kernel, or the OP has a legitimate question.
> Interesting. I based what I said on the text of the security advisories:
>
> http://security.freebsd.org/advisories/FreeBSD-SA-11:04.compress.asc
> http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc
>
> Specifically the 'Corrected:' section near the top. I think it's clear that
> FreeBSD-SA-11:04.compress (Corrected in 8.2-RELEASE-p3) doesn't involve
> anything in the kernel but FreeBSD-SA-11:05.unix (Corrected in
> 8.2-RELEASE-p4) is entirely within the kernel code. Except those advisories
> aren't telling the whole story.
>
> Let's look at r226023 in SVN. That's the revision quoted in the 11.05
> advisory. The log for newvers.sh in
>
> http://svnweb.freebsd.org/base/releng/8.2/sys/conf/newvers.sh?view=log&pathrev=226023
>
> says that the patches in RELEASE-p4 were not actually the security fix
> -- rather they fixed a problem revealed by the actual security fix, which
> was applied simultaneously with the patches in FreeBSD-SA-11:04.compress.
> 11.05 was committed in two blobs spanning -p3 and -p4.
>
> So, the good news is that if you have at least 8.2-RELEASE-p3 then you don't
> have any (known) security holes. However if you don't have the patches in
> 8.2-RELEASE-p4 then linux apps run under emulation will crash if they use
> unix domain sockets. The flash plugin for Firefox being the most prominent
> example as I recall.
>
> Now the updates for -p4 certainly should have touched the kernel, and
> certainly should have resulted in an updated uname string[*]. There should
> also be a note about -p4 in /usr/src/UPDATING. Starting to wonder if the
> -p4 patches are actually available via freebsd-update(8)
> -- could they have been omitted because it wasn't actually a security fix?
> Odd that no one would have commented in a whole month if so.
>
> Cheers,
>
> Matthew
>
>
>
> [*] strings /boot/kernel/kernel | grep '8\.2-' should give the same
> results as uname(1): if it's different then the running kernel is not the
> same as the one on disk...
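
The footnote's check (version string in the on-disk kernel file versus what uname reports), as an added shell example that is not part of the original thread. The function names and the sample line are constructed for illustration; the kernel path is the one given in the footnote.

```shell
#!/bin/sh
# Added example: compare the release string of the running kernel with the
# one embedded in the kernel file on disk (the footnote's strings | grep check).

# Print the first "N.N-RELEASE[-pN]" token found on stdin.
release_of() {
    grep -Eo '[0-9]+\.[0-9]+-RELEASE(-p[0-9]+)?' | head -n 1
}

# Patch level as a number: 8.2-RELEASE-p4 -> 4, 8.2-RELEASE -> 0.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# compare_kernels RUNNING ONDISK: print one status word.
compare_kernels() {
    run_rel=$1
    disk_rel=$2
    if [ -z "$run_rel" ] || [ -z "$disk_rel" ]; then
        echo unknown; return
    fi
    if [ "${run_rel%%-*}" != "${disk_rel%%-*}" ]; then
        echo different-release; return
    fi
    run_p=$(patch_level "$run_rel")
    disk_p=$(patch_level "$disk_rel")
    if [ "$run_p" -eq "$disk_p" ]; then
        echo same                # running kernel matches the file on disk
    elif [ "$run_p" -lt "$disk_p" ]; then
        echo reboot-pending      # newer kernel installed but not yet booted
    else
        echo disk-older          # kernel file is older than the running one
    fi
}

# Constructed sample of what strings(1) might print from a kernel file.
SAMPLE='@(#)FreeBSD 8.2-RELEASE-p4 #0: constructed sample line'
echo "sample: $(compare_kernels 8.2-RELEASE-p3 "$(echo "$SAMPLE" | release_of)")"

# On a FreeBSD host, run the same check against the real kernel.
if [ -r /boot/kernel/kernel ] && command -v strings >/dev/null 2>&1; then
    on_disk=$(strings /boot/kernel/kernel | release_of)
    echo "host: $(compare_kernels "$(uname -r | release_of)" "$on_disk")"
fi
```

A `same` result at a patch level below the one you expected means the kernel file on disk was not updated, so a reboot alone will not change what uname reports.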