Date: Mon, 23 Jun 2003 13:23:12 +0300
From: Jim Xochellis <dxoch@escape.gr>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: freebsd-questions@freebsd.org
Subject: Re: About Patches
Message-ID: <B1471F0C-A564-11D7-B54A-003065C4E486@escape.gr>
In-Reply-To: <20030623094444.GB27760@happy-idiot-talk.infracaninophile.co.uk>

Many thanks Matthew, you have been very helpful.

Regards,

Jim Xochellis

On Monday, June 23, 2003, at 12:44 PM, Matthew Seaman wrote:

> On Mon, Jun 23, 2003 at 11:54:54AM +0300, Jim Xochellis wrote:
>> Hi List,
>>
>> I need to apply some security patches to my FreeBSD(i386) 4.7-RELEASE
>> box and I am concerned about the possibility that I could actually harm
>> my system while trying to apply these patches. (I am not a Unix guru
>> actually)
>
> Fear not: security patches are very well tested and should do what
> they claim without unpleasant side effects. Even if there were
> problems with a patch in the early stages, it would soon be detected
> and corrected -- as there hasn't been a security patch since
> FreeBSD-SA-03:07.sendmail at the end of March, I don't think you have
> to worry on that score.
>
>> 1) Do I have to apply the security patches in a specific order?
>
> Preferably in the order that they were issued, although you can
> probably get away with a different order for patches that apply to
> distinct parts of the sources.
>
>> 2) Is there a chance where a patch requires a previous one? (In my case
>> some patches are not applicable)
>
> Source patches will generally be made against the previous patch level
> of whichever release branch is involved. So, yes, you will have to
> apply pre-requisite patches in some circumstances. Any necessary
> prerequisites will be documented in the advisory: E.g. see
>
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03%3A06.openssl.asc
>
> which states:
>
>     2) To patch your present system:
>
>     The following patches have been verified to apply to FreeBSD 4.6, 4.7,
>     and 5.0 systems which have already been patched for the issues resolved
>     in FreeBSD-SA-03:02.openssl.
>
>> 3) What if the code is not in the state that the patch requires? (For
>> instance if I have updated that port)
>
> FreeBSD security advisories generally only apply to the base system,
> and patches will only be issued for the system sources. Security
> problems to do with ported software are usually announced via security
> notices. In general, you should use cvsup(1) to update your ports
> tree and a tool like portupgrade(1) to update any ports software.
>
> Note that ports don't follow the same -CURRENT, -STABLE, -RELEASE
> structure as the system sources. At most, all that happens is the
> ports tree will be tagged in CVS as a record of its state when a
> particular release was made. When updating, you should simply aim to
> install the latest available versions of ported software.
>
> In fact, as a general mechanism to keep your system sources up to
> date, I'd recommend that you use cvsup(1) to track the RELENG_4_7
> branch. This will effectively act as an automated mechanism to apply
> the same security patches as released separately, but with less chance
> of operator error. See
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
> for instructions -- you should base any supfile you use on
> /usr/share/examples/cvsup/standard-supfile, which apart from not
> specifying which cvsup server to use is pretty much all you need to
> keep your 4.7-RELEASE sources up to date. (The ports-supfile in the
> same directory will do the equivalent for the ports sources.)
>
>> 4) Are the patches clever enough to protect me from harming my system?
>
> No. You need to take care and think about what you're doing while
> updating the system. Having said that, the patches aren't unduly
> difficult to use, and if you follow the instructions you'll be just
> fine.
>
>> 5) Is there a safe way to undo a patch?
>
> Make sure you have good backups, which you have tested to ensure you
> can recover the system.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
>                                                       Savill Way
> PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
> Tel: +44 1628 476614                                  Bucks., SL7 1TH
>                                                       UK