From: Eirik Øverby
To: Doug Barton
Cc: freebsd-security@freebsd.org, Mike Brown, Eitan Adler
Date: Sat, 1 Oct 2011 21:48:21 +0200
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

On Oct 1, 2011, at 07:12, Doug Barton wrote:

> On 09/30/2011 21:10, Mike Brown wrote:
>> Eitan Adler wrote:
>>>> do I reboot for this one, or not?
>>> The kernel is changed, so yes.
>>
>> Thanks. I had guessed a reboot was needed, but the advisory only mentioned a
>> reboot in the context of building the kernel from sources. Hopefully, when a
>> reboot is required, future advisories will mention it in the freebsd-update(8)
>> instructions.
>
> When would a reboot not be needed for a kernel change?

Try this: When freebsd-update doesn't actually tell you to reboot.

I would expect freebsd-update to inform me that I need to reboot if anything in /boot (or at least /boot/kernel) was touched. In particular when /boot/kernel/kernel was touched. I know I've been told by freebsd-update to do a two-stage update in the past (freebsd-update install, reboot single-user, freebsd-update install again) - I had expected it to do the same this time, but it didn't on any of the dozen-and-a-half systems I ran it on.

When looking at the list of files changed between 8.2-RELEASE-p2 and -p3, the /boot/kernel/kernel is easily missed among them. It's easily conceivable that a system gets patched and then not rebooted for months in a case like this.

/Eirik
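
One way to catch the patched-but-not-rebooted case described in this message, as an added example that is not part of the original thread: compare the modification time of files under /boot/kernel with the boot time from `sysctl -n kern.boottime`. The function names are hypothetical, and the check assumes the update rewrites the kernel file so that its mtime is later than the last boot.

```shell
#!/bin/sh
# Added example (not from the thread): flag kernel files replaced on disk
# since the running kernel was booted. Function names are hypothetical.

# Extract epoch seconds from `sysctl -n kern.boottime` output, e.g.
# "{ sec = 1317499699, usec = 462283 } Sat Oct  1 20:08:19 2011"
boot_epoch() {
    printf '%s\n' "$1" | sed -n 's/^{ sec = \([0-9][0-9]*\),.*/\1/p'
}

# Print a file's mtime in epoch seconds (GNU stat first, then BSD stat).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# changed_since_boot BOOT_EPOCH FILE...
# Prints each existing file modified after BOOT_EPOCH.
# Returns 0 if at least one was found, 1 otherwise.
changed_since_boot() {
    boot=$1
    shift
    found=1
    for f in "$@"; do
        [ -e "$f" ] || continue          # skip missing files and unmatched globs
        m=$(file_mtime "$f") || continue
        if [ "$m" -gt "$boot" ]; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return $found
}

# On a FreeBSD host, run as: sh script.sh check
# Assumption: an updated kernel or module has an mtime later than boot.
if [ "${1:-}" = "check" ]; then
    boot=$(boot_epoch "$(sysctl -n kern.boottime)")
    if changed_since_boot "$boot" /boot/kernel/kernel /boot/kernel/*.ko; then
        echo "reboot pending: the files above changed after the last boot"
    else
        echo "no kernel files changed since boot"
    fi
fi
```

Run from cron or a monitoring agent after each freebsd-update install, this surfaces hosts still running the pre-patch kernel even when the updater printed no reboot notice.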