Date: Sun, 19 Feb 2012 18:49:56 +0100
From: Nikola Pavlović <nzp@riseup.net>
To: freebsd-questions@freebsd.org
Subject: Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3
Message-ID: <20120219174956.GA34784@sputnjik.localdomain>
In-Reply-To: <CAJ5UdcPAUjet58p5AJrj5VUyO-Vdhz1S4PkBNC0=4M2dMUe=hw@mail.gmail.com>
References: <CAJ5UdcOobT8jmUM7KpweU1sjie4P8HvQcA0vNMQdO66ZTHXHkA@mail.gmail.com> <201202190204.q1J24gJx080884@mail.r-bonomi.com> <CAJ5UdcO%2Bx6oEuEWL4%2Bfh1TanEv1vCCnOSi%2BaZ-bcQBsehuqKsA@mail.gmail.com> <4F40CD81.1000708@infracaninophile.co.uk> <CAJ5UdcPAUjet58p5AJrj5VUyO-Vdhz1S4PkBNC0=4M2dMUe=hw@mail.gmail.com>

On Sun, Feb 19, 2012 at 05:17:59AM -0600, Antonio Olivares wrote:
> On Sun, Feb 19, 2012 at 4:22 AM, Matthew Seaman
> <m.seaman@infracaninophile.co.uk> wrote:
> > Here is the thing I alluded to under option (1). The security patch for
> > the unix domain socket problem came out in two chunks. There was an
> > original patch to fix the actual security problem, then a later followup
> > patch to fix a bug that it exposed in the linux emulation layer. It is
> > possible to tell this from the text of the advisory as it exists at the
> > moment, but you might not see it unless you are looking for it. The
> > important bit of text is this:
> >
> > NOTE: The patch distributed at the time of the original advisory fixed
> > the security vulnerability but exposed the pre-existing bug in the
> > linux emulation subsystem. Systems to which the original patch was
> > applied should be patched with the following corrective patch, which
> > contains only the additional changes required to fix the
> > newly-exposed linux emulation bug:
> >
> > Given that the second part of the patch was actually not a security fix,
> > there would not have been a modified kernel distributed. So you got a
> > bundle of three advisories issued together on 2011-09-28 resulting in
> > FreeBSD 8.2-RELEASE-p3. Then later on, at 2011-10-04 a further update
> > was issued modifying FreeBSD-SA-11:05-unix and technically taking the
> > system to FreeBSD 8.2-RELEASE-p4. However, as this was not a security
> > fix, it was not applied to the freebsd-update distribution channel. As
> > none of the updates since then have touched the kernel, it will still
> > show -p3 even though you are in fact fully patched against all known
> > security problems.
>
> I hope this is the case, but that -p3 makes me think? I am hesitant

If it will make you feel more confident that everything is OK, I too have
-p3 reported from the kernel, but -p6 in newvers.sh.

I remember a discussion shortly after FreeBSD-SA-11:05-unix (maybe on
freebsd-security@ but I'm not sure) about this confusion with patch
level reported and if I remember correctly the conclusion was in
agreement with what Matthew wrote above.

>
> Thank you very much for your kind explanation and hopefully I am in
> the (4) category. How does one know when a new 8.2-RELEASE-pX, has
> been released? where X is a number >= 6?
>

You could follow freebsd-announce@, and/or optionally freebsd-security@.
All security advisories and errata patches are announced there.
Alternatively, there are http://www.freebsd.org/security/advisories.html
and http://www.freebsd.org/security/notices.html pages along with their
RSS feeds http://www.freebsd.org/security/rss.xml and
http://www.freebsd.org/security/errata.xml, respectively.

-- 
"Have you lived here all your life?"
"Oh, twice that long."
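
The comparison discussed in this message (kernel reporting -p3 while newvers.sh shows -p6), as an added shell example that is not part of the original e-mail or of FreeBSD's own tooling. It assumes the source tree's newvers.sh sits at /usr/src/sys/conf/newvers.sh and carries quoted REVISION= and BRANCH= assignments; the function names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the patch level the running kernel reports with
# the one recorded in the source tree's newvers.sh.

# Print N from a release string such as "8.2-RELEASE-p3" (0 if no -pN).
patch_level() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*-p\([0-9][0-9]*\)$/\1/p')
    printf '%s\n' "${n:-0}"
}

# Print "REVISION-BRANCH" parsed from a newvers.sh file ($1). The file is
# only read with sed, never sourced, so nothing in it is executed.
newvers_release() {
    rev=$(sed -n 's/^REVISION="\([^"]*\)".*/\1/p' "$1" 2>/dev/null | head -n 1)
    branch=$(sed -n 's/^BRANCH="\([^"]*\)".*/\1/p' "$1" 2>/dev/null | head -n 1)
    [ -n "$rev" ] && [ -n "$branch" ] || return 1
    printf '%s-%s\n' "$rev" "$branch"
}

# $1 = kernel release string (output of uname -r), $2 = path to newvers.sh.
compare_levels() {
    src=$(newvers_release "$2") || { echo "unreadable: $2"; return 2; }
    if [ "${1%-p*}" != "${src%-p*}" ]; then
        echo "different-release: kernel $1, sources $src"; return 2
    fi
    k=$(patch_level "$1"); s=$(patch_level "$src")
    if [ "$k" -eq "$s" ]; then
        echo "same: kernel and sources at -p$k"
    elif [ "$k" -lt "$s" ]; then
        # The situation in this thread: expected when the patches issued
        # after the kernel's level did not modify the kernel itself.
        echo "kernel-behind: kernel -p$k, sources -p$s"
    else
        echo "kernel-ahead: kernel -p$k, sources -p$s"
    fi
}

# Constructed sample of the assignments the parser looks for.
sample_newvers() {
    printf 'TYPE="FreeBSD"\nREVISION="8.2"\nBRANCH="RELEASE-p6"\n' > "$1"
}

# Real use on a FreeBSD host (source path is an assumption, see lead-in):
#   sh patchlevel.sh --check
if [ "${1:-}" = "--check" ]; then
    compare_levels "$(uname -r)" /usr/src/sys/conf/newvers.sh
fi
```

A "kernel-behind" result only reports the gap; whether it is harmless still has to be confirmed against the advisories issued since the kernel's patch level.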