Date: Sun, 19 Feb 2012 05:17:59 -0600 From: Antonio Olivares <olivares14031@gmail.com> To: Matthew Seaman <m.seaman@infracaninophile.co.uk> Cc: freebsd-questions@freebsd.org Subject: Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3 Message-ID: <CAJ5UdcPAUjet58p5AJrj5VUyO-Vdhz1S4PkBNC0=4M2dMUe=hw@mail.gmail.com> In-Reply-To: <4F40CD81.1000708@infracaninophile.co.uk> References: <CAJ5UdcOobT8jmUM7KpweU1sjie4P8HvQcA0vNMQdO66ZTHXHkA@mail.gmail.com> <201202190204.q1J24gJx080884@mail.r-bonomi.com> <CAJ5UdcO%2Bx6oEuEWL4%2Bfh1TanEv1vCCnOSi%2BaZ-bcQBsehuqKsA@mail.gmail.com> <4F40CD81.1000708@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, Feb 19, 2012 at 4:22 AM, Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote: > On 19/02/2012 02:06, Antonio Olivares wrote: >> On Sat, Feb 18, 2012 at 8:04 PM, Robert Bonomi <bonomi@mail.r-bonomi.com= > wrote: >>> >>> Antonio, >>> =A0The 'upgrade' from _P5_ to P6 did not touch the kernel, hence the ke= rnel ID >>> did not change. >>> >>> =A0Going from P3 =A0you should have seen a kernel update. >>> >>> =A0what do you see if you do "strings /boot/kernel/kernel |grep 8" >> >> It is a big file so I'll paste it to pastebin temporarily: >> >> http://pastebin.com/K1PsTa0P > > Heh. =A0The interesting bit is on line 4301 -- the last line of that > output. =A0A slightly more selective grep term would have been a good ide= a. > > Anyhow, that shows the kernel on your system is 8.2-RELEASE-p3. =A0Which > implies that something ain't right somewhere. > > Four possibilities, roughly in order of severity: > > =A0 1) None of the security patches between p3 and p6 did actually > =A0 =A0 =A0touch the kernel. =A0You can tell if this was the case by look= ing > =A0 =A0 =A0at the list of modified files in the security advisory. =A0The > =A0 =A0 =A0kernel is affected if any files under sys have been > =A0 =A0 =A0modified other than src/sys/conf/newvers.sh > > =A0 =A0 =A0The last advisory that did touch the kernel was > =A0 =A0 =A0http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.a= sc > > =A0 =A0 =A0which should have given you 8.2-RELEASE-p4. =A0However -- see > =A0 =A0 =A0below. > > =A0 2) An oversight in the freebsd-update process upstream meaning that > =A0 =A0 =A0the operational patches were applied, but not the changes to t= he > =A0 =A0 =A0kernel version number when the replacement kernel was compiled= . > =A0 =A0 =A0Unlikely, as newvers.sh is always updated on each of the secur= ity > =A0 =A0 =A0branches even if the update doesn't touch the kernel. > > =A0 3) You've told freebsd-update not to touch your kernel. =A0Unlikely, > =A0 =A0 =A0and not in the default config, but useful where people need to > =A0 =A0 =A0use a custom kernel and maintain the rest of the system with > =A0 =A0 =A0freebsd-update. > > =A0 =A0 =A0In this case, you'ld have modified /etc/freebsd-update.conf to > =A0 =A0 =A0change: > > =A0 =A0 =A0 =A0Components src world kernel > > =A0 =A0 =A0to read: > > =A0 =A0 =A0 =A0Components src world > > =A0 =A0 =A0Also you should be expecting to have to rebuild your kernel fr= om > =A0 =A0 =A0sources, so I doubt this is the case. /etc/freebsd-update.conf has: =3D=3D=3D=3D=3Dline 1 col 0 lines from top 1 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D # $FreeBSD: src/etc/freebsd-update.conf,v 1.6.2.2.6.1 2010/12/21 17:09:25 k= ensmi # Trusted keyprint. Changing this is a Bad Idea unless you've received # a PGP-signed email from <security-officer@FreeBSD.org> telling you to # change it and explaining why. KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5 # Server or server pool from which to fetch updates. You can change # this to point at a specific server if you want, but in most cases # using a "nearby" server won't provide a measurable improvement in # performance. ServerName update.FreeBSD.org # Components of the base system which should be kept updated. Components src world kernel ..... removed to save space .... > > =A0 4) The kernel wasn't patched properly and hasn't been updated and > =A0 =A0 =A0you're still vulnerable. > > Now, I believe that in fact the situation is in fact as described in > option (1) -- none of the patches since p3 have touched the kernel > distributed through freebsd-update. =A0(2) and (4) can be discounted -- i= f > such egregious mistakes had been made, they would long ago have been > noticed and corrected. > > Here is the thing I alluded to under option (1). =A0The security patch fo= r > the unix domain socket problem came out in two chunks. =A0There was an > original patch to fix the actual security problem, then a later followup > patch to fix a bug that exposed in the linux emulation layer. =A0It is > possible to tell this from the text of the advisory as it exists at the > moment, but you might not see it unless you are looking for it. =A0The > important bit of text is this: > > =A0NOTE: The patch distributed at the time of the original advisory fixed > =A0the security vulnerability but exposed the pre-existing bug in the > =A0linux emulation subsystem. =A0Systems to which the original patch was > =A0applied should be patched with the following corrective patch, which > =A0contains only the additional changes required to fix the newly- > =A0exposed linux emulation bug: > > Given that the second part of the patch was actually not a security fix, > there would not have been a modified kernel distributed. =A0So you got a > bundle of three advisories issued together on 2011-09-28 resulting in > FreeBSD 8.2-RELEASE-p3. =A0Then later on, at 2011-10-04 a further update > was issued modifying FreeBSD-SA-11:05-unix and technically taking the > system to FreeBSD 8.2-RELEASE-p4. =A0However, as this was not a security > fix, it was not applied to the freebsd-update distribution channel. =A0As > none of the updates since then have touched the kernel, it will still > show -p3 even though you are in fact fully patched against all known > security problems. I hope this is the case, but that -p3 makes me think? I am hesistant to move to 9.0-RELEASE as of yet. There will apparently be an 8.3-RELEASE and I am not sure whether I have to rebuild all ports if I update to newer release. I have read some places that one does not have to rebuild all ports, and just install compat8.x/ special port. In FreeBSD Handbook, it still recommends to rebuild all ports. It took me a while to get going last time I moved from 8.1-RELEASE to 8.2-RELEASE, so I am hesistant to do it :( And not being sure about this, I am in the thinking process of what should I do. > > =A0 =A0 =A0 =A0Cheers, > > =A0 =A0 =A0 =A0Matthew > > -- > Dr Matthew J Seaman MA, D.Phil. =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 7 Pri= ory Courtyard > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0Flat 3 > PGP: http://www.infracaninophile.co.uk/pgpkey =A0 =A0 Ramsgate > JID: matthew@infracaninophile.co.uk =A0 =A0 =A0 =A0 =A0 =A0 =A0 Kent, CT1= 1 9PW > Thank you very much for your kind explanation and hopefully I am in the (4) category. How does one know when a new 8.2-RELEASE-pX, has been released? where X is a number >=3D 6? Regards, Antonio
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJ5UdcPAUjet58p5AJrj5VUyO-Vdhz1S4PkBNC0=4M2dMUe=hw>