Date: Mon, 14 Nov 2011 10:49:11 -0500 From: Tom Carpenter <tomc@bio.umass.edu> To: freebsd-questions@freebsd.org Subject: Re: 8.2-RELEASE-p4 Message-ID: <4EC13877.3070704@bio.umass.edu> In-Reply-To: <005301cca2b7$add11f20$09735d60$@co.ke> References: <005301cca2b7$add11f20$09735d60$@co.ke>
next in thread | previous in thread | raw e-mail | index | archive | help
Do you anticipate the release of an fix/update that will allow systems to be patched to -p4 or later via freebsd-update? -Tom Carpenter On 11/14/2011 05:25 AM, Evalyn wrote: > It touches the kernel but you need to do make builkernel/make installkernel > before uname -a shows "8.2-RELEASE-p4". > > Regards, > Evalyn > > > -----Original Message----- > From: owner-freebsd-questions@freebsd.org > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Matthew Seaman > Sent: 12 November 2011 02:03 > To: Robert Simmons > Cc: freebsd-questions@freebsd.org > Subject: Re: 8.2-RELEASE-p4 > > On 11/11/2011 21:03, Robert Simmons wrote: >>> Note that if a security update is just to some userland programs, >>>> freebsd-update won't touch the OS kernel, so the reported version >>>> number doesn't change even though the update has been applied. In >>>> these sort of cases, it's not necessary to reboot, just to restart >>>> any long running processes (if any) affected by the update. The >>>> security advisory should have more detailed instructions about >>>> exactly what to do. (The -p2 to >>>> -p3 update was like this, but the -p3 to -p4 update definitely did >>>> affect the kernel so a reboot was necessary.) >> I'm not confident that you are correct here. See above. Either p3-p4 >> did not touch the kernel, or the OP has a legitimate question. > Interesting. I based what I said on the text of the security advisories: > > http://security.freebsd.org/advisories/FreeBSD-SA-11:04.compress.asc > http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc > > Specifically the 'Corrected:' section near the top. I think it's clear that > FreeBSD-SA-11:04.compress (Corrected in 8.2-RELEASE-p3) doesn't involve > anything in the kernel but FreeBSD-SA-11:05.unix (Corrected in > 8.2-RELEASE-p4) is entirely within the kernel code. Except those advisories > aren't telling the whole story. > > Lets look at r226023 in SVN. That's the revision quoted in the 11.05 > advisory. The log for newvers.sh in > > http://svnweb.freebsd.org/base/releng/8.2/sys/conf/newvers.sh?view=log&pathr > ev=226023 > > says that the patches in RELEASE-p4 were not actually the security fix > -- rather they fixed a problem revealed by the actual security fix, which > was applied simultaneously with the patches in FreeBSD-SA-11:04.compress. > 11.05 was committed in two blobs spanning > -p3 and -p4. > > So, the good news is that if you have at least 8.2-RELEASE-p3 then you don't > have any (known) security holes. However if you don't have the patches in > 8.2-RELEASE-p4 then linux apps run under emulation will crash if they use > unix domain sockets. The flash plugin for FireFox being the most prominent > example as I recall. > > Now the updates for -p4 certainly should have touched the kernel, and > certainly should have resulted in an updated uname string[*]. There should > also be a note about -p4 in /usr/src/UPDATING. Starting to wonder if the > -p4 patches are actually available via freebsd-update(8) > -- could they have been omitted because it wasn't actually a security fix? > Odd that no one would have commented in a whole month if so. > > Cheers, > > Matthew > > > > [*] strings /boot/kernel/kernel | grep '8\.2-' should give the same > results as uname(1): if it's different then the running kernel is not the > same as the one on disk... > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4EC13877.3070704>