From: Matthew Seaman
Date: Sun, 19 Feb 2012 10:22:57 +0000
To: freebsd-questions@freebsd.org
Subject: Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3

On 19/02/2012 02:06, Antonio Olivares wrote:
> On Sat, Feb 18, 2012 at 8:04 PM, Robert Bonomi wrote:
>>
>> Antonio,
>>  The 'upgrade' from _P5_ to P6 did not touch the kernel, hence the kernel ID
>> did not change.
>>
>> Going from P3 you should have seen a kernel update.
>>
>> what do you see if you do "strings /boot/kernel/kernel |grep 8"
>
> It is a big file so I'll paste it to pastebin temporarily:
>
> http://pastebin.com/K1PsTa0P

Heh.  The interesting bit is on line 4301 -- the last line of that
output.  A slightly more selective grep term would have been a good idea.

Anyhow, that shows the kernel on your system is 8.2-RELEASE-p3.  Which
implies that something ain't right somewhere.  Four possibilities,
roughly in order of severity:

   1) None of the security patches between p3 and p6 did actually touch
      the kernel.  You can tell if this was the case by looking at the
      list of modified files in the security advisory.
      The kernel is affected if any files under sys have been modified
      other than src/sys/conf/newvers.sh

      The last advisory that did touch the kernel was
      http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc
      which should have given you 8.2-RELEASE-p4.  However -- see below.

   2) An oversight in the freebsd-update process upstream meaning that
      the operational patches were applied, but not the changes to the
      kernel version number when the replacement kernel was compiled.

      Unlikely, as newvers.sh is always updated on each of the security
      branches even if the update doesn't touch the kernel.

   3) You've told freebsd-update not to touch your kernel.  Unlikely,
      and not in the default config, but useful where people need to
      use a custom kernel and maintain the rest of the system with
      freebsd-update.  In this case, you'd have modified
      /etc/freebsd-update.conf to change:

         Components src world kernel

      to read:

         Components src world

      Also you should be expecting to have to rebuild your kernel from
      sources, so I doubt this is the case.

   4) The kernel wasn't patched properly and hasn't been updated and
      you're still vulnerable.

Now, I believe that the situation is in fact as described in option
(1) -- none of the patches since p3 have touched the kernel distributed
through freebsd-update.  (2) and (4) can be discounted -- if such
egregious mistakes had been made, they would long ago have been noticed
and corrected.

Here is the thing I alluded to under option (1).  The security patch
for the unix domain socket problem came out in two chunks.  There was an
original patch to fix the actual security problem, then a later followup
patch to fix a bug that it exposed in the linux emulation layer.  It is
possible to tell this from the text of the advisory as it exists at the
moment, but you might not see it unless you are looking for it.
The important bit of text is this:

   NOTE: The patch distributed at the time of the original advisory
   fixed the security vulnerability but exposed the pre-existing bug in
   the linux emulation subsystem.  Systems to which the original patch
   was applied should be patched with the following corrective patch,
   which contains only the additional changes required to fix the
   newly-exposed linux emulation bug:

Given that the second part of the patch was actually not a security fix,
there would not have been a modified kernel distributed.

So you got a bundle of three advisories issued together on 2011-09-28
resulting in FreeBSD 8.2-RELEASE-p3.  Then later on, at 2011-10-04 a
further update was issued modifying FreeBSD-SA-11:05-unix and
technically taking the system to FreeBSD 8.2-RELEASE-p4.  However, as
this was not a security fix, it was not applied to the freebsd-update
distribution channel.  As none of the updates since then have touched
the kernel, it will still show -p3 even though you are in fact fully
patched against all known security problems.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
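
The checks discussed in this message, as an added shell example that is not part of the original e-mail: a more selective match on the kernel's embedded release string, the "files under sys other than newvers.sh" test from possibility (1), and the Components check from possibility (3). The function names and the one-path-per-line format assumed for an advisory's modified-file list are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and input formats are assumptions.

# Print the distinct N.N-RELEASE[-pN] strings found on stdin.
# On a FreeBSD host:  strings /boot/kernel/kernel | kernel_release
kernel_release() {
    grep -Eo '[0-9]+\.[0-9]+-RELEASE(-p[0-9]+)?' | sort -u
}

# Possibility (1): read an advisory's modified-file list on stdin, one
# path per line with an optional revision column after it.  Succeeds
# (exit 0) if any file under sys/ other than sys/conf/newvers.sh is
# listed, i.e. the advisory touched the kernel.
advisory_touches_kernel() {
    awk '
        { path = $1; sub(/^src\//, "", path) }
        path ~ /^sys\// && path != "sys/conf/newvers.sh" { hit = 1 }
        END { exit (hit ? 0 : 1) }
    '
}

# Possibility (3): succeeds if the Components line of the given
# freebsd-update.conf still lists "kernel".  Commented-out lines are
# ignored because their first field is not exactly "Components".
components_include_kernel() {
    awk '
        $1 == "Components" {
            seen = 1
            found = 0
            for (i = 2; i <= NF; i++)
                if ($i == "kernel") found = 1
        }
        END { exit ((seen && found) ? 0 : 1) }
    ' "$1"
}
```

If the kernel's release string lags the advisory level, no later advisory touched sys/, and Components still lists kernel, the lag is the version-label case the message describes rather than a missed patch.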