From owner-freebsd-security@FreeBSD.ORG Wed Dec 31 19:54:24 2014
Date: Wed, 31 Dec 2014 11:54:18 -0800 (PST)
From: Roger Marquis
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
In-Reply-To: <8661cy9jim.fsf@nine.des.no>

Dag-Erling Smørgrav wrote:
> Roger Marquis writes:
>> ... or those with constrained resources are never going to be able
>> to make/build/installworld for something as simple as a single binary
>> update.
>
> These sites would be better served using freebsd-update to download and
> apply binary patches.

Was afraid you might say that, not because it's unreasonable or inevitable
but because it illustrates the increasing tendency to refer bug (and other)
reports to use binary updates.

Problem with freebsd-update is that it has some of the same scope issues as
installworld. We've also had problems defining "-r" (in a jail) when the
booted kernel is not the revision we want to build to. Doesn't help that
"-r" doesn't parse patch levels.

freebsd-update also calls phttpget which has no man page. This is one
Linux-ism (missing man pages) that FreeBSD is usually good at avoiding.

> I would suggest discussing this with the FreeBSD Foundation. They have
> already taken an interest in the matter.

Thanks Dag,
Roger

From owner-freebsd-security@FreeBSD.ORG Fri Jan 2 17:46:41 2015
Date: Fri, 02 Jan 2015 18:46:37 +0100
From: Dag-Erling Smørgrav
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
In-Reply-To: <20141231195427.AECE022B@hub.freebsd.org>
Message-ID: <86y4plgjnm.fsf@nine.des.no>

Roger Marquis writes:
> Problem with freebsd-update is that it has some of the same scope issues
> as installworld. We've also had problems defining "-r" (in a jail) when
> the booted kernel is not the revision we want to build to. Doesn't help
> that "-r" doesn't parse patch levels.

I do it all the time:

  $ sudo env UNAME_r=X.Y-RELEASE freebsd-update fetch install

Patch levels don't matter to freebsd-update, it will look at what's
actually installed and not what the kernel says (which is not necessarily
correct anyway, because some updates don't touch the kernel). It just
needs to know the correct release.

Not sure what you mean by scope issues.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Jan 2 17:59:57 2015
Date: Fri, 02 Jan 2015 18:59:49 +0100
From: Dag-Erling Smørgrav
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
In-Reply-To: <86y4plgjnm.fsf@nine.des.no>
Message-ID: <86tx09gj1m.fsf@nine.des.no>

Dag-Erling Smørgrav writes:
> $ sudo env UNAME_r=X.Y-RELEASE freebsd-update fetch install

Actually, you want to do this from *outside* the jail, partly out of
healthy paranoia and partly so freebsd-update will re-use previously
downloaded indexes and patches:

  $ sudo env UNAME_r=X.Y-RELEASE freebsd-update -b /path/to/jail fetch install

Don't worry about conflicts - freebsd-update names its working directory
after the sha256 sum of the destination directory, so you can fetch, merge,
install and rollback updates for multiple jails as well as the host
independently of each other.

DES
-- 
Dag-Erling Smørgrav - des@des.no
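A host-side wrapper for the procedure DES describes (run from outside the jail, UNAME_r set to the bare release, -b pointing at the jail root), added here as an example and not code from the thread or from FreeBSD itself. It assumes jails with a FreeBSD 10 or later userland (so each carries /bin/freebsd-version, a shell script that can be executed from the host), freebsd-update installed on the host, and root privileges.

```shell
#!/bin/sh
# Update several jails from the host with freebsd-update (added example).
# Assumptions: each argument is a jail root containing /bin/freebsd-version
# (FreeBSD 10+), and freebsd-update exists on the host. Run as root.
set -eu

FREEBSD_UPDATE=${FREEBSD_UPDATE:-freebsd-update}

# UNAME_r must name the release only (X.Y-RELEASE). Patch levels do not
# matter to freebsd-update, so a trailing -pN from freebsd-version is dropped.
strip_patchlevel() {
    case $1 in
        *-RELEASE-p[0-9]*) printf '%s\n' "${1%-p*}" ;;
        *)                 printf '%s\n' "$1" ;;
    esac
}

# Read the jail's installed userland release without entering the jail:
# freebsd-version is a sh script with the version string embedded, so the
# jail's copy can be executed directly from the host (assumption: 10+).
jail_release() {
    jail=$1
    if [ ! -x "$jail/bin/freebsd-version" ]; then
        echo "no freebsd-version in $jail; not a FreeBSD 10+ root?" >&2
        return 1
    fi
    strip_patchlevel "$("$jail/bin/freebsd-version" -u)"
}

# Fetch and install from the host with -b set to the jail root. Each base
# directory gets its own freebsd-update working directory (keyed by the
# hash of that directory), so host and jails never share state.
update_jail() {
    jail=$1
    rel=$(jail_release "$jail")
    echo "==> $jail ($rel)"
    env UNAME_r="$rel" "$FREEBSD_UPDATE" -b "$jail" fetch install
}

if [ "$#" -gt 0 ]; then
    for j in "$@"; do
        update_jail "$j"
    done
fi
```

Invoke it as `sh update-jails.sh /usr/jails/www /usr/jails/db` (path and file name are placeholders); with no arguments it only defines the functions.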