From: "Roger Marquis"
To: "Dag-Erling Smørgrav"
Date: Tue, 6 Jan 2015 11:59:32 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

> DES wrote:
> I do it all the time:
> $ sudo env UNAME_r=X.Y-RELEASE freebsd-update fetch install

Not sure if using a jail to test is relevant but this never updates (my)
binaries to the specified RELEASE/RELENG, only to the current kernel's patch
level.  Then there's the issue of specifying -RELEASE to mean -RELENG.

> Not sure what you mean by scope issues.

That's referring back to the original question of buildworld/installworld
vs "cd /usr/src/path/to/patched/binary;make install" (vs freebsd-update) and
the granularity of respective updates.

> Actually, you want to do this from *outside* the jail, partly out of
> healthy paranoia and partly so freebsd-update will re-use previously
> downloaded indexes and patches

Updates to non-jailed environments are the preferred method to be sure but
patching and testing base updates in a jail can be more convenient.

Roger

From: Dag-Erling Smørgrav
To: "Roger Marquis"
Date: Tue, 06 Jan 2015 23:07:58 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

"Roger Marquis" writes:
> "Dag-Erling Smørgrav" writes:
> > I do it all the time:
> > $ sudo env UNAME_r=X.Y-RELEASE freebsd-update fetch install
> Not sure if using a jail to test is relevant but this never updates (my)
> binaries to the specified RELEASE/RELENG, only to the current kernel's patch
> level.

No, it updates everything.  Like I said, I do this all the time,
including with jails that run a different release than the host system.

> Then there's the issue of specifying -RELEASE to mean -RELENG.

There is no such thing as -RELENG.  See sys/conf/newvers.sh.

> > Actually, you want to do this from *outside* the jail, partly out of
> > healthy paranoia and partly so freebsd-update will re-use previously
> > downloaded indexes and patches
> Updates to non-jailed environments are the preferred method to be sure but
> patching and testing base updates in a jail can be more convenient.

You missed my point.  You can run freebsd-update outside the jail to
update the contents of the jail.  See the attached shell script.

DES
--
Dag-Erling Smørgrav - des@des.no

Attachment: jail-upgrade.sh

#!/bin/sh
#
# $Id$
#

progname="$(basename $0)"

#
# Print an informational message.
#
info() {
    echo "$@"
}

#
# Print an error message to stderr and exit.
#
error() {
    echo "$progname: $@" >&2
    exit 1
}

#
# Ask a question and wait for an answer.  Keep asking until the user
# answers yes or no.
#
# Usage example:
#
# if yesno foo ; then echo yes ; else echo no ; fi
#
yesno() {
    while :; do
        echo -n "$@ (yes/no) "
        read answer
        case $answer in
        [Yy]|[Yy][Ee][Ss])
            return 0
            ;;
        [Nn]|[Nn][Oo])
            return 1
            ;;
        esac
    done
}

#
# Print a usage string and exit.
#
usage() {
    echo "usage: $progname jailname [[from-release] to-release]" >&2
    exit 1
}

main() {
    # One argument: update the jail in place.  Two: upgrade from the
    # host's release to to-release.  Three: upgrade from from-release
    # to to-release.
    case $# in
    1)
        jailname="$1"
        ;;
    2)
        jailname="$1"
        fromrel="$(uname -r)"
        torel="$2"
        ;;
    3)
        jailname="$1"
        fromrel="$2"
        torel="$3"
        ;;
    *)
        usage
        ;;
    esac

    # Paths are derived from the jail root; the -install entry in the
    # state directory is what the checks further down test for.
    jailroot="/jail/$jailname"
    basehash="$(echo $jailroot | sha256 -q)"
    statedir="/var/db/freebsd-update/"
    install_link="$statedir/$basehash-install"
    conffile="$jailroot/etc/freebsd-update.conf"

    if [ -n "$torel" ] ; then
        fetch="upgrade"
        relarg="-r $torel"
        pre_uname="UNAME_r=$fromrel"
        post_uname="UNAME_r=$torel"
    else
        fetch="fetch"
    fi

    # Ask for confirmation unless QUICK_UPGRADE is set.
    if [ -n "$torel" ] ; then
        if [ -n "${QUICK_UPGRADE+yes}" ] ; then
            echo "Upgrading $jailroot from $fromrel to $torel"
        else
            yesno "Upgrade $jailroot from $fromrel to $torel?"
        fi
    else
        if [ -n "${QUICK_UPGRADE+yes}" ] ; then
            echo "Upgrading $jailroot"
        else
            yesno "Update $jailroot?"
        fi
    fi || exit 0

    if [ -n "${QUICK_UPGRADE+yes}" ] ; then
        export PAGER=cat
    fi

    set -e
    # Fetch and first install pass run with UNAME_r set to the release
    # the jail is upgrading from.
    env $pre_uname freebsd-update -b "$jailroot" -d "$statedir" -f "$conffile" $relarg $fetch
    [ -d "$install_link" ] || exit 1
    env $pre_uname freebsd-update -b "$jailroot" -d "$statedir" -f "$conffile" $relarg install
    if [ -n "${QUICK_UPGRADE+yes}" ] ; then
        echo "Quick upgrade, not restarting $jailname"
    elif yesno "Restart $jailname before proceeding?" ; then
        /etc/rc.d/jail restart $jailname
    fi
    # Remaining install passes run with UNAME_r set to the target
    # release, for as long as the -install entry is still present.
    [ -d "$install_link" ] || exit 0
    env $post_uname freebsd-update -b "$jailroot" -d "$statedir" -f "$conffile" $relarg install
    [ -d "$install_link" ] || exit 0
    env $post_uname freebsd-update -b "$jailroot" -d "$statedir" -f "$conffile" $relarg install
}

main "$@"

From: Leif Pedersen
To: Dag-Erling Smørgrav
Date: Wed, 7 Jan 2015 11:35:55 -0600
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

On Fri, Jan 2, 2015 at 11:59 AM, Dag-Erling Smørgrav wrote:

> $ sudo env UNAME_r=X.Y-RELEASE freebsd-update -b /path/to/jail fetch
> install

I use freebsd-update enthusiastically, but I hadn't noticed the -b option
before. I'm glad you mentioned it. I've always run freebsd-update inside of
each jail, unnecessarily downloading everything repeatedly.

It seems like -b doesn't work for upgrades though, unless I've missed
something. Your example is for "fetch install", but naturally I
extrapolated that it should work for "upgrade" also. Should one of the
following work?

My host has already been upgraded to 10.1 because it seems to me that
upgrading the host first is required since a new kernel will support old
userlands, but not necessarily the reverse (which I infer from the standard
instructions to do installkernel before installworld). In this case, my
jail is simply an independent directory; no nullfs magic or anything.

# env UNAME_r=10.1-RELEASE freebsd-update -b /j/test upgrade
freebsd-update: Release target must be specified via -r option.

Or:

# freebsd-update -b /j/test -r 10.1 upgrade
freebsd-update: Cannot upgrade from 10.1-RELEASE to itself

- Leif

--
As implied by email protocols, the information in this message is not
confidential. Any middle-man or recipient may inspect, modify, copy,
forward, reply to, delete, or filter email for any purpose unless said
parties are otherwise obligated. As the sender, I acknowledge that I have
a lower expectation of the control and privacy of this message than I
would a post-card. Further, nothing in this message is legally binding
without cryptographic evidence of its integrity.

http://bilbo.hobbiton.org/wiki/Eat_My_Sig

From: Dag-Erling Smørgrav
To: Leif Pedersen
Date: Wed, 07 Jan 2015 19:50:22 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

Leif Pedersen writes:
> It seems like -b doesn't work for upgrades though,

Yes, it does.

> # env UNAME_r=10.1-RELEASE freebsd-update -b /j/test upgrade
> freebsd-update: Release target must be specified via -r option.

This doesn't work because you didn't specify the target.

> # freebsd-update -b /j/test -r 10.1 upgrade
> freebsd-update: Cannot upgrade from 10.1-RELEASE to itself

This doesn't work because you didn't specify the correct starting point.
You have to set UNAME_r to what the jail is currently running.

DES
--
Dag-Erling Smørgrav - des@des.no

From: Darren Pilgrim
To: Dag-Erling Smørgrav, Leif Pedersen
Date: Wed, 07 Jan 2015 11:17:32 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

On 1/7/2015 10:50 AM, Dag-Erling Smørgrav wrote:
> Leif Pedersen writes:
>> It seems like -b doesn't work for upgrades though,
>
> Yes, it does.
>
>> # env UNAME_r=10.1-RELEASE freebsd-update -b /j/test upgrade
>> freebsd-update: Release target must be specified via -r option.
>
> This doesn't work because you didn't specify the target.
>
>> # freebsd-update -b /j/test -r 10.1 upgrade
>> freebsd-update: Cannot upgrade from 10.1-RELEASE to itself
>
> This doesn't work because you didn't specify the correct starting point.
> You have to set UNAME_r to what the jail is currently running.

Is that to say

`env UNAME_r=A.B-RELEASE freebsd-update -b /jail/path -r C.D-RELEASE upgrade`

is the correct command?
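
The command form asked about in the message above, as an added example that is not part of any message in this thread: a host-side pre-flight check that builds the upgrade command for a jail and catches the two mistakes quoted above before freebsd-update runs. It assumes the jail's bin/freebsd-version script (FreeBSD 10.0 and later) carries a USERLAND_VERSION="..." line, and it reads that line rather than executing anything from the jail; the function names and the scratch jail directory are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): build the freebsd-update command
# for upgrading a jail from the host, catching the two mistakes quoted
# above before freebsd-update is run.

# jail_release JAILROOT
# Print the jail's userland release with any -pN patch level removed,
# e.g. 10.0-RELEASE.  The file is parsed, never executed, so nothing
# inside the jail runs on the host.
# Assumption: bin/freebsd-version holds a USERLAND_VERSION="..." line.
jail_release() {
    sed -n 's/^USERLAND_VERSION="\([^"]*\)".*/\1/p' "$1/bin/freebsd-version" \
        2>/dev/null | head -n 1 | sed -E 's/-p[0-9]+$//'
}

# normalize_target RELEASE
# A bare number such as 10.1 is treated as 10.1-RELEASE, matching the
# "Cannot upgrade from 10.1-RELEASE to itself" output quoted above.
normalize_target() {
    case "$1" in
        *-*) echo "$1" ;;
        *)   echo "$1-RELEASE" ;;
    esac
}

# upgrade_command JAILROOT TARGET
# Print the command line (for display; paths are not shell-quoted), or
# return non-zero with a reason on stderr:
#   2 = no target given, 3 = release unreadable, 4 = already at target.
upgrade_command() {
    uc_root="$1"
    uc_target="$2"
    if [ -z "$uc_target" ]; then
        echo "no target release given (freebsd-update needs -r)" >&2
        return 2
    fi
    uc_target="$(normalize_target "$uc_target")"
    uc_current="$(jail_release "$uc_root")"
    if [ -z "$uc_current" ]; then
        echo "cannot read userland release under $uc_root" >&2
        return 3
    fi
    if [ "$uc_current" = "$uc_target" ]; then
        echo "$uc_root is already at $uc_target" >&2
        return 4
    fi
    echo "env UNAME_r=$uc_current freebsd-update -b $uc_root -r $uc_target upgrade"
}

# make_sample_jail DIR RELEASE
# Constructed sample input: a scratch directory with a stand-in
# bin/freebsd-version containing only the line this example reads.
make_sample_jail() {
    mkdir -p "$1/bin"
    printf 'USERLAND_VERSION="%s"\n' "$2" > "$1/bin/freebsd-version"
}

# Run the check against a constructed jail at 10.0-RELEASE-p12.
demo() {
    demo_dir="$(mktemp -d)"
    make_sample_jail "$demo_dir/j/test" "10.0-RELEASE-p12"
    upgrade_command "$demo_dir/j/test" 10.1
    demo_status=$?
    rm -rf "$demo_dir"
    return $demo_status
}

demo
```
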

From: Leif Pedersen
To: Dag-Erling Smørgrav
Date: Wed, 7 Jan 2015 13:23:14 -0600
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

On Wed, Jan 7, 2015 at 12:50 PM, Dag-Erling Smørgrav wrote:

> Leif Pedersen writes:
> > # env UNAME_r=10.1-RELEASE freebsd-update -b /j/test upgrade
> > freebsd-update: Release target must be specified via -r option.
>
> This doesn't work because you didn't specify the target.
>
> > # freebsd-update -b /j/test -r 10.1 upgrade
> > freebsd-update: Cannot upgrade from 10.1-RELEASE to itself
>
> This doesn't work because you didn't specify the correct starting point.
> You have to set UNAME_r to what the jail is currently running.

Oh very good, thank you. (I misunderstood what UNAME_r means; now I see the
correlation to "uname -r".)

For any onlookers, the following worked for me:

env UNAME_r=10.0-RELEASE freebsd-update -b /j/test -r 10.1 upgrade
# work through merging etc
env UNAME_r=10.0-RELEASE freebsd-update -b /j/test -r 10.1 install
# ignore the message to reboot and repeat the last until you see "done".

- Leif

From: Dag-Erling Smørgrav
To: Darren Pilgrim
Date: Thu, 08 Jan 2015 12:50:19 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

Darren Pilgrim writes:
> Is that to say
>
> `env UNAME_r=A.B-RELEASE freebsd-update -b /jail/path -r C.D-RELEASE upgrade`
>
> is the correct command?

Precisely.

DES
--
Dag-Erling Smørgrav - des@des.no

From: Piotr Kubaj
To: freebsd-security@freebsd.org
Date: Thu, 08 Jan 2015 21:00:33 +0100
Subject: New vulnerabilities in file(1)

See http://mx.gw.com/pipermail/file/2014/001653.html and
http://mx.gw.com/pipermail/file/2014/001654.html for reports.
They're fixed in
https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4
and
https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c

From: Brooks Davis
To: Piotr Kubaj
Date: Thu, 8 Jan 2015 23:29:15 +0000
Subject: Re: New vulnerabilities in file(1)

On Thu, Jan 08, 2015 at 09:00:33PM +0100, Piotr Kubaj wrote:
> See http://mx.gw.com/pipermail/file/2014/001653.html and
> http://mx.gw.com/pipermail/file/2014/001654.html for reports.
> They're fixed in
> https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4
> and
> https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c

It looks like these are both addressed in file 5.22 which is in HEAD and
is scheduled to be MFC'd in another week.

-- Brooks