Message-ID: <51808845.9040804@freebsd.org>
Date: Tue, 30 Apr 2013 20:13:09 -0700
From: Colin Percival
To: Brett Glass
Cc: Glen Barber, Chris Rees, freebsd-security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver
In-Reply-To: <201305010243.UAA08356@lariat.net>

On 04/30/13 19:43, Brett Glass wrote:
> When you use freebsd-update(8) in the usual manner, it fetches all of the
> source and binary updates necessary to bring the system up to the latest
> security patch level. When a userland binary is updated, it overwrites the
> source and binary. But when the kernel is updated, it moves /boot/kernel to
> /boot/kernel.old and then drops a GENERIC kernel into /boot/kernel. If
> there were no loadable modules in /boot/kernel at the start of the update,
> none are placed in /boot/kernel afterward. This is problematic, because
> the custom kernel that previously resided in /boot/kernel might have had some
> necessary modules built in... and they will not be available, either as
> compiled-in modules or as loadable modules, at the next reboot.
>
> To leave the system in a precarious state, where a power glitch could
> leave it unable to reboot, does not seem to me like a good idea. If
> /boot/GENERIC exists (which means that the administrator has built a custom
> kernel and saved the GENERIC kernel there), best to update /boot/GENERIC and
> leave the custom kernel in place, to be rebuilt if needed.

If you don't want freebsd-update to update your kernel, remove 'kernel' from
the 'Components' line in /etc/freebsd-update.conf.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
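
One way to audit and apply the setting described in the reply above, as an added example that is not part of the original message: the shell functions below (hypothetical names has_kernel_component and strip_kernel_component) check whether a freebsd-update.conf still lists kernel in Components and print a copy with it removed, also covering kernel/<sub> sub-component entries. The sample config is constructed, and treating a # token as the start of a trailing comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.

# Exit 0 if an active Components line lists kernel or a kernel/<sub> entry.
has_kernel_component() {
    awk '
        $1 == "Components" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break    # assumption: "#" starts a trailing comment
                if ($i == "kernel" || $i ~ /^kernel\//) found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print the config with kernel and kernel/<sub> removed from Components lines.
# All other lines, including commented-out ones, pass through unchanged.
strip_kernel_component() {
    awk '
        $1 == "Components" {
            out = "Components"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) { while (i <= NF) out = out " " $(i++); break }
                if ($i == "kernel" || $i ~ /^kernel\//) continue
                out = out " " $i
            }
            print out
            next
        }
        { print }
    ' "$1"
}

# Constructed sample config for the demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Components of the base system which should be kept updated.
Components src world kernel
ServerName update.FreeBSD.org
EOF

if has_kernel_component "$sample"; then
    echo "kernel is still managed by freebsd-update; proposed config:"
    strip_kernel_component "$sample"
fi
rm -f "$sample"
```

With kernel removed from Components, kernel fixes from security advisories reach the machine only when the custom kernel is rebuilt from patched source.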