From: Matthew Seaman
Date: Fri, 11 Nov 2011 23:03:28 +0000
To: Robert Simmons
Cc: freebsd-questions@freebsd.org
Subject: Re: 8.2-RELEASE-p4

On 11/11/2011 21:03, Robert Simmons wrote:
>> Note that if a security update is just to some userland programs,
>> freebsd-update won't touch the OS kernel, so the reported version number
>> doesn't change even though the update has been applied.  In these sort
>> of cases, it's not necessary to reboot, just to restart any long running
>> processes (if any) affected by the update.  The security advisory should
>> have more detailed instructions about exactly what to do.  (The -p2 to
>> -p3 update was like this, but the -p3 to -p4 update definitely did
>> affect the kernel so a reboot was necessary.)
>
> I'm not confident that you are correct here.  See above.  Either p3-p4
> did not touch the kernel, or the OP has a legitimate question.

Interesting.  I based what I said on the text of the security advisories:

http://security.freebsd.org/advisories/FreeBSD-SA-11:04.compress.asc
http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc

Specifically the 'Corrected:' section near the top.
I think it's clear that FreeBSD-SA-11:04.compress (Corrected in
8.2-RELEASE-p3) doesn't involve anything in the kernel but
FreeBSD-SA-11:05.unix (Corrected in 8.2-RELEASE-p4) is entirely within
the kernel code.

Except those advisories aren't telling the whole story.  Let's look at
r226023 in SVN.  That's the revision quoted in the 11.05 advisory.  The
log for newvers.sh in

http://svnweb.freebsd.org/base/releng/8.2/sys/conf/newvers.sh?view=log&pathrev=226023

says that the patches in RELEASE-p4 were not actually the security fix --
rather they fixed a problem revealed by the actual security fix, which
was applied simultaneously with the patches in
FreeBSD-SA-11:04.compress.  11.05 was committed in two blobs spanning
-p3 and -p4.

So, the good news is that if you have at least 8.2-RELEASE-p3 then you
don't have any (known) security holes.  However if you don't have the
patches in 8.2-RELEASE-p4 then linux apps run under emulation will crash
if they use unix domain sockets.  The flash plugin for FireFox being the
most prominent example as I recall.

Now the updates for -p4 certainly should have touched the kernel, and
certainly should have resulted in an updated uname string[*].  There
should also be a note about -p4 in /usr/src/UPDATING.

Starting to wonder if the -p4 patches are actually available via
freebsd-update(8) -- could they have been omitted because it wasn't
actually a security fix?  Odd that no one would have commented in a whole
month if so.

	Cheers,

	Matthew

[*] strings /boot/kernel/kernel | grep '8\.2-' should give the same
results as uname(1): if it's different then the running kernel is not
the same as the one on disk...

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
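
The footnote's check (release string in the on-disk kernel versus what the running kernel reports), written out as a script. This is an added example, not part of the original message; the function names and the sample strings(1) output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.

# Constructed sample of what strings(1) might print for a -p4 kernel image.
sample_strings() {
    cat <<'EOF'
@(#)FreeBSD 8.2-RELEASE-p4 #0: (constructed build line)
FreeBSD 8.2-RELEASE-p4 #0: (constructed build line)
8.2-RELEASE-p4
some unrelated string
EOF
}

# stdin: strings(1) output. stdout: unique release tokens, one per line.
release_tokens() {
    grep -Eo '[0-9]+\.[0-9]+-RELEASE(-p[0-9]+)?' | sort -u
}

# $1: release reported by the running kernel (uname -r).
# stdin: strings(1) output for the kernel image on disk.
# Returns 0 on match, 1 on mismatch (reboot pending), 2 if nothing was found.
check_kernel() {
    running=$1
    ondisk=$(release_tokens)
    if [ -z "$ondisk" ]; then
        echo "UNKNOWN: no release string found in kernel image"
        return 2
    fi
    # Strict comparison, as in the footnote: any difference is a mismatch.
    if [ "$ondisk" = "$running" ]; then
        echo "OK: running kernel matches on-disk kernel ($running)"
        return 0
    fi
    echo "REBOOT: running $running, on disk $(echo $ondisk)"
    return 1
}

if [ -r /boot/kernel/kernel ]; then
    strings /boot/kernel/kernel | check_kernel "$(uname -r)" || true
else
    # No FreeBSD kernel here: demonstrate with the constructed sample,
    # pretending the running kernel is still -p3.
    sample_strings | check_kernel "8.2-RELEASE-p3" || true
fi
```

A match only says that the kernel in memory is the one on disk; as the quoted text notes, a userland-only update leaves this string unchanged.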