Date: Wed, 01 May 2013 10:59:23 +0200
From: Dag-Erling Smørgrav <des@des.no>
To: Melanie Schulte <m-freebsd@fuglos.org>
Cc: freebsd-security@FreeBSD.org, Glen Barber <gjb@FreeBSD.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver
Message-ID: <86ip33rs7o.fsf@nine.des.no>
In-Reply-To: <alpine.BSF.2.00.1305010443140.76122@m.fuglos.org> (Melanie Schulte's message of "Wed, 1 May 2013 04:47:48 +0200 (CEST)")
References: <201304292055.r3TKtcEs039958@freefall.freebsd.org> <201304292208.QAA16119@lariat.net> <20130430034603.GF1588@glenbarber.us> <201304300416.WAA20729@lariat.net> <20130430042415.GG1588@glenbarber.us> <CADLo839_J40E4O2s7Af3r1stH98B-fjKtBwmNovaPfY7peqi7Q@mail.gmail.com> <201304301936.NAA02519@lariat.net> <20130430211531.GA1621@glenbarber.us> <201304302241.QAA05359@lariat.net> <20130430224850.GA1579@glenbarber.us> <alpine.BSF.2.00.1305010443140.76122@m.fuglos.org>

Melanie Schulte <m-freebsd@fuglos.org> writes:
> Could you please elaborate on that? I have also built my own kernel on
> my servers and I must have missed the section in the handbook saying
> that running a custom kernel implies that freebsd-update should not be
> used.
>
> Given a security problem, I don't want to spend hours recompiling my
> base system whereas freebsd-update fixed the problem in seconds.

If you run a stock userland on a custom kernel, freebsd-update will
patch your userland but not your kernel.

If you must build your own kernel, my recommendation is to install it in
a different directory, e.g. /boot/MYKERNEL, instead of /boot/kernel.
That way, freebsd-update will keep the original GENERIC kernel (still in
/boot/kernel) up-to-date, and in a pinch, you can switch back.

The easiest way to do this is to append the following lines to
/etc/src.conf before building your kernel for the first time:

    KERNCONF=MYKERNEL
    KODIR=/boot/${KERNCONF}

You will also need to add this to /boot/loader.conf so the correct kernel
will be loaded at boot time:

    kernel="MYKERNEL"

If you built your kernel from the source tree that came with the
release, freebsd-update will have updated the source tree, and all you
need to do is rebuild and reinstall the kernel. In most cases, you can
get away with "make buildkernel -DKERNFAST", which should only take a
few seconds. KERNFAST is safe when you've only changed the contents of
a source file, but not your kernel configuration or anything that
affects the dependency graph (especially anything under sys/conf).

If you checked out your source tree from svn, however, you should tell
freebsd-update to leave it alone (remove "src" from the "Components"
line in /etc/freebsd-update.conf), and update it yourself with "svn up".

You should also remove "src" from the "Components" line if you do not
have a source tree at all. Otherwise, freebsd-update may become
confused by updates that add a source file, like the OpenSSL update did.
Updates that modify a file aren't an issue, because freebsd-update will
ignore missing files.

DES
--
Dag-Erling Smørgrav - des@des.no
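
Added example, not part of the original message and not FreeBSD project code: an sh sketch that checks a system root against the layout recommended above (KODIR away from /boot/kernel, loader.conf selecting it, and a Components line that matches the state of the source tree). The function names, the root-prefix argument, /usr/src as the source location and the FAIL wording are assumptions; only the ${KERNCONF} spelling used in the message is expanded.

```sh
# Added example: audit a root for the custom-kernel layout from the message.
# Assumptions: ROOT prefix argument, /usr/src as source tree, FAIL wording.

# conf_value FILE KEY: value of the last KEY=VALUE line, double quotes removed.
conf_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '"'
}

# has_component ROOT NAME: true if NAME is listed on the Components line.
has_component() {
    awk -v want="$2" '$1 == "Components" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }' "$1/etc/freebsd-update.conf" 2>/dev/null
}

# audit_kernel_layout ROOT: print one FAIL line per problem, return 1 if any.
audit_kernel_layout() {
    root=$1; rc=0
    kernconf=$(conf_value "$root/etc/src.conf" KERNCONF)
    kodir=$(conf_value "$root/etc/src.conf" KODIR | sed "s|[\$]{KERNCONF}|$kernconf|")
    bootk=$(conf_value "$root/boot/loader.conf" kernel)
    if [ -z "$kodir" ] || [ "$kodir" = /boot/kernel ]; then
        echo "FAIL: KODIR unset or /boot/kernel; a custom kernel would replace GENERIC"; rc=1
    elif [ "/boot/$bootk" != "$kodir" ]; then
        echo "FAIL: loader.conf kernel=\"$bootk\" does not select $kodir"; rc=1
    fi
    if ! has_component "$root" kernel; then
        echo "FAIL: no 'kernel' in Components; /boot/kernel would not be patched"; rc=1
    fi
    if has_component "$root" src; then
        if [ ! -d "$root/usr/src" ]; then
            echo "FAIL: 'src' in Components but no source tree"; rc=1
        elif [ -d "$root/usr/src/.svn" ]; then
            echo "FAIL: 'src' in Components but the tree is an svn checkout"; rc=1
        fi
    fi
    return "$rc"
}

# make_sample: constructed tree holding the message's settings (not a real host).
make_sample() {
    t=$(mktemp -d); mkdir -p "$t/etc" "$t/boot"
    printf 'KERNCONF=MYKERNEL\nKODIR=/boot/${KERNCONF}\n' > "$t/etc/src.conf"
    printf 'kernel="MYKERNEL"\n' > "$t/boot/loader.conf"
    printf 'Components src world kernel\n' > "$t/etc/freebsd-update.conf"
    echo "$t"
}

sample=$(make_sample)
audit_kernel_layout "$sample" || echo "sample needs changes (see FAIL lines)"
rm -rf "$sample"
```

Calling audit_kernel_layout with an empty string as ROOT checks the files of the running system instead of a copy.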
