From owner-freebsd-security@FreeBSD.ORG Wed May 1 08:59:50 2013
From: Dag-Erling Smørgrav <des@des.no>
To: Melanie Schulte
Cc: freebsd-security@FreeBSD.org, Glen Barber
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver
Date: Wed, 01 May 2013 10:59:23 +0200
In-Reply-To: (Melanie Schulte's message of "Wed, 1 May 2013 04:47:48 +0200 (CEST)")
Message-ID: <86ip33rs7o.fsf@nine.des.no>
References: <201304292055.r3TKtcEs039958@freefall.freebsd.org> <201304292208.QAA16119@lariat.net> <20130430034603.GF1588@glenbarber.us> <201304300416.WAA20729@lariat.net> <20130430042415.GG1588@glenbarber.us> <201304301936.NAA02519@lariat.net> <20130430211531.GA1621@glenbarber.us> <201304302241.QAA05359@lariat.net> <20130430224850.GA1579@glenbarber.us>
List-Id: "Security issues [members-only posting]"

Melanie Schulte writes:
> Could you please elaborate on that? I have also built my own kernel on
> my servers and I must have missed the section in the handbook saying
> that running a custom kernel implies that freebsd-update should not be
> used.
>
> Given a security problem, I don't want to spend hours recompiling my
> base system whereas freebsd-update fixed the problem in seconds.

If you run a stock userland on a custom kernel, freebsd-update will patch
your userland but not your kernel.

If you must build your own kernel, my recommendation is to install it in
a different directory, e.g. /boot/MYKERNEL, instead of /boot/kernel.
That way, freebsd-update will keep the original GENERIC kernel (still in
/boot/kernel) up-to-date, and in a pinch, you can switch back.

The easiest way to do this is to append the following lines to
/etc/src.conf before building your kernel for the first time:

    KERNCONF=MYKERNEL
    KODIR=/boot/${KERNCONF}

You will also need to add this to /boot/loader.conf so the correct
kernel will be loaded at boot time:

    kernel="MYKERNEL"

If you built your kernel from the source tree that came with the
release, freebsd-update will have updated the source tree, and all you
need to do is rebuild and reinstall the kernel. In most cases, you can
get away with "make buildkernel -DKERNFAST", which should only take a
few seconds. KERNFAST is safe when you've only changed the contents of
a source file, but not your kernel configuration or anything that
affects the dependency graph (especially anything under sys/conf).

If you checked out your source tree from svn, however, you should tell
freebsd-update to leave it alone (remove "src" from the "Components"
line in /etc/freebsd-update.conf), and update it yourself with "svn up".

You should also remove "src" from the "Components" line if you do not
have a source tree at all. Otherwise, freebsd-update may become confused
by updates that add a source file, like the OpenSSL update did. Updates
that modify a file aren't an issue, because freebsd-update will ignore
missing files.

DES

-- 
Dag-Erling Smørgrav - des@des.no
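The configuration steps DES describes (KERNCONF/KODIR in /etc/src.conf, the kernel line in /boot/loader.conf, and dropping "src" from the Components line of /etc/freebsd-update.conf) as a POSIX sh script. This is an added example, not code from the message or from FreeBSD; it takes the file paths as parameters so it can be exercised on copies under a temporary directory, and the kernel name MYKERNEL is an assumption taken from the message. The functions are idempotent, so re-running them after an update does not duplicate lines.

```shell
#!/bin/sh
# Added example, not part of the original message. Applies the custom-kernel
# settings from the post to the given files. Paths are parameters; the
# kernel name (MYKERNEL) is an assumption carried over from the message.

# Append "KEY=value" to a file unless KEY is already set there.
# Matching on the key (not the whole line) avoids duplicate definitions
# when the script is run again after a freebsd-update.
append_if_missing() {
    file=$1
    line=$2
    key=${line%%=*}
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        printf '%s: %s already set, leaving it alone\n' "$file" "$key" >&2
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Point the build at the custom config, install it next to (not over)
# /boot/kernel, and tell the loader to boot it.
configure_custom_kernel() {
    src_conf=$1
    loader_conf=$2
    kernconf=$3
    append_if_missing "$src_conf" "KERNCONF=${kernconf}"
    # Single quotes keep ${KERNCONF} literal: make(1) expands it, not sh.
    append_if_missing "$src_conf" 'KODIR=/boot/${KERNCONF}'
    append_if_missing "$loader_conf" "kernel=\"${kernconf}\""
}

# Remove the "src" token from the (uncommented) Components line so that
# freebsd-update leaves an svn-managed or absent source tree alone.
# Comment lines and every other line are copied through unchanged.
drop_src_component() {
    conf=$1
    tmp="${conf}.tmp.$$"
    awk '$1 == "Components" {
             out = $1
             for (i = 2; i <= NF; i++) if ($i != "src") out = out " " $i
             print out
             next
         }
         { print }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Return the effective Components line (for checking the result).
components_line() {
    grep '^Components' "$1"
}

# Stand-alone demo on throwaway copies: sh script.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'WITHOUT_X11=yes\n' > "$d/src.conf"
    : > "$d/loader.conf"
    printf 'Components src world kernel\n' > "$d/freebsd-update.conf"
    configure_custom_kernel "$d/src.conf" "$d/loader.conf" MYKERNEL
    drop_src_component "$d/freebsd-update.conf"
    cat "$d/src.conf" "$d/loader.conf"
    components_line "$d/freebsd-update.conf"
    rm -rf "$d"
fi
```

After the source tree has been refreshed (by freebsd-update if "src" is still a component, or by "svn up" otherwise), the rebuild itself is the "make buildkernel -DKERNFAST" and "make installkernel" pair from the message; with KODIR set as above, installkernel lands in /boot/MYKERNEL and /boot/kernel stays the freebsd-update-managed GENERIC.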