Date: Sat, 8 Apr 2006 00:34:23 +0300 From: Giorgos Keramidas <keramida@ceid.upatras.gr> To: Jonathan Horne <freebsd@dfwlp.com> Cc: freebsd-questions@freebsd.org Subject: Re: a few questions and concepts Message-ID: <20060407213423.GB96006@gothmog.pc> In-Reply-To: <43461.208.11.134.3.1144443260.squirrel@mail.dfwlp.com> References: <43461.208.11.134.3.1144443260.squirrel@mail.dfwlp.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2006-04-07 15:54, Jonathan Horne <freebsd@dfwlp.com> wrote:
> im still pretty new to freebsd. ive been playing around with the cvsup
> tools, and they are quite fascinating.
>
> i changed my production server from Fedora to FreeBSD 6.0, about 1 day
> before the most recent sendmail exploit was published (well, published on
> freebsd.org anyway).
Murphy at work, again, eh? :)
> i did download the patch and recompile it, but as some have also noted
> on this list, that it still banners as 8.13.4 when you telnet to it.
>
> so, the past couple of days, i have learned to cvsup my /usr/src
> directories. ive just been using the standard copy of the stable-supfile.
> i have learned that if i perform the sendmail recompile after the cvsup,
> that it sendmail seems to proclaim 8.13.6 in the banner. on top of that,
> i have learned that if i recompile the kernel after cvsup, that it no
> longer says FreeBSD 6.0-RELEASE, but FreeBSD 6.1-PRERELEASE.
You are running RELENG_6 now, which is much more recent than
RELENG_6_0_RELEASE.
The first one is the top of the 6.X branch, which changes moderately
slow, but it *does* change. The 6.0-RELEASE source tree is "frozen in
time" at the point the tag was placed on the source tree.
> my questions:
> 1) after cvsup, i think i can assume that sendmail is now compiling from
> sourcecode that should definatly be free from the current exploit. i
> would also assume that anything that i would need to recompile from
> /usr/src should also see the benefit of 'latest source code'?
Yes, both true.
> 2) on a production server, should i avoid recompiling a kernel that will
> be FreeBSD 6.1-PRERELEASE? on the whole, how reliable is the bulk of
> these newer sources that were pulled down by cvsup?
In general, if you a bit paranoid, you should avoid running RELENG_6 on
a production system. At least until you have thoroughly tested it on a
"test system" and found everything working as expected.
> i can definatly see the benefits of using cvsup to take care of
> problem with some things (like sendmail), but allowing it to update
> everything under the /usr/src tree, im wondering if i could be setting
> myself up for issues (by not editing the stable-supfile and taking
> only what i need).
This is why each FreeBSD release is associated with at least:
* A "frozen" tag, like RELENG_6_0_RELEASE
* A security branch, like RELENG_6_0
* A stable branch, like RELENG_6
Changes go very fast in the CURRENT FreeBSD branch. After they settle
in for a while, soem of them are backported to the RELENG_X branch. The
RELENG_X branch changes much slower than the experimental, CURRENT
branch, but it does change every time a new feature is backported to
RELENG_X.
Then, when security fixes are made available, they are added both to the
RELENG_X branch and the RELENG_X_Y security branches.
If all you want is the "frozen" release sources plus changes that are
really really necessary, because they fix a serious security bug, you
probably want RELENG_X_Y (RELENG_6_0 in this case).
Regards,
Giorgos
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060407213423.GB96006>