From owner-freebsd-questions@FreeBSD.ORG Fri Apr 7 21:34:08 2006
Date: Sat, 8 Apr 2006 00:34:23 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Jonathan Horne
Cc: freebsd-questions@freebsd.org
Subject: Re: a few questions and concepts
Message-ID: <20060407213423.GB96006@gothmog.pc>
In-Reply-To: <43461.208.11.134.3.1144443260.squirrel@mail.dfwlp.com>
References: <43461.208.11.134.3.1144443260.squirrel@mail.dfwlp.com>
Content-Type: text/plain; charset=us-ascii
List-Id: User questions

On 2006-04-07 15:54, Jonathan Horne wrote:
> I'm still pretty new to FreeBSD. I've been playing around with the cvsup
> tools, and they are quite fascinating.
>
> I changed my production server from Fedora to FreeBSD 6.0, about 1 day
> before the most recent sendmail exploit was published (well, published on
> freebsd.org anyway).

Murphy at work, again, eh? :)

> I did download the patch and recompile it, but as some have also noted
> on this list, it still banners as 8.13.4 when you telnet to it.
>
> So, the past couple of days, I have learned to cvsup my /usr/src
> directories. I've just been using the standard copy of the stable-supfile.
> I have learned that if I perform the sendmail recompile after the cvsup,
> sendmail seems to proclaim 8.13.6 in the banner. On top of that,
> I have learned that if I recompile the kernel after cvsup, it no
> longer says FreeBSD 6.0-RELEASE, but FreeBSD 6.1-PRERELEASE.

You are running RELENG_6 now, which is much more recent than
RELENG_6_0_RELEASE. The first one is the top of the 6.X branch, which
changes moderately slowly, but it *does* change. The 6.0-RELEASE source
tree is "frozen in time" at the point the tag was placed on the source
tree.

> My questions:
> 1) After cvsup, I think I can assume that sendmail is now compiling from
> source code that should definitely be free from the current exploit. I
> would also assume that anything that I would need to recompile from
> /usr/src should also see the benefit of 'latest source code'?

Yes, both true.

> 2) On a production server, should I avoid recompiling a kernel that will
> be FreeBSD 6.1-PRERELEASE? On the whole, how reliable is the bulk of
> these newer sources that were pulled down by cvsup?

In general, if you are a bit paranoid, you should avoid running RELENG_6
on a production system. At least until you have thoroughly tested it on a
"test system" and found everything working as expected.

> I can definitely see the benefits of using cvsup to take care of
> problems with some things (like sendmail), but allowing it to update
> everything under the /usr/src tree, I'm wondering if I could be setting
> myself up for issues (by not editing the stable-supfile and taking
> only what I need).

This is why each FreeBSD release is associated with at least:

* A "frozen" tag, like RELENG_6_0_RELEASE
* A security branch, like RELENG_6_0
* A stable branch, like RELENG_6

Changes go very fast in the CURRENT FreeBSD branch. After they settle in
for a while, some of them are backported to the RELENG_X branch. The
RELENG_X branch changes much slower than the experimental CURRENT branch,
but it does change every time a new feature is backported to RELENG_X.
Then, when security fixes are made available, they are added both to the
RELENG_X branch and the RELENG_X_Y security branches.

If all you want is the "frozen" release sources plus changes that are
really, really necessary, because they fix a serious security bug, you
probably want RELENG_X_Y (RELENG_6_0 in this case).

Regards,
Giorgos
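The practical consequence of the branch layout above is a one-line difference in the supfile: the stock stable-supfile tracks tag=RELENG_6, while a production box that only wants security fixes should track tag=RELENG_6_0. The following added example (not part of Giorgos's mail or of FreeBSD itself) reads the tag out of a cvsup supfile, classifies it as frozen, security, stable or current, and refuses to bless a file that tracks the stable branch. The supfile contents are constructed for the demonstration, the host name cvsup.example.org is hypothetical, and the function names (classify_tag, supfile_tag, write_supfile, check_supfile_for_production) are my own.

```shell
#!/bin/sh
# Added example: check which cvsup branch a supfile tracks before running
# cvsup on a production host. Tag layout follows the mail above:
#   RELENG_6_0_RELEASE  frozen release tag
#   RELENG_6_0          security branch
#   RELENG_6            stable branch
#   .                   CURRENT (tag=. means the head of the tree)

# Map a cvsup tag to its branch kind. Order matters: a frozen tag such as
# RELENG_6_0_RELEASE would also match the security pattern below it.
classify_tag() {
    case "$1" in
        RELENG_[0-9]*_[0-9]*_RELEASE) echo frozen ;;
        RELENG_[0-9]*_[0-9]*)         echo security ;;
        RELENG_[0-9]*)                echo stable ;;
        .)                            echo current ;;
        *)                            echo unknown ;;
    esac
}

# Extract the tag= value from the "*default release=cvs tag=..." line.
supfile_tag() {
    sed -n 's/^\*default[[:space:]]\{1,\}release=cvs[[:space:]]\{1,\}tag=\([^[:space:]]*\).*/\1/p' "$1" \
        | head -n 1
}

# Write a constructed supfile to $1 tracking tag $2 (host name is hypothetical).
write_supfile() {
    cat > "$1" <<EOF
*default host=cvsup.example.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=$2
*default delete use-rel-suffix
*default compress
src-all
EOF
}

# Return 0 only if the supfile tracks a frozen tag or a security branch;
# anything else (stable, current, unparseable) is reported and rejected.
check_supfile_for_production() {
    kind=$(classify_tag "$(supfile_tag "$1")")
    case "$kind" in
        frozen|security)
            echo "ok: $1 tracks a $kind branch"
            return 0 ;;
        *)
            echo "warning: $1 tracks a '$kind' branch, not a security branch" >&2
            return 1 ;;
    esac
}

# Demonstration: the stock stable-supfile setting versus the security branch.
tmp=$(mktemp)
write_supfile "$tmp" RELENG_6
check_supfile_for_production "$tmp"      # rejected: stable branch
write_supfile "$tmp" RELENG_6_0
check_supfile_for_production "$tmp"      # accepted: security branch
rm -f "$tmp"
```

Run it against the real /usr/share/examples/cvsup/stable-supfile (or your edited copy) with check_supfile_for_production, and wire it in front of the cvsup invocation so a host meant to sit on RELENG_6_0 cannot drift onto RELENG_6 by accident.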