From: "Devon H. O'Dell" <dodell@sitetronics.com>
To: "V. Jones"
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Patch question
Date: Thu, 25 Sep 2003 21:52:32 +0200
Message-ID: <3F734780.7060506@sitetronics.com>
In-Reply-To: <30098393.1064516508386.JavaMail.root@huey.psp.pas.earthlink.net>

V. Jones wrote:
> I administer a remote server and want to apply some of the security patches. (I assume this is the best way to go since I can't go into single-user mode to use CVSup).

First: you can update your system without booting into single-user mode.
I hope I don't get chewed out for suggesting this, but if there's nobody physically *at* your server to do the update for you, you're going to have to do it yourself (see below).

> I have a couple of questions. First, I have installed one of the pgp ports to verify the patches. When I run it, I get this message:
>
>> File 'buffer46.patch.asc' has signature, but with no text.
>> Text is assumed to be in file 'buffer46.patch'.
>> signature not checked.
>> Signature made 2003/09/17 18:02 GMT
>> key does not meet validity threshold.
>>
>> WARNING: Because this public key is not certified with a trusted
>> signature, it is not known with high confidence that this public key
>> actually belongs to: "(KeyID: 0xCA6CDFB2)".
>
> I guess that I need to do some additional setup to get pgp to validate this file. Can anyone tell me where to find a howto on this subject or tell me what to do?

Sure. IIRC, this just means that you've not marked the person's (KeyID: 0xCA6CDFB2) signature as trusted. You'll need to connect to a keyserver and download the information about the person with KeyID: 0xCA6CDFB2. If you trust that you've the right data, you can mark said person as trusted.

> Second, do I have to apply each patch, then run make after each patch, or can I apply all the patches and just run make once?
>
> Any other advice or suggestions on updating a remote system would be appreciated.

You can apply all the patches and run make one time. If you're not interested in rebuilding the entire userland (and you're not installing newer versions of userland utilities that rely on an updated kernel), you can just run cvsup, download the source, and run make from within the desired directories. The handbook recommends that one drop into single-user mode to build the world. While this is certainly best practice, it is by no means absolutely necessary.
I administer several servers up to nine time zones away from me and, whenever there's a security advisory, I either a) rebuild the entire userland and kernel if I've found enough things I need to change/tune at kernel level, or b) rebuild and install the affected patches (which may actually cause option a -- rebuilding the world -- to be a necessity). Again, building the world under single-user mode is a highly suggested best practice. It is by no means absolutely necessary and I've been doing it for a good while with no problems (never had a problem with it).

I'd be glad to help you out with it privately, if you so wish.

--Devon
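As an added example (not part of Devon's reply, the thread, or any FreeBSD tool), here is the check his advice implies, written for GnuPG's gpg(1) rather than the pgp port the poster used: fetch the key for the key id quoted in the thread, pin its fingerprint against a value obtained out of band (not from the same keyserver), classify the signature result, and refuse to apply anything unless the signature is both good and from a trusted key. The "signature not checked / key does not meet validity threshold" output in the thread corresponds to the "untrusted" verdict below. The file names and key id come from the thread; `EXPECTED_FPR` is a placeholder; `classify_status`, `fingerprint_matches` and `verify_and_apply` are names chosen for this example; the `[GNUPG:]` status keywords are gpg's own `--status-fd` vocabulary.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD. Uses gpg(1) instead
# of the pgp port because its --status-fd output is machine readable.
# EXPECTED_FPR is a PLACEHOLDER: fill it with the security officer's fingerprint
# obtained out of band (printed advisory, handbook, a person you trust).
set -eu

KEYID="0xCA6CDFB2"                       # key id quoted in the thread
EXPECTED_FPR="PLACEHOLDER_FINGERPRINT"   # pin this from a trusted source

# Compare two fingerprints after stripping spaces and upper-casing.
# Returns 0 on match, 1 on mismatch or empty input.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Read a gpg --status-fd stream on stdin and print one word:
#   bad        no signature, or it does not verify: never apply the patch
#   untrusted  signature verifies but the key is not trusted in your keyring
#              (the "key does not meet validity threshold" case in the thread)
#   trusted    signature verifies with a key you have marked as trusted
classify_status() {
    sig=none
    trust=none
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*) sig=bad ;;
            "[GNUPG:] GOODSIG "*) [ "$sig" = bad ] || sig=good ;;
            "[GNUPG:] TRUST_UNDEFINED"*|"[GNUPG:] TRUST_NEVER"*|"[GNUPG:] TRUST_MARGINAL"*) trust=low ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trust=high ;;
        esac
    done
    if [ "$sig" != good ]; then
        echo bad
    elif [ "$trust" = high ]; then
        echo trusted
    else
        echo untrusted
    fi
}

# Fetch the key, check its fingerprint against the pinned value, verify each
# detached signature, and only then apply all patches and run make once
# (as Devon says: one make for all patches). Arguments: patch file names;
# each is expected to have a matching "<name>.asc" beside it.
verify_and_apply() {
    gpg --recv-keys "$KEYID"
    actual=$(gpg --with-colons --fingerprint "$KEYID" | awk -F: '/^fpr:/ { print $10; exit }')
    if ! fingerprint_matches "$EXPECTED_FPR" "$actual"; then
        echo "fingerprint mismatch for $KEYID: got '$actual'" >&2
        return 1
    fi
    for p in "$@"; do
        verdict=$(gpg --status-fd 1 --verify "$p.asc" "$p" 2>/dev/null | classify_status)
        if [ "$verdict" != trusted ]; then
            echo "$p: signature verdict '$verdict', refusing to apply" >&2
            return 1
        fi
    done
    for p in "$@"; do
        patch < "$p"       # apply from the top of the source tree
    done
    make                   # one build for all applied patches
}

# Only touch the real system when asked to, e.g.:
#   cd /usr/src && sh verify_and_apply.sh --run buffer46.patch
if [ "${1:-}" = "--run" ]; then
    shift
    verify_and_apply "$@"
fi
```

The point of separating `classify_status` from the gpg call is that a good signature and a trusted key are two different facts: the pgp port in the thread reported the first ("Signature made ...") and then explicitly declined the second ("key does not meet validity threshold"), and only the combination justifies applying a patch to a remote box you cannot walk over to.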