Date:      Mon, 31 Oct 2005 04:43:00 +0300
From:      "Andrew P." <infofarmer@gmail.com>
To:        "Grigory O. Ptashko" <trancer@bk.ru>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Buildworld and Security advisories.
Message-ID:  <cb5206420510301743i647969a3j9d77bdf609186a3c@mail.gmail.com>
In-Reply-To: <1087232230.20051031003352@bk.ru>
References:  <1087232230.20051031003352@bk.ru>

On 10/31/05, Grigory O. Ptashko <trancer@bk.ru> wrote:
> Hello, list.
>
> I am new to FreeBSD source upgrading/patching source tree system.
> After reading the following chapters from the handbook:
>
> 14.14 FreeBSD Security Advisories
> 20 The Cutting Edge (about rebuilding "world")
>
> I have some questions.
>
> 1) If I install a FreeBSD RELEASE on a machine what do I have to do to
> patch all those bugs listed in FreeBSD Security Advisories?
> Is it enough to synchronize my source tree with the STABLE branch or
> do I have to get all patches and apply them manually?
> And if I must patch the source tree manually do I have to do this after
> synchronizing the source tree with STABLE or before? Or it doesn't
> matter?
>
> In two words what are the relations between patching the bugs listed in
> Advisories and the process of synchronizing the source tree of the
> RELEASE with the STABLE?
>
> 2) How often should I synchronize sources with the STABLE?
>
> Currently I am working with 4.11 RELEASE.
>
>
> Thanks!

To get all security fixes for your OS, you should do
_one_ of the following:

* patch manually and recompile - as stated in the SA
* synchronize to the security branch, i.e. RELENG_4_11
or RELENG_5_4, and rebuild world/kernel
* synchronize to the stable branch, i.e. RELENG_4,
RELENG_5 or RELENG_6, and rebuild world/kernel
* perform a binary upgrade

You can use either way each time an SA is published,
no matter what way you have used last time. For example
you can perform a binary upgrade from RELEASE to
5.4-p1, then patch manually and recompile to 5.4-p2
then sync to stable, then sync to security branch and
so on. Sometimes binary and manual upgrades leave
uname output "old", but they always fix a security hole.

Often, users manually patch systems where a reboot
is very undesirable, sync to security branch on all
mission-critical servers, where a reboot is possible,
sync to stable on all other servers and use binary
upgrades on systems that are very slow, or limited in
other ways.
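
Added example, not part of the original message: a POSIX sh sketch that derives the security-branch and stable-branch tags named above from a `uname -r` style release string and writes a cvsup supfile for the chosen tag. The function names, the sample release string and the host `cvsup.example.org` are assumptions made for illustration; use your own mirror.

```shell
#!/bin/sh
# Added example: map a release string to the branch tags discussed above.

# security_tag REL: X.Y-RELEASE[-pN] -> RELENG_X_Y (e.g. RELENG_4_11).
# Returns 1 for anything else, e.g. a machine already tracking -STABLE.
security_tag() {
    ver=${1%%-*}                      # "4.11-RELEASE-p2" -> "4.11"
    rest=${1#"$ver"}                  # "-RELEASE-p2"
    case "$rest" in -RELEASE|-RELEASE-p[0-9]*) ;; *) return 1 ;; esac
    major=${ver%%.*}; minor=${ver#*.}
    case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$ver" = "$major.$minor" ] || return 1   # exactly one dot
    echo "RELENG_${major}_${minor}"
}

# stable_tag REL: X.Y-anything -> RELENG_X (e.g. RELENG_4).
stable_tag() {
    major=${1%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    echo "RELENG_${major}"
}

# make_supfile TAG HOST: print a supfile that checks out src-all at TAG.
make_supfile() {
    cat <<EOF
*default host=$2
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=$1
*default delete use-rel-suffix
*default compress
src-all
EOF
}

# Constructed sample input; on a live system use: rel=$(uname -r)
rel="4.11-RELEASE"
if tag=$(security_tag "$rel"); then
    echo "# security branch for $rel is $tag (stable: $(stable_tag "$rel"))"
    make_supfile "$tag" cvsup.example.org    # placeholder host
else
    echo "# $rel is not an X.Y-RELEASE string; no security branch derived" >&2
fi
```

Feed the generated supfile to cvsup, then rebuild world and kernel as described in the Handbook chapter the question cites.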


