From owner-freebsd-questions@FreeBSD.ORG Mon Jun 23 03:24:22 2003
Date: Mon, 23 Jun 2003 13:23:12 +0300
From: Jim Xochellis
To: Matthew Seaman
cc: freebsd-questions@freebsd.org
Subject: Re: About Patches
In-Reply-To: <20030623094444.GB27760@happy-idiot-talk.infracaninophile.co.uk>

Many thanks Matthew, you have been very helpful.

Regards,
Jim Xochellis

On Monday, June 23, 2003, at 12:44 PM, Matthew Seaman wrote:

> On Mon, Jun 23, 2003 at 11:54:54AM +0300, Jim Xochellis wrote:
>> Hi List,
>>
>> I need to apply some security patches to my FreeBSD(i386) 4.7-RELEASE
>> box and I am concerned about the possibility that I could actually harm
>> my system while trying to apply these patches. (I am not a Unix guru
>> actually)
>
> Fear not: security patches are very well tested and should do what
> they claim without unpleasant side effects. Even if there were
> problems with a patch in the early stages, it would soon be detected
> and corrected -- as there hasn't been a security patch since
> FreeBSD-SA-03:07.sendmail at the end of March, I don't think you have
> to worry on that score.
>
>> 1) Do I have to apply the security patches in a specific order?
>
> Preferably in the order that they were issued, although you can
> probably get away with a different order for patches that apply to
> distinct parts of the sources.
>
>> 2) Is there a chance where a patch requires a previous one? (In my case
>> some patches are not applicable)
>
> Source patches will generally be made against the previous patch level
> of whichever release branch is involved. So, yes, you will have to
> apply pre-requisite patches in some circumstances. Any necessary
> prerequisites will be documented in the advisory: e.g. see
>
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03%3A06.openssl.asc
>
> which states:
>
>   2) To patch your present system:
>
>   The following patches have been verified to apply to FreeBSD 4.6, 4.7,
>   and 5.0 systems which have already been patched for the issues resolved
>   in FreeBSD-SA-03:02.openssl.
>
>> 3) What if the code is not in the state that the patch requires? (For
>> instance if I have updated that port)
>
> FreeBSD security advisories generally only apply to the base system,
> and patches will only be issued for the system sources. Security
> problems to do with ported software are usually announced via security
> notices. In general, you should use cvsup(1) to update your ports
> tree and a tool like portupgrade(1) to update any ports software.
>
> Note that ports don't follow the same -CURRENT, -STABLE, -RELEASE
> structure as the system sources. At most, all that happens is the
> ports tree will be tagged in CVS as a record of its state when a
> particular release was made. When updating, you should simply aim to
> install the latest available versions of ported software.
>
> In fact, as a general mechanism to keep your system sources up to
> date, I'd recommend that you use cvsup(1) to track the RELENG_4_7
> branch. This will effectively act as an automated mechanism to apply
> the same security patches as released separately, but with less chance
> of operator error. See
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
> for instructions -- you should base any supfile you use on
> /usr/share/examples/cvsup/standard-supfile, which apart from not
> specifying which cvsup server to use is pretty much all you need to
> keep your 4.7-RELEASE sources up to date. (The ports-supfile in the
> same directory will do the equivalent for the ports sources.)
>
>> 4) Are the patches clever enough to protect me from harming my system?
>
> No. You need to take care and think about what you're doing while
> updating the system. Having said that, the patches aren't unduly
> difficult to use, and if you follow the instructions you'll be just
> fine.
>
>> 5) Is there a safe way to undo a patch?
>
> Make sure you have good backups, which you have tested to ensure you
> can recover the system.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
>                                                       Savill Way
> PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
> Tel: +44 1628 476614                                  Bucks., SL7 1TH
>                                                       UK
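An added example, not from Matthew's reply or the FreeBSD project, of the checks a cautious admin would script around patch(1) for questions 3 and 5 above: dry-run the advisory patch against the tree before touching it, refuse to apply if the sources are not in the expected state, keep .orig backups, and reverse the patch with -R. It assumes a patch(1) that understands --dry-run, -N, -F, -b and -R (GNU patch does), and uses a constructed sample tree standing in for /usr/src.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU patch(1) options
# --dry-run, -N, -F, -b and -R. The sample tree below is constructed.
set -u

# Return 0 if every hunk of patch $2 would apply cleanly under source root $1,
# without modifying anything. Fails if a file was independently updated
# (question 3) or the patch is already in place (-N refuses reversed patches).
patch_would_apply() {
    patch -p0 -N -F0 -s --dry-run -d "$1" < "$2" >/dev/null 2>&1
}

# Apply with .orig backups, but only after the dry-run check passes.
apply_patch_safely() {
    patch_would_apply "$1" "$2" || return 1
    patch -p0 -N -F0 -s -b -d "$1" < "$2" >/dev/null 2>&1
}

# Back the patch out again (a tested full backup is still the real safety net).
revert_patch() {
    patch -p0 -R -F0 -s -d "$1" < "$2" >/dev/null 2>&1
}

# Constructed stand-in for /usr/src plus an advisory-style patch; prints its root.
make_sample_tree() {
    work=$(mktemp -d)
    mkdir -p "$work/src/lib"
    printf 'int check_len(int n)\n{\n    return n < 256;\n}\n' > "$work/src/lib/foo.c"
    cat > "$work/fix.patch" <<'EOF'
--- src/lib/foo.c.orig
+++ src/lib/foo.c
@@ -1,4 +1,4 @@
 int check_len(int n)
 {
-    return n < 256;
+    return n >= 0 && n < 256;
 }
EOF
    echo "$work"
}

# Demo: check and apply, show that a second run is refused, then revert.
demo() {
    root=$(make_sample_tree)
    apply_patch_safely "$root" "$root/fix.patch" && echo "patch applied"
    patch_would_apply "$root" "$root/fix.patch" || echo "patch no longer fits (already applied)"
    revert_patch "$root" "$root/fix.patch" && echo "patch reverted"
    rm -rf "$root"
}
```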