Date: Mon, 23 Dec 2002 16:24:29 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: how to check a revision of a file
Message-ID: <20021223162429.GA17603@happy-idiot-talk.infracaninophi>
In-Reply-To: <000201c2aa93$e5f72910$952b6e94@lucifer>
References: <000201c2aa93$e5f72910$952b6e94@lucifer>

On Mon, Dec 23, 2002 at 03:59:31PM +0100, Didier Wiroth wrote:
> I was reading this security advisory:
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:43.bind.asc
>
> At the end of the file you can read for example this information:
> src/contrib/bind/CHANGES
>   RELENG_4      1.1.1.7.2.8
>   RELENG_4_7    1.1.1.7.2.7.2.1
>   RELENG_4_6    1.1.1.7.2.6.2.2
>   RELENG_4_5    1.1.1.7.2.4.4.2
>   RELENG_4_4    1.1.1.7.2.4.2.2
> src/contrib/bind/bin/named/db_defs.h
>   RELENG_4      1.1.1.2.2.6
>   RELENG_4_7    1.1.1.2.2.5.2.1
>   RELENG_4_6    1.1.1.2.2.4.2.2
>   RELENG_4_5    1.1.1.2.2.3.4.2
>   RELENG_4_4    1.1.1.2.2.3.2.2
> etc...
> I'm using 4.7-Release and I was wondering if my sources were up to date! I
> looked at my /usr/src/contrib/bind... files but I could not find any kind of
> "Revision" numbers for example db_defs.h started with:
> * from db.h 4.16 (Berkeley) 6/1/90
> * $Id: db_defs.h,v 8.47 2002/05/18 01:02:53 marka Exp $
> */
> There were no "revision" annotations anywhere in the file:
>
> How do you find out if you have the correct sources of the files before
> recompiling and installing?

Usually all you need to do is find the $FreeBSD label in the file,
eg.

    % grep -F '$FreeBSD' /usr/src/UPDATING
    $FreeBSD: src/UPDATING,v 1.73.2.76 2002/11/20 16:56:45 bmah Exp $

Any file originating from the FreeBSD project will have a revision
label like that, as will many files imported from other sources.
However, as you correctly observe, some contributed sources don't
contain the revision label.  In this case you've got to go to a
FreeBSD cvs repository and grab a copy of the appropriate version of
the file and compare it directly with what you have on your system.
eg.

    http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/contrib/bind/CHANGES?rev=1.1.1.7.2.8

Download the appropriate version, and diff(1) it against the version
in your source tree.  If it's the same, then you're happy.
If there are differences, you're going to have to use the cvsweb.cgi
interface to see if it corresponds to an earlier or later version of
the file than shown in the advisory, and act accordingly.

Alternatively, look at the dates that fixes were applied as notified
in the advisory: if you last cvsup'd using one of the listed tags
after the given date (and did a {build,install}world cycle) then
you're in the clear.

In the specific case you mention, 4.7-RELEASE does contain the
vulnerability in question.  Those are the files in CVS tagged with
RELENG_4_7_0_RELEASE.  Your best option is probably to upgrade to
4.7-RELEASE-p2 which is the latest version on the RELENG_4_7 branch
and contains only minimal changes (all of which are security fixes)
compared to 4.7-RELEASE.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Tel: +44 1628 476614
Bucks., SL7 1TH UK
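
The label check described in the message above, as an added example that is not part of the original e-mail: it reads the $FreeBSD revision from a file and compares it with the corrected revision an advisory lists for your branch, using CVS revision-number ancestry so that branch-point and later-branch revisions are also classified. The function names and the sample file label are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original message).

# Print the revision from the first expanded $FreeBSD label in file $1;
# prints nothing when the file carries no label.
freebsd_rev() {
    sed -n 's/.*\$FreeBSD: [^ ]*,v \([0-9][0-9.]*\) .*/\1/p' "$1" | head -n 1
}

# Succeed if CVS revision $1 equals $2 or is an ancestor of it: $1 is no
# longer than $2, every component but its last matches $2, and its last
# component is <= the component of $2 in the same position.
rev_is_ancestor() {
    a=$1 b=$2
    while :; do
        ah=${a%%.*} bh=${b%%.*}
        case $a in
            *.*) [ "$ah" = "$bh" ] || return 1 ;;
            *)   [ "$ah" -le "$bh" ] && return 0
                 return 1 ;;
        esac
        case $b in *.*) ;; *) return 1 ;; esac   # $2 ran out of components
        a=${a#*.} b=${b#*.}
    done
}

# usage: check_file FILE FIXED_REV
# FIXED_REV is the advisory's revision for the branch you track.
check_file() {
    have=$(freebsd_rev "$1")
    if [ -z "$have" ]; then
        echo unlabelled      # no label: fetch that revision and diff(1) it
    elif rev_is_ancestor "$2" "$have"; then
        echo fixed           # at the corrected revision or a descendant
    elif rev_is_ancestor "$have" "$2"; then
        echo outdated        # predates the corrected revision
    else
        echo other-branch    # not comparable: check the history in cvsweb
    fi
}

# Constructed sample: hypothetical file labelled with a branch-point revision,
# checked against the RELENG_4_7 revision the advisory lists for CHANGES.
f=$(mktemp)
printf '%s\n' '/* $FreeBSD: src/example.c,v 1.1.1.7.2.7 2002/10/01 00:00:00 nobody Exp $ */' > "$f"
check_file "$f" 1.1.1.7.2.7.2.1    # prints: outdated
rm -f "$f"
```

Pass the revision from the advisory row for the branch you track; an `unlabelled` or `other-branch` result means falling back to the diff(1) and cvsweb comparison described in the message.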