Date:      Fri, 24 Aug 2001 12:18:21 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Marcio d'Avila Scheibler <marcio@cpd.ufsm.br>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Help with Binary Upgrade Packages
Message-ID:  <20010824121821.A81523@xor.obsecurity.org>
In-Reply-To: <Pine.A41.4.05.10108241012310.27966-100000@saigon.cpd.ufsm.br>; from marcio@cpd.ufsm.br on Fri, Aug 24, 2001 at 11:02:17AM -0300
References:  <Pine.A41.4.05.10108241012310.27966-100000@saigon.cpd.ufsm.br>

On Fri, Aug 24, 2001 at 11:02:17AM -0300, Marcio d'Avila Scheibler wrote:

> For instance, suppose we have two hypothetical advisories #102 and
> #105, with their respective binary upgrade packages, and due to
> the problem, both replace the same file, /usr/lib/somelib.so,
> but #102 also replaces other files that #105 does not and
> so on...
>
> Suppose that at a first time, I installed just
> patch-something-105.tgz, will the applied /usr/lib/somelib.so
> file also incorporate fix #102?

Not completely.  The #105 patch will only change /usr/lib/somelib.so
to include both fixes to that file, but that may break other binaries
which were patched by your #102.  This situation hasn't arisen yet in
RELENG_4_3, but we'd install a dependency in the package to make sure
you have #102 already installed so you can't shoot your foot off.

> At a second time, I install an optional component/set/feature
> that I didn't need before. Since this optional component had
> some announced bugs, I needed to install patch-something-102.tgz.

This is trickier to guard against.  If you do this, then you'll have
to remove and reapply all of the binary patches which apply to the new
files.

> Will we need to retrieve and install the complete sequence of
> binary upgrades no matter about not used features ?

If you're not using something and know you never will, and leaving it
unpatched won't compromise your system (e.g. you don't have local
users) it's theoretically safe to leave it unpatched.  Of course, it's
dangerous if you decide 2 months down the line to set up that feature,
and forget about the unpatched vulnerability.  Probably best to apply
them all and be safe.

Kris
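
The two cases discussed in this message, modelled as an added example (not part of the original e-mail and not any FreeBSD tool). It assumes each binary patch replaces whole files and that a later advisory's copy of a file carries all earlier fixes to it; advisory 103 and every path except /usr/lib/somelib.so are constructed. It goes one step beyond the message by also re-applying later installed patches whose files an earlier patch would overwrite.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Patch:
    advisory: int        # advisory number; a higher number was issued later
    files: frozenset     # paths this binary patch replaces (whole files)

# Constructed catalog: only 102, 105 and /usr/lib/somelib.so come from the
# thread; advisory 103 and the other paths are made up for illustration.
CATALOG = [
    Patch(102, frozenset({"/usr/lib/somelib.so", "/usr/bin/optional-tool"})),
    Patch(103, frozenset({"/usr/sbin/unrelated"})),
    Patch(105, frozenset({"/usr/lib/somelib.so"})),
]

def prerequisites(patch, catalog):
    """Earlier advisories sharing a file with `patch`, followed transitively."""
    needed, frontier = set(), [patch]
    while frontier:
        cur = frontier.pop()
        for p in catalog:
            if (p.advisory < cur.advisory and p.files & cur.files
                    and p.advisory not in needed):
                needed.add(p.advisory)
                frontier.append(p)
    return sorted(needed)

def missing_prerequisites(patch, catalog, installed):
    """Advisories that must already be installed before `patch` is applied."""
    return [a for a in prerequisites(patch, catalog) if a not in installed]

def plan_after_new_component(new_files, catalog, installed):
    """Patches to (re)apply, oldest first, after a component adds `new_files`.
    'reapply' means remove then apply; 'apply' means it was never installed."""
    plan = {p.advisory: p for p in catalog if p.files & new_files}
    changed = True
    while changed:  # pull in later installed patches whose files get overwritten
        changed = False
        for p in catalog:
            if (p.advisory in installed and p.advisory not in plan and any(
                    q.advisory < p.advisory and q.files & p.files
                    for q in plan.values())):
                plan[p.advisory] = p
                changed = True
    return [(a, "reapply" if a in installed else "apply") for a in sorted(plan)]
```

With only #105 installed, adding the optional component yields a plan of #102 followed by #105 again, because #102's copy of the shared library would otherwise replace the newer one.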
