Date: Fri, 24 Aug 2001 12:18:21 -0700
From: Kris Kennaway
To: Marcio d'Avila Scheibler
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Help with Binary Upgrade Packages
Message-ID: <20010824121821.A81523@xor.obsecurity.org>

On Fri, Aug 24, 2001 at 11:02:17AM -0300, Marcio d'Avila Scheibler wrote:

> For instance, suppose we have two hypothetical advisories #102 and
> #105, with their respective binary upgrade packages, and due to
> the problem, both replace the same file, /usr/lib/somelib.so,
> but #102 also replaces other files that #105 does not and
> so on...
>
> Suppose that at a first time, I installed just
> patch-something-105.tgz, will the applied /usr/lib/somelib.so
> file also incorporate fix #102?

Not completely. The #105 patch will only change /usr/lib/somelib.so to include both fixes to that file, but that may break other binaries which were patched by your #102.

This situation hasn't arisen yet in RELENG_4_3, but we'd install a dependency in the package to make sure you have #102 already installed so you can't shoot your foot off.

> At a second time, I install an optional component/set/feature
> that I didn't need before. Since this optional component had
> some announced bugs, I needed to install patch-something-102.tgz.

This is trickier to guard against. If you do this, then you'll have to remove and reapply all of the binary patches which apply to the new files.

> Will we need to retrieve and install the complete sequence of
> binary upgrades no matter about not used features?

If you're not using something and know you never will, and leaving it unpatched won't compromise your system (e.g. you don't have local users) it's theoretically safe to leave it unpatched. Of course, it's dangerous if you decide 2 months down the line to set up that feature, and forget about the unpatched vulnerability. Probably best to apply them all and be safe.

Kris
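The ordering problem discussed in this message, as a small model added here for illustration; it is not part of the original mail and not FreeBSD's packaging code. It assumes each package replaces whole files and that a later package's copy of a file carries every earlier fix to that file; `/usr/bin/sometool` and all function names are hypothetical.

```python
# Constructed data: advisory numbers and /usr/lib/somelib.so come from the
# message; /usr/bin/sometool stands in for the optional component's file.
PATCHES = {
    102: {"/usr/lib/somelib.so", "/usr/bin/sometool"},
    105: {"/usr/lib/somelib.so"},
}

def fixes_shipped(patch_id, path):
    """Fixes contained in the copy of `path` shipped by `patch_id` (assumed model)."""
    return {p for p, files in PATCHES.items() if p <= patch_id and path in files}

def apply_patch(system, patch_id):
    """Overwrite every shipped file that exists on the system; skip absent ones."""
    for path in system.keys() & PATCHES[patch_id]:
        system[path] = fixes_shipped(patch_id, path)

def missing_fixes(system):
    """Map each installed file to the advisory fixes it still lacks."""
    gaps = {}
    for path, have in system.items():
        want = {p for p, files in PATCHES.items() if path in files}
        if want - have:
            gaps[path] = sorted(want - have)
    return gaps

def prerequisites(patch_id):
    """Earlier patches sharing a file with `patch_id`: the dependency to declare."""
    return sorted(p for p in PATCHES
                  if p < patch_id and PATCHES[p] & PATCHES[patch_id])

def scenario():
    system = {"/usr/lib/somelib.so": set()}   # optional component not installed
    apply_patch(system, 105)                  # only #105 applied at first
    system["/usr/bin/sometool"] = set()       # optional component added later
    after_component = missing_fixes(system)
    apply_patch(system, 102)                  # #102 applied late, out of order
    after_late_102 = missing_fixes(system)    # somelib.so has lost fix #105
    apply_patch(system, 105)                  # reapply #105 to restore it
    return after_component, after_late_102, missing_fixes(system)

if __name__ == "__main__":
    print("prerequisites of #105:", prerequisites(105))
    for step in scenario():
        print(step)
```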