From: Antonio Olivares
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Date: Sun, 19 Feb 2012 05:17:59 -0600
Subject: Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3

On Sun, Feb 19, 2012 at 4:22 AM, Matthew Seaman wrote:
> On 19/02/2012 02:06, Antonio Olivares wrote:
>> On Sat, Feb 18, 2012 at 8:04 PM, Robert Bonomi wrote:
>>>
>>> Antonio,
>>>  The 'upgrade' from _P5_ to P6 did not touch the kernel, hence the kernel ID
>>> did not change.
>>>
>>>  Going from P3  you should have seen a kernel update.
>>>
>>>  what do you see if you do "strings /boot/kernel/kernel |grep 8"
>>
>> It is a big file so I'll paste it to pastebin temporarily:
>>
>> http://pastebin.com/K1PsTa0P
>
> Heh.  The interesting bit is on line 4301 -- the last line of that
> output.  A slightly more selective grep term would have been a good idea.
>
> Anyhow, that shows the kernel on your system is 8.2-RELEASE-p3.  Which
> implies that something ain't right somewhere.
>
> Four possibilities, roughly in order of severity:
>
>   1) None of the security patches between p3 and p6 did actually
>      touch the kernel.  You can tell if this was the case by looking
>      at the list of modified files in the security advisory.  The
>      kernel is affected if any files under sys have been
>      modified other than src/sys/conf/newvers.sh
>
>      The last advisory that did touch the kernel was
>      http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc
>
>      which should have given you 8.2-RELEASE-p4.  However -- see
>      below.
>
>   2) An oversight in the freebsd-update process upstream meaning that
>      the operational patches were applied, but not the changes to the
>      kernel version number when the replacement kernel was compiled.
>      Unlikely, as newvers.sh is always updated on each of the security
>      branches even if the update doesn't touch the kernel.
>
>   3) You've told freebsd-update not to touch your kernel.  Unlikely,
>      and not in the default config, but useful where people need to
>      use a custom kernel and maintain the rest of the system with
>      freebsd-update.
>
>      In this case, you'd have modified /etc/freebsd-update.conf to
>      change:
>
>        Components src world kernel
>
>      to read:
>
>        Components src world
>
>      Also you should be expecting to have to rebuild your kernel from
>      sources, so I doubt this is the case.

/etc/freebsd-update.conf has:

=====line 1 col 0 lines from top 1 ============================================
# $FreeBSD: src/etc/freebsd-update.conf,v 1.6.2.2.6.1 2010/12/21 17:09:25 kensmi

# Trusted keyprint.  Changing this is a Bad Idea unless you've received
# a PGP-signed email from telling you to
# change it and explaining why.
KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5

# Server or server pool from which to fetch updates.  You can change
# this to point at a specific server if you want, but in most cases
# using a "nearby" server won't provide a measurable improvement in
# performance.
ServerName update.FreeBSD.org

# Components of the base system which should be kept updated.
Components src world kernel

..... removed to save space ....

>
>   4) The kernel wasn't patched properly and hasn't been updated and
>      you're still vulnerable.
>
> Now, I believe that in fact the situation is in fact as described in
> option (1) -- none of the patches since p3 have touched the kernel
> distributed through freebsd-update.  (2) and (4) can be discounted -- if
> such egregious mistakes had been made, they would long ago have been
> noticed and corrected.
>
> Here is the thing I alluded to under option (1).  The security patch for
> the unix domain socket problem came out in two chunks.  There was an
> original patch to fix the actual security problem, then a later followup
> patch to fix a bug that exposed in the linux emulation layer.  It is
> possible to tell this from the text of the advisory as it exists at the
> moment, but you might not see it unless you are looking for it.  The
> important bit of text is this:
>
>  NOTE: The patch distributed at the time of the original advisory fixed
>  the security vulnerability but exposed the pre-existing bug in the
>  linux emulation subsystem.  Systems to which the original patch was
>  applied should be patched with the following corrective patch, which
>  contains only the additional changes required to fix the newly-
>  exposed linux emulation bug:
>
> Given that the second part of the patch was actually not a security fix,
> there would not have been a modified kernel distributed.  So you got a
> bundle of three advisories issued together on 2011-09-28 resulting in
> FreeBSD 8.2-RELEASE-p3.  Then later on, at 2011-10-04 a further update
> was issued modifying FreeBSD-SA-11:05-unix and technically taking the
> system to FreeBSD 8.2-RELEASE-p4.  However, as this was not a security
> fix, it was not applied to the freebsd-update distribution channel.  As
> none of the updates since then have touched the kernel, it will still
> show -p3 even though you are in fact fully patched against all known
> security problems.

I hope this is the case, but that -p3 makes me think? I am hesitant
to move to 9.0-RELEASE as of yet. There will apparently be an
8.3-RELEASE and I am not sure whether I have to rebuild all ports if I
update to newer release. I have read some places that one does not
have to rebuild all ports, and just install compat8.x/ special port.
In FreeBSD Handbook, it still recommends to rebuild all ports. It took
me a while to get going last time I moved from 8.1-RELEASE to
8.2-RELEASE, so I am hesitant to do it :( And not being sure about
this, I am in the thinking process of what should I do.

>
>        Cheers,
>
>        Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
>

Thank you very much for your kind explanation and hopefully I am in
the (4) category. How does one know when a new 8.2-RELEASE-pX, has
been released? where X is a number >= 6?

Regards,

Antonio
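
The two checks discussed in this thread, as an added example that is not part of the original message: a more selective filter over the `strings` output, and the rule that an advisory affects the kernel only if it modifies files under sys other than src/sys/conf/newvers.sh. Function names, sample paths and the `<rev>` column are constructed, and "under sys" is assumed to mean paths beginning with `src/sys/`.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.

# Read `strings` output on stdin and print only the distinct release
# identifiers (e.g. 8.2-RELEASE-p3) instead of every line containing "8".
kernel_release() {
    grep -Eo '[0-9]+\.[0-9]+-RELEASE(-p[0-9]+)?' | sort -u
}

# Read an advisory's list of modified files on stdin (one path per line,
# optionally followed by a revision column). Print the paths that mean the
# kernel is affected: anything under src/sys/ except src/sys/conf/newvers.sh.
kernel_paths() {
    awk '{ p = $1 }
         p ~ /^src\/sys\// && p != "src/sys/conf/newvers.sh" { print p }'
}

# Exit status 0 if the advisory touches the kernel, 1 otherwise.
advisory_touches_kernel() {
    [ -n "$(kernel_paths)" ]
}

# Constructed sample inputs (paths and revision column are illustrative).
sample_userland_only() {
    cat <<'EOF'
src/UPDATING                     <rev>
src/sys/conf/newvers.sh          <rev>
src/lib/libexample/example.c     <rev>
EOF
}

sample_kernel() {
    cat <<'EOF'
src/UPDATING                     <rev>
src/sys/conf/newvers.sh          <rev>
src/sys/kern/example_subsys.c    <rev>
EOF
}

sample_strings() {
    printf '%s\n' 'some other 8 string' \
        '@(#)FreeBSD 8.2-RELEASE-p3 #0: <build date>' '8.2-RELEASE-p3'
}

# On a FreeBSD host: strings /boot/kernel/kernel | kernel_release
sample_strings | kernel_release
```

A newvers.sh-only change bumps the reported patch level without changing kernel code, which is why it is excluded from the check.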