Date: Fri, 1 Oct 2010 17:26:27 -0400
From: Jerry <freebsd.user@seibercom.net>
To: FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: Updating bzip2 to remove potential security vulnerability
Message-ID: <20101001172627.395ce647@scorpio>
In-Reply-To: <20101001210014.GD86640@eggman.experts-exchange.com>
References: <20101001121332.5b04fa61@scorpio> <20101001171420.GE40148@dan.emsphone.com> <20101001165940.5d0e73f5@scorpio> <20101001210014.GD86640@eggman.experts-exchange.com>
On Fri, 1 Oct 2010 14:00:16 -0700
Jason <jhelfman@e-e.com> articulated:

> On Fri, Oct 01, 2010 at 04:59:40PM -0400, Jerry thus spake:
> >On Fri, 1 Oct 2010 12:14:20 -0500
> >Dan Nelson <dnelson@allantgroup.com> articulated:
> >
> >> You must have missed
> >> http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
> >> patches for 6, 7, and 8 are available there, and freebsd-update has
> >> fixed binaries if you use that.
> >
> >Never saw it. So I am assuming that simply using something like:
> >
> >csup -L2 -h cvsup.FreeBSD.org
> >"/usr/src/share/examples/cvsup/standard-supfile"
> >
> >Then rebuild Kernel & World is not going to work. Is that correct?
>
> The update instructions are in the announcement. Here is a snippet
> from it:
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-10:08/bzip2.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:08/bzip2.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/libbz2
> # make obj && make depend && make && make install
>
> NOTE: On the amd64 platform, the above procedure will not update the
> lib32 (i386 compatibility) libraries. On amd64 systems where the i386
> compatibility libraries are used, the operating system should instead
> be recompiled as described in
> <URL:http://www.FreeBSD.org/handbook/makeworld.html>
>
> 3) To update your vulnerable system via a binary patch:
>
> Systems running 6.4-RELEASE, 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or
> 8.1-RELEASE on the i386 or amd64 platforms can be updated via the
> freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install

I already read that. If you reread my post, I was inquiring about
simply downloading the source tree and then rebuilding world. The
portion regarding amd64 systems pertains to me.

Notice:

<quote>
On the amd64 platform, the above procedure will not update the
> lib32 (i386 compatibility) libraries. On amd64 systems where the i386
> compatibility libraries are used, the operating system should instead
> be recompiled as described in
> <URL:http://www.FreeBSD.org/handbook/makeworld.html>
</quote>

Am I to infer that I could simply download the sources and rebuild
world, or do I have to download the patches first? It would appear that
I can simply update the sources and rebuild my kernel & world. Your
post failed to address the question I posed.

-- 
Jerry ✌
FreeBSD.user@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
