Date: Sat, 02 Oct 2010 09:09:02 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: Updating bzip2 to remove potential security vulnerability
Message-ID: <4CA6E89E.5040008@infracaninophile.co.uk>
In-Reply-To: <20101001165940.5d0e73f5@scorpio>
References: <20101001121332.5b04fa61@scorpio> <20101001171420.GE40148@dan.emsphone.com> <20101001165940.5d0e73f5@scorpio>
On 01/10/2010 21:59:40, Jerry wrote:
> On Fri, 1 Oct 2010 12:14:20 -0500
> Dan Nelson <dnelson@allantgroup.com> articulated:
>
>> You must have missed
>> http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
>> patches for 6, 7, and 8 are available there, and freebsd-update has
>> fixed binaries if you use that.
>
> Never saw it. So I am assuming that simply using something like:
>
> csup -L2 -h cvsup.FreeBSD.org "/usr/src/share/examples/cvsup/standard-supfile"
>
> Then rebuild Kernel & World is not going to work. Is that correct?

Not correct. csup(1) /after/ the date that fixes are published will obtain sources that contain the fixes on all affected and supported branches, including 8-STABLE and 9-CURRENT which aren't covered by freebsd-update(8). This will be documented in the security advisory, where they list the revision numbers (both SVN and CVS) at which the fixes were applied.

You don't need to /both/ apply patches and use csup -- csup already contains the result of applying the patches. Patches are an alternative to csup, but the intended audience there is typically people running either heavily customized variants of the OS or installations with severely limited bandwidth or restricted internet connectivity. The majority of users should be using the standard update mechanisms -- csup or freebsd-update.

Obviously, you will have to compile[*] and install the fixed software. Going through a full buildworld cycle will certainly do that, but in most cases you can achieve the required result by rebuilding and reinstalling significantly smaller chunks of the system. Again, procedures to do this should be described in the security advisory, together with any other requirements (e.g. that you would have to reboot your system where there are significant changes to the kernel, or even to ubiquitous bits like libc.so.)

Cheers,

Matthew

[*] Unless you're using freebsd-update, of course.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
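The reply above says the advisory lists the CVS revision at which each fix was committed, which is the natural thing to check after a csup run before rebuilding. The following is an added example, not code from the thread or from FreeBSD: it reads the `$FreeBSD: path,v REV ... $` keyword tag that CVS expands near the top of each checked-out file and compares that revision against the one the advisory names. The tag layout assumed here is the standard CVS keyword format; the file names and revision numbers used in the demo are constructed sample data, not values from SA-10:08.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a checked-out source
# file is at or past the CVS revision an advisory names as the fix.
# Assumes the standard CVS keyword layout:
#   $FreeBSD: src/lib/libbz2/Makefile,v 1.6 2010/09/20 10:00:00 user Exp $

# cvs_revision FILE: print the revision from the first $FreeBSD$ tag, or nothing.
cvs_revision() {
    sed -n 's/.*\$FreeBSD: [^ ]*,v \([0-9.][0-9.]*\) .*\$.*/\1/p' "$1" | head -n 1
}

# rev_ge A B: exit 0 if dotted revision A >= B, else 1 (1.10 > 1.9, unlike a string compare).
rev_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# tree_has_fix FILE FIXREV: 0 if FILE is at or past FIXREV, 1 if older,
# 2 if the file carries no $FreeBSD$ tag (cannot tell; do not assume fixed).
tree_has_fix() {
    rev=$(cvs_revision "$1") || return 2
    [ -n "$rev" ] || return 2
    rev_ge "$rev" "$2"
}

# demo: constructed sample files standing in for a fresh and a stale checkout.
demo() {
    d=$(mktemp -d) || return 1
    printf '# $FreeBSD: src/lib/libbz2/Makefile,v 1.10 2010/09/20 10:00:00 user Exp $\n' > "$d/fresh"
    printf '# $FreeBSD: src/lib/libbz2/Makefile,v 1.9 2009/01/01 10:00:00 user Exp $\n' > "$d/stale"
    for f in fresh stale; do
        if tree_has_fix "$d/$f" 1.10; then echo "$f: at or past fix (1.10)"
        else echo "$f: OLDER than fix revision 1.10, rebuild will not contain the fix"; fi
    done
    rm -rf "$d"
}
demo
```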