From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Sat, 02 Oct 2010 09:09:02 +0100
To: freebsd-questions@freebsd.org
Subject: Re: Updating bzip2 to remove potential security vulnerability
Message-ID: <4CA6E89E.5040008@infracaninophile.co.uk>
In-Reply-To: <20101001165940.5d0e73f5@scorpio>
References: <20101001121332.5b04fa61@scorpio> <20101001171420.GE40148@dan.emsphone.com> <20101001165940.5d0e73f5@scorpio>

On 01/10/2010 21:59:40, Jerry wrote:
> On Fri, 1 Oct 2010 12:14:20 -0500
> Dan Nelson articulated:
>
>> You must have missed
>> http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
>> patches for 6, 7, and 8 are available there, and freebsd-update has
>> fixed binaries if you use that.
>
> Never saw it. So I am assuming that simply using something like:
>
> csup -L2 -h cvsup.FreeBSD.org "/usr/src/share/examples/cvsup/standard-supfile"
>
> Then rebuild Kernel & World is not going to work. Is that correct?

Not correct. csup(1) /after/ the date that fixes are published will
obtain sources that contain the fixes on all affected and supported
branches, including 8-STABLE and 9-CURRENT which aren't covered by
freebsd-update(8). This will be documented in the security advisory,
where they list the revision numbers (both SVN and CVS) at which the
fixes were applied.

You don't need to /both/ apply patches and use csup -- csup already
contains the result of applying the patches. Patches are an alternative
to csup, but the intended audience there is typically people running
either heavily customized variants of the OS or installations with
severely limited bandwidth or restricted internet connectivity. The
majority of users should be using the standard update mechanisms --
csup or freebsd-update.

Obviously, you will have to compile[*] and install the fixed software.
Going through a full buildworld cycle will certainly do that, but in
most cases you can achieve the required result by rebuilding and
reinstalling significantly smaller chunks of the system. Again,
procedures to do this should be described in the security advisory,
together with any other requirements (eg. that you would have to reboot
your system where there are significant changes to the kernel, or even
to ubiquitous bits like libc.so.)

Cheers,

Matthew

[*] Unless you're using freebsd-update, of course.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
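As an added illustration, not code from the thread or from the FreeBSD project: Matthew's point is that the advisory names the CVS/SVN revisions at which the fix landed, so before rebuilding you can confirm that csup actually pulled sources at or after that revision. The POSIX sh below reads the expanded `$FreeBSD$` keyword from a source file and compares its CVS revision with a minimum revision; every revision number, path and file content here is a constructed placeholder, not a value from FreeBSD-SA-10:08.bzip2.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a csup'd source file is
# at or after the CVS revision an advisory names as containing the fix.
# All revisions, dates and file contents here are constructed placeholders.

# Print the CVS revision from the expanded $FreeBSD$ keyword in FILE, e.g.
#   $FreeBSD: src/contrib/bzip2/bzlib.c,v 1.5 2010/09/20 ... Exp $  -> 1.5
# Prints nothing when the file carries no expanded keyword.
freebsd_revision() {
    sed -n 's/.*\$FreeBSD: [^ ]*,v \([0-9][0-9.]*\) .*\$.*/\1/p' "$1" | head -n 1
}

# Compare dotted revisions component by component; succeed when $1 >= $2.
# A plain string comparison would rank 1.12 below 1.9, so compare numerically.
rev_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# FILE passes when its revision is at or after MINREV (taken from the advisory).
# Returns 2 when FILE has no keyword, so "unknown" is never reported as "fixed".
source_is_fixed() {
    rev=$(freebsd_revision "$1")
    [ -n "$rev" ] || return 2
    rev_ge "$rev" "$2"
}

# Demo on two constructed files: one predating the fix, one at the fix revision.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '/* $FreeBSD: src/contrib/bzip2/bzlib.c,v 1.4 2009/01/10 00:00:00 nobody Exp $ */' > "$dir/old.c"
    printf '%s\n' '/* $FreeBSD: src/contrib/bzip2/bzlib.c,v 1.5 2010/09/20 00:00:00 nobody Exp $ */' > "$dir/new.c"
    for f in old.c new.c; do
        if source_is_fixed "$dir/$f" 1.5; then
            echo "$f: revision $(freebsd_revision "$dir/$f") is at or after fix revision 1.5"
        else
            echo "$f: predates fix revision 1.5; csup again and rebuild"
        fi
    done
    rm -rf "$dir"
}
demo
```

Run it against the real files and revisions named in the advisory you are applying; a file with no expanded keyword (exit status 2) should be treated as unverified, not as patched.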