About Patches
Jim Xochellis
dxoch at escape.gr
Mon Jun 23 03:24:22 PDT 2003
Many thanks Matthew, you have been very helpful.
Regards,
Jim Xochellis
On Monday, June 23, 2003, at 12:44 PM, Matthew Seaman wrote:
> On Mon, Jun 23, 2003 at 11:54:54AM +0300, Jim Xochellis wrote:
>> Hi List,
>>
>> I need to apply some security patches to my FreeBSD(i386) 4.7-RELEASE
>> box and I am concerned about the possibility that I could actually
>> harm my system while trying to apply these patches. (I am not a Unix
>> guru actually)
>
> Fear not: security patches are very well tested and should do what
> they claim without unpleasant side effects. Even if there were
> problems with a patch in the early stages, it would soon be detected
> and corrected -- as there hasn't been a security patch since
> FreeBSD-SA-03:07.sendmail at the end of March, I don't think you have
> to worry on that score.
>
>> 1) Do I have to apply the security patches in a specific order?
>
> Preferably in the order that they were issued, although you can
> probably get away with a different order for patches that apply to
> distinct parts of the sources.
>
>> 2) Is there a chance where a patch requires a previous one? (In my case
>> some patches are not applicable)
>
> Source patches will generally be made against the previous patch level
> of whichever release branch is involved. So, yes, you will have to
> apply pre-requisite patches in some circumstances. Any necessary
> prerequisites will be documented in the advisory: e.g. see
>
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03%3A06.openssl.asc
>
> which states:
>
>   2) To patch your present system:
>
>   The following patches have been verified to apply to FreeBSD 4.6, 4.7,
>   and 5.0 systems which have already been patched for the issues resolved
>   in FreeBSD-SA-03:02.openssl.
>
>> 3) What if the code is not in the state that the patch requires? (For
>> instance if I have updated that port)
>
> FreeBSD security advisories generally only apply to the base system,
> and patches will only be issued for the system sources. Security
> problems to do with ported software are usually announced via security
> notices. In general, you should use cvsup(1) to update your ports
> tree and a tool like portupgrade(1) to update any ports software.
>
> Note that ports don't follow the same -CURRENT, -STABLE, -RELEASE
> structure as the system sources. At most, all that happens is the
> ports tree will be tagged in CVS as a record of its state when a
> particular release was made. When updating, you should simply aim to
> install the latest available versions of ported software.
>
> In fact, as a general mechanism to keep your system sources up to
> date, I'd recommend that you use cvsup(1) to track the RELENG_4_7
> branch. This will effectively act as an automated mechanism to apply
> the same security patches as released separately, but with less chance
> of operator error. See
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
> for instructions -- you should base any supfile you use on
> /usr/share/examples/cvsup/standard-supfile, which apart from not
> specifying which cvsup server to use is pretty much all you need to
> keep your 4.7-RELEASE sources up to date. (The ports-supfile in the
> same directory will do the equivalent for the ports sources.)
>
>> 4) Are the patches clever enough to protect me from harming my system?
>
> No. You need to take care and think about what you're doing while
> updating the system. Having said that, the patches aren't unduly
> difficult to use, and if you follow the instructions you'll be just
> fine.
>
>> 5) Is there a safe way to undo a patch?
>
> Make sure you have good backups, which you have tested to ensure you
> can recover the system.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
>                                                       Savill Way
> PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
> Tel: +44 1628 476614                                  Bucks., SL7 1TH
>                                                       UK
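Matthew's answers to questions 1, 2, 4 and 5 (apply in the order issued, expect prerequisites, the patches won't protect you from yourself, and the only undo is a backup) fit in one small script. The following is an added example and is not from the original thread or from the FreeBSD project. Everything in it is constructed: the "source tree" is a single file, the two patches are stand-ins for the SA-03:02 and SA-03:06 OpenSSL patches (the second only applies to a tree that already carries the first, as the quoted advisory text says), and the dry-run flag assumes GNU patch (--dry-run); the patch(1) shipped with FreeBSD calls the same check mode -C.

```shell
#!/bin/sh
# Added example, not part of the original message or of FreeBSD.
# Apply security patches in the order the advisories were issued,
# checking each one in patch(1)'s dry-run mode before touching the
# real tree, and keep a copy of the tree so the change can be undone.
# Assumption: GNU patch, whose check mode is --dry-run. On FreeBSD's
# base patch(1) set PATCH_CHECK=-C for the same behaviour.

PATCH_CHECK="${PATCH_CHECK:---dry-run}"

# make_tree DIR: one-file stand-in for /usr/src (constructed sample).
make_tree() {
    mkdir -p "$1/crypto/openssl"
    printf 'version 0.9.6g\nstate: unpatched\n' > "$1/crypto/openssl/VERSION"
}

# write_patches DIR: two hand-written unified diffs, with paths relative
# to the tree root so they apply with -p0 from inside it, like the
# patches attached to FreeBSD advisories. The second one's "-" line is
# the result of the first, so it cannot apply to an unpatched tree.
write_patches() {
    cat > "$1/sa-03-02.patch" <<'EOF'
--- crypto/openssl/VERSION
+++ crypto/openssl/VERSION
@@ -1,2 +1,2 @@
 version 0.9.6g
-state: unpatched
+state: SA-03:02 applied
EOF
    cat > "$1/sa-03-06.patch" <<'EOF'
--- crypto/openssl/VERSION
+++ crypto/openssl/VERSION
@@ -1,2 +1,2 @@
 version 0.9.6g
-state: SA-03:02 applied
+state: SA-03:02 and SA-03:06 applied
EOF
}

# check_patch TREE PATCH: succeed only if PATCH applies cleanly to TREE.
# -f never asks questions (a reversed-looking hunk is a failure, not a
# prompt), -s keeps it quiet, the check flag changes nothing on disk.
check_patch() {
    patch -d "$1" -p0 -s -f $PATCH_CHECK -i "$2" >/dev/null 2>&1
}

# apply_in_order TREE PATCH...: dry-run the whole sequence against a
# scratch copy first. Checking every patch against the untouched tree
# would not catch a missing prerequisite, because the later patch has to
# be tried on the tree as it looks after the earlier ones are in. Only
# when the whole sequence fits is the real tree modified.
apply_in_order() {
    tree=$1; shift
    scratch=$(mktemp -d)
    cp -Rp "$tree/." "$scratch/"
    for p in "$@"; do
        if ! check_patch "$scratch" "$p"; then
            echo "refused: $p does not apply (prerequisite missing or already applied)"
            rm -rf "$scratch"
            return 1
        fi
        patch -d "$scratch" -p0 -s -f -i "$p" >/dev/null 2>&1
    done
    rm -rf "$scratch"
    for p in "$@"; do
        patch -d "$tree" -p0 -s -f -i "$p" >/dev/null 2>&1 || return 2
    done
    return 0
}

# demo: wrong order is refused, right order goes in, and "undo" is a
# restore from the copy taken beforehand. Prints one summary line.
demo() {
    box=$(mktemp -d)
    make_tree "$box/src"
    write_patches "$box"
    cp -Rp "$box/src" "$box/src.bak"     # the backup Matthew asks for

    wrong=refused
    apply_in_order "$box/src" "$box/sa-03-06.patch" "$box/sa-03-02.patch" >/dev/null && wrong=applied
    right=failed
    apply_in_order "$box/src" "$box/sa-03-02.patch" "$box/sa-03-06.patch" >/dev/null && right=ok
    state=$(sed -n 's/^state: //p' "$box/src/crypto/openssl/VERSION")

    # There is no "unpatch": put the saved tree back and verify it.
    rm -rf "$box/src" && cp -Rp "$box/src.bak" "$box/src"
    restored=$(sed -n 's/^state: //p' "$box/src/crypto/openssl/VERSION")
    rm -rf "$box"
    echo "wrong-order=$wrong right-order=$right state=$state restored=$restored"
}

demo
```

On a real system the tree is /usr/src, the patch files are the ones fetched from the advisory, and the backup is whatever you can actually restore from (a level-0 dump you have test-restored, not a cp into /tmp). The scratch-copy dry run is what turns "apply in the order issued" from advice into a check the script enforces.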