FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver

Brett Glass brett at lariat.org
Wed May 1 02:43:49 UTC 2013


At 08:22 PM 4/30/2013, Glen Barber wrote:
 
>Maybe I am missing the fundamental usage of freebsd-update(8).  How does
>using freebsd-update(8) to fetch src/ updates install a new kernel?

When you use freebsd-update(8) in the usual manner, it fetches all of the
source and binary updates necessary to bring the system up to the latest
security patch level. When a userland binary is updated, it overwrites the
source and binary. But when the kernel is updated, it moves /boot/kernel to
/boot/kernel.old and then drops a GENERIC kernel into /boot/kernel. If
there were no loadable modules in /boot/kernel at the start of the update, 
none are placed in /boot/kernel afterward. This is problematic, because
the custom kernel that previously resided in /boot/kernel might have had some 
necessary modules built in... and they will not be available, either as
compiled-in modules or as loadable modules, at the next reboot.

To leave the system in a precarious state, where a power glitch could
leave it unable to reboot, does not seem to me like a good idea. If
/boot/GENERIC exists (which means that the administrator has built a custom
kernel and saved the GENERIC kernel there), best to update /boot/GENERIC and 
leave the custom kernel in place, to be rebuilt if needed.

The administrator will probably want to rebuild his or her custom kernel
after the update... unless it didn't contain the code that was fixed by
the patch, in which case there's no need. (My kernel didn't contain NFS,
and I didn't build any loadable NFS modules, so I actually didn't need a
rebuild.)

--Brett Glass 
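
The situation described in the message above can be checked for before an update is applied. The following is an added example, not part of the original post and not code from freebsd-update. The function name, its arguments and the risk labels are assumptions of this example; on a FreeBSD host the ident argument would come from `uname -i`.

```shell
#!/bin/sh
# Pre-flight check (added example): would replacing /boot/kernel with GENERIC
# leave a custom-kernel system without the drivers it had compiled in?
# $1 = kernel ident (as printed by `uname -i`), $2 = root to inspect ("" = /).
kernel_update_risk() {
    ident=$1
    root=${2:-}

    # Count loadable modules currently installed beside the kernel.
    modules=0
    for f in "$root"/boot/kernel/*.ko; do
        if [ -e "$f" ]; then modules=$((modules + 1)); fi
    done

    # Has the administrator kept a GENERIC kernel in /boot/GENERIC?
    saved=no
    if [ -d "$root/boot/GENERIC" ]; then saved=yes; fi

    if [ "$ident" = GENERIC ]; then
        risk=low; rc=0        # stock kernel: a GENERIC replacement is like for like
    elif [ "$modules" -eq 0 ]; then
        risk=high; rc=2       # custom kernel, nothing loadable to fall back on
    else
        risk=medium; rc=1     # custom kernel, but loadable modules are present
    fi
    echo "risk=$risk ident=$ident modules=$modules generic_saved=$saved"
    return "$rc"
}

# Constructed sample tree (not a real system): custom kernel with everything
# compiled in, no .ko files, and GENERIC saved in /boot/GENERIC.
demo=$(mktemp -d)
mkdir -p "$demo/boot/kernel" "$demo/boot/GENERIC"
: > "$demo/boot/kernel/kernel"
kernel_update_risk MYKERNEL "$demo" || true
rm -rf "$demo"
```

The `Components` line in /etc/freebsd-update.conf (default `Components src world kernel`) controls whether freebsd-update handles the kernel at all.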


