FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver
Colin Percival
cperciva at freebsd.org
Wed May 1 03:14:08 UTC 2013

On 04/30/13 19:43, Brett Glass wrote:
> When you use freebsd-update(8) in the usual manner, it fetches all of the
> source and binary updates necessary to bring the system up to the latest
> security patch level. When a userland binary is updated, it overwrites the
> source and binary. But when the kernel is updated, it moves /boot/kernel to
> /boot/kernel.old and then drops a GENERIC kernel into /boot/kernel. If
> there were no loadable modules in /boot/kernel at the start of the update,
> none are placed in /boot/kernel afterward. This is problematic, because
> the custom kernel that previously resided in /boot/kernel might have had some
> necessary modules built in... and they will not be available, either as
> compiled-in modules or as loadable modules, at the next reboot.
>
> To leave the system in a precarious state, where a power glitch could
> leave it unable to reboot, does not seem to me like a good idea. If
> /boot/GENERIC exists (which means that the administrator has built a custom
> kernel and saved the GENERIC kernel there), best to update /boot/GENERIC and
> leave the custom kernel in place, to be rebuilt if needed.

If you don't want freebsd-update to update your kernel, remove 'kernel' from
the 'Components' line in /etc/freebsd-update.conf.
--
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
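
The configuration change described in the reply above, as an added example that is not part of the original message or of freebsd-update itself. The function names and the sample config are constructed for illustration; the edit is shown on a temporary copy rather than on /etc/freebsd-update.conf.

```shell
#!/bin/sh
# Added example: inspect and edit the Components line of a freebsd-update.conf.
# Function names and the sample file are constructed for illustration.

# Constructed sample config, not taken from a real host.
sample_conf() {
    cat <<'EOF'
# Components of the base system which should be kept updated.
Components src world kernel
# Components kernel
ServerName update.FreeBSD.org
EOF
}

# Print one component per line from every uncommented Components line.
list_components() {
    awk '$1 == "Components" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Succeed (exit 0) only if freebsd-update would manage the kernel.
updates_kernel() {
    list_components "$1" | grep -qx 'kernel'
}

# Print the config with the "kernel" token dropped from Components lines.
# Comments and all other settings pass through unchanged.
drop_kernel_component() {
    awk '
        $1 == "Components" {
            out = "Components"
            for (i = 2; i <= NF; i++)
                if ($i != "kernel") out = out " " $i
            print out
            next
        }
        { print }
    ' "$1"
}

# Demo on a temporary copy; a real edit would target /etc/freebsd-update.conf.
conf=$(mktemp)
sample_conf > "$conf"
updates_kernel "$conf" && echo "before: kernel is updated by freebsd-update"
drop_kernel_component "$conf" | grep '^Components'
rm -f "$conf"
```

With 'kernel' removed, freebsd-update no longer installs kernel fixes, so a custom kernel has to be rebuilt from the updated source whenever an advisory touches the kernel.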