FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver
Dag-Erling Smørgrav
des at des.no
Wed May 1 08:59:50 UTC 2013
Melanie Schulte <m-freebsd at fuglos.org> writes:
> Could you please elaborate on that? I have also built my own kernel on
> my servers and I must have missed the section in the handbook saying
> that running a custom kernel implies that freebsd-update should not be
> used.
>
> Given a security problem, I don't want to spend hours recompiling my
> base system whereas freebsd-update fixed the problem in seconds.
If you run a stock userland on a custom kernel, freebsd-update will
patch your userland but not your kernel.
If you must build your own kernel, my recommendation is to install it in
a different directory, e.g. /boot/MYKERNEL, instead of /boot/kernel.
That way, freebsd-update will keep the original GENERIC kernel (still in
/boot/kernel) up-to-date, and in a pinch, you can switch back.
The easiest way to do this is to append the following lines to
/etc/src.conf before building your kernel for the first time:
  KERNCONF=MYKERNEL
  KODIR=/boot/${KERNCONF}
You will also need to add this to /boot/loader.conf so the correct kernel
will be loaded at boot time:
  kernel="MYKERNEL"
If you built your kernel from the source tree that came with the
release, freebsd-update will have updated the source tree, and all you
need to do is rebuild and reinstall the kernel. In most cases, you can
get away with "make buildkernel -DKERNFAST", which should only take a
few seconds. KERNFAST is safe when you've only changed the contents of
a source file, but not your kernel configuration or anything that
affects the dependency graph (especially anything under sys/conf).
If you checked out your source tree from svn, however, you should tell
freebsd-update to leave it alone (remove "src" from the "Components"
line in /etc/freebsd-update.conf), and update it yourself with "svn up".
You should also remove "src" from the "Components" line if you do not
have a source tree at all. Otherwise, freebsd-update may become
confused by updates that add a source file, like the OpenSSL update did.
Updates that modify a file aren't an issue, because freebsd-update will
ignore missing files.
DES
--
Dag-Erling Smørgrav - des at des.no
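An added example, written for this archive page and not taken from the message above or from FreeBSD's own tooling: a few POSIX sh helpers that script the steps DES describes (set KERNCONF and KODIR in src.conf, set kernel= in loader.conf, drop "src" from the Components line of freebsd-update.conf, and decide whether -DKERNFAST is safe by checking whether the kernel config file or anything under sys/conf is newer than the last kernel you built). Every path is a parameter, which is an assumption made so the functions can be tried on copies of the real files before touching /etc or /boot; the sample config files used to exercise them are constructed.

```shell
#!/bin/sh
# Added example (not FreeBSD project code).  All paths are arguments so the
# helpers can be run against copies of the real files first.
set -eu

# Ensure a make(1)-style "KEY=VALUE" assignment is present in $file,
# replacing any existing assignment of KEY (including ?=, +=, :=) so the
# file never ends up with two competing definitions.
set_make_var() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    awk -v k="$key" '$0 !~ "^[ \t]*" k "[ \t]*[?+:]?="' "$file" > "$tmp"
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Point src.conf at a named config and an install directory under /boot,
# leaving /boot/kernel (GENERIC) to freebsd-update.
set_kernconf() {
    src_conf=$1 name=$2
    set_make_var "$src_conf" KERNCONF "$name"
    set_make_var "$src_conf" KODIR "/boot/\${KERNCONF}"
}

# loader.conf uses sh-style quoting: kernel="MYKERNEL".  Replace any
# existing kernel= line, keep everything else.
set_loader_kernel() {
    loader_conf=$1 name=$2
    [ -f "$loader_conf" ] || : > "$loader_conf"
    tmp=$(mktemp)
    grep -v '^[[:space:]]*kernel=' "$loader_conf" > "$tmp" || true
    printf 'kernel="%s"\n' "$name" >> "$tmp"
    mv "$tmp" "$loader_conf"
}

# Remove one word (e.g. "src") from the Components line of
# freebsd-update.conf; other lines pass through untouched.
drop_component() {
    conf=$1 comp=$2
    tmp=$(mktemp)
    awk -v c="$comp" '
        $1 == "Components" {
            out = $1
            for (i = 2; i <= NF; i++) if ($i != c) out = out " " $i
            print out; next
        }
        { print }' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Print the current Components list, one word per line.
components() {
    awk '$1 == "Components" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# KERNFAST skips the config/dependency stage, so it is only safe when
# nothing that feeds that stage changed.  Succeed when neither the kernel
# config file nor anything under sys/conf is newer than $stamp (for
# example the previously built kernel, /boot/MYKERNEL/kernel).
kernfast_ok() {
    srcdir=$1 kernconf_file=$2 stamp=$3
    changed=$(find "$kernconf_file" "$srcdir/sys/conf" -newer "$stamp" -print)
    [ -z "$changed" ]
}

# Print the rebuild command to run after freebsd-update has patched the
# source tree: fast path when safe, full buildkernel otherwise.
kernel_rebuild_cmd() {
    if kernfast_ok "$@"; then
        echo "make -C $1 buildkernel -DKERNFAST && make -C $1 installkernel"
    else
        echo "make -C $1 buildkernel && make -C $1 installkernel"
    fi
}
```

On a real system you would call `set_kernconf /etc/src.conf MYKERNEL`, `set_loader_kernel /boot/loader.conf MYKERNEL` and `drop_component /etc/freebsd-update.conf src` once as root, then after each `freebsd-update install` run `eval "$(kernel_rebuild_cmd /usr/src /usr/src/sys/amd64/conf/MYKERNEL /boot/MYKERNEL/kernel)"`; the machine directory (amd64 here) is an assumption to adjust for your architecture.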
More information about the freebsd-security mailing list