Many thanks Matthew, you have been very helpful.

Regards,
Jim Xochellis

On Monday, June 23, 2003, at 12:44 PM, Matthew Seaman wrote:

On Mon, Jun 23, 2003 at 11:54:54AM +0300, Jim Xochellis wrote:
Hi List,

I need to apply some security patches to my FreeBSD(i386) 4.7-RELEASE
box and I am concerned about the possibility that I could actually harm
my system while trying to apply these patches. (I am not a Unix guru
actually)

Fear not: security patches are very well tested and should do what they claim without unpleasant side effects. Even if there were problems with a patch in the early stages, it would soon be detected and corrected -- as there hasn't been a security patch since FreeBSD-SA-03:07.sendmail at the end of March, I don't think you have to worry on that score.

1) Do I have to apply the security patches in a specific order?

Preferably in the order that they were issued, although you can probably get away with a different order for patches that apply to distinct parts of the sources.

2) Is there a chance where a patch requires a previous one? (In my case
some patches are not applicable)

Source patches will generally be made against the previous patch level of whichever release branch is involved. So, yes, you will have to apply pre-requisite patches in some circumstances. Any necessary prerequisites will be documented in the advisory: e.g. see

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03%3A06.openssl.asc

which states:

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.6, 4.7,
and 5.0 systems which have already been patched for the issues resolved
in FreeBSD-SA-03:02.openssl.
3) What if the code is not in the state that the patch requires? (For
instance if I have updated that port)

FreeBSD security advisories generally only apply to the base system, and patches will only be issued for the system sources. Security problems to do with ported software are usually announced via security notices. In general, you should use cvsup(1) to update your ports tree and a tool like portupgrade(1) to update any ports software.

Note that ports don't follow the same -CURRENT, -STABLE, -RELEASE
structure as the system sources.  At most, all that happens is the
ports tree will be tagged in CVS as a record of its state when a
particular release was made.  When updating, you should simply aim to
install the latest available versions of ported software.

In fact, as a general mechanism to keep your system sources up to
date, I'd recommend that you use cvsup(1) to track the RELENG_4_7
branch.  This will effectively act as an automated mechanism to apply
the same security patches as released separately, but with less chance
of operator error.  See
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
for instructions -- you should base any supfile you use on
/usr/share/examples/cvsup/standard-supfile, which apart from not
specifying which cvsup server to use is pretty much all you need to
keep your 4.7-RELEASE sources up to date.  (The ports-supfile in the
same directory will do the equivalent for the ports sources.)

4) Are the patches clever enough to protect me from harming my system?

No. You need to take care and think about what you're doing while updating the system. Having said that, the patches aren't unduly difficult to use, and if you follow the instructions you'll be just fine.

5) Is there a safe way to undo a patch?

Make sure you have good backups, which you have tested to ensure you can recover the system.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
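As an added illustration of the cvsup advice above (this is not code from the thread or from the FreeBSD project), the following shell snippet writes a supfile modelled on /usr/share/examples/cvsup/standard-supfile with the tag set to the RELENG_4_7 security branch, and includes a small check that reads the tag back before the file is used. The mirror name cvsup.FreeBSD.org and the output path /etc/standard-supfile are assumed placeholders; pick a mirror near you.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Builds a supfile for tracking the RELENG_4_7 security branch, following the
# layout of /usr/share/examples/cvsup/standard-supfile. The host and path given
# in the usage comments below are assumptions, not values from the thread.

write_supfile() {
    # $1 = path of the supfile to write, $2 = cvsup mirror host
    cat > "$1" <<EOF
*default host=$2
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_4_7
*default delete use-rel-suffix
*default compress
src-all
EOF
}

# Print the CVS tag a supfile tracks, so it can be verified before updating.
# Tracking the wrong branch (e.g. RELENG_4 instead of RELENG_4_7) would pull
# in more than just the security fixes.
supfile_tag() {
    sed -n 's/.*tag=\([^ ]*\).*/\1/p' "$1"
}

# Typical use, as root and with network access (not executed here):
#   write_supfile /etc/standard-supfile cvsup.FreeBSD.org
#   supfile_tag /etc/standard-supfile        # should print RELENG_4_7
#   cvsup -g -L 2 /etc/standard-supfile
```

After the sources are updated, the usual rebuild steps from the handbook chapter linked above still apply; the supfile only governs which branch cvsup fetches.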
