On Tue, Jul 29, 2008 at 11:41 PM, skogzort <[EMAIL PROTECTED]> wrote:

> Is it necessary to recompile just to apply a security patch?
>
> Hello,
> I know nothing/very little about OpenBSD or UNIX. I have been tasked with
> updating our OpenBSD DNS server with a security fix (Vulnerability Note
> VU#800113 - Multiple DNS implementations vulnerable to cache poisoning).
>
> In order to do this it appears that I have to download the source code and
> re-compile the entire OS. Recompiling the OS seems to involve a lot of
> steps.
> Before I continue to read through them all, I just want to confirm that it
> is actually necessary to do all of this, simply to apply a security patch:
>
> Download the tree..
> Preload the tree..
> Build the kernel..
> Build the userland..
> Etc.
>
> The only thing we use the server for is DNS. I don't know what flavor we
> are running; since it's on a production server I assume it will be
> -release or -stable. Either way, from what I've read so far it looks like
> in order to apply this security patch I will have to update it to -stable.
>
> Is it true that the only way to apply this patch is to recompile the entire
> OS, and go through all the steps above? I'm only familiar with Windows,
> where you just push a button to apply a security patch and you don't even
> have to reboot the server, so I was thinking that I may be misunderstanding
> what I'm reading.
>
> Thanks very much for your time and any info
>
> Kyle
>
>
>

The first step is to identify which version of OpenBSD you're running right
now, and apply the suitable patches to your system. For the latest DNS
patches, the OpenBSD developers released two versions of the security fix,
for 4.2 and 4.3. Just follow the instructions given at the top/head of each
patch.

http://www.openbsd.org/errata43.html
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/004_bind.patch

http://www.openbsd.org/errata42.html
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/013_bind.patch

And you may check the archive; a couple of days ago, iirc, someone reported
that they successfully updated their DNS in 4.1 by using the patch from 4.2.

And finally, you probably need to read about this too (not sure whether the
above patches will affect DNS performance in OpenBSD, but someone just
reported some issue with Ironport, check the archive):
http://marc.info/?l=bind-users&m=121726908015389&w=2

-- 
Thank you.

Zamri Besar
