you could save some time and energy by using the 4.3-stable release from ftp://ftp.su.se/pub/mirrors/openbsd_stable/4.3-stable/ as this has the errata/patches applied...
2008/7/30, Nick Guenther <[EMAIL PROTECTED]>:
> On Wed, Jul 30, 2008 at 2:43 PM, skogzort <[EMAIL PROTECTED]> wrote:
>> Hello,
>> I'm trying to protect our DNS server from the vulnerability referred to in:
>> CVE-2008-1447 and US-CERT Vulnerability Note VU#800113. I see that there is a
>> patch for BIND in 4.2 and 4.3 that addresses this vulnerability, but not for
>> 3.8.
>> I have inherited an OpenBSD DNS server that provides external DNS for our web
>> server and serves NTP for our infrastructure. I don't know UNIX or OpenBSD.
>> I'm reading through the OpenBSD website and asking questions on the mailing
>> lists to try and get an overview of what I need to do to upgrade/update/patch
>> this server.
>> It was suggested to me that I may have to "manually merge the patch", but
>> I can't find any instructions for that. I know that if I could upgrade our
>> release to 4.2 or 4.3 then I could follow the instructions in the patch
>> itself, but I wonder if that would be more work and potential for mistakes
>> than necessary.
>
> No, do it that way. Upgrade your system cleanly. As a bonus, any other
> bugs/security holes that got fixed along the way will also be fixed
> for you.
> Since your system is so old, the best route for you is to just do a
> fresh install and then paste in the NTP and DNS config files (and turn
> named and ntpd back on in /etc/rc.conf).
>
>> I was also told to use "ports", but I read that using
>> ports was only for people who have experience with OpenBSD and beginners were
>> not allowed to ask questions in mailing lists about using ports.
>> What do you think: manually merge the patch, upgrade to 4.2 or 4.3 and apply,
>> or use "ports"?
>
> named is a part of the base system, so it is not in ports. ports are
> all the other programs you can install on the system.
>
>> My inexperience is a factor, I am looking for the shortest steps (so there
>> will be less chance for error) that will still allow for a quick revert,
>> should the "fix" fail.
>
> BACKUP, do you has it?
> Why don't you create the system in a virtual machine first and test it
> there? Once it's working copy it out to a fresh disk, replace the disk
> in the box with that disk, make it work there, and -only then- do you
> wipe the old server disk and put it back on your extras rack. That's
> way safer than trying to do this to your live system.
>
> Good luck, I know that the initial learning curve is very steep, and
> doing this on a deadline must be a lot of stress.
> -Nick
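Nick's step of turning named and ntpd back on in /etc/rc.conf after the fresh install is easy to get wrong for someone new to OpenBSD, because rc.conf.local overrides rc.conf and a daemon is enabled by any value of its `*_flags` other than NO. The script below is an added example, not code from the thread; it parses constructed copies of those two files (the `_flags` variable convention and the rc.conf.local override are assumed from OpenBSD 4.x) and reports which daemons will actually start, so the result can be verified before the old disk is wiped.

```shell
#!/bin/sh
# Added example (not from the thread). Reports which daemons an OpenBSD 4.x
# style rc.conf (plus rc.conf.local override) will start at boot.

# rc_flags DAEMON FILE...  -> prints the effective DAEMON_flags value.
# Later files win over earlier ones, mirroring rc.conf.local over rc.conf.
rc_flags() {
    daemon=$1; shift
    val=NO
    for f in "$@"; do
        [ -r "$f" ] || continue
        line=$(grep "^${daemon}_flags=" "$f" | tail -n 1)
        [ -n "$line" ] && val=${line#*=}
    done
    val=${val%%#*}                       # drop trailing "# comment"
    val=$(printf '%s' "$val" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/^"\(.*\)"$/\1/')
    printf '%s\n' "$val"
}

# service_enabled DAEMON FILE...  -> exit 0 when the daemon will be started.
# OpenBSD treats any value except the literal NO (including "") as enabled.
service_enabled() {
    [ "$(rc_flags "$@")" != "NO" ]
}

# Constructed sample files standing in for /etc/rc.conf and /etc/rc.conf.local.
tmp=$(mktemp -d)
cat > "$tmp/rc.conf" <<'EOF'
ntpd_flags=NO          # NTP server
named_flags=NO         # for normal use: ""
sshd_flags=""
EOF
cat > "$tmp/rc.conf.local" <<'EOF'
ntpd_flags="-s"
named_flags=""
EOF

for d in named ntpd sshd; do
    if service_enabled "$d" "$tmp/rc.conf" "$tmp/rc.conf.local"; then
        echo "$d: enabled (flags: '$(rc_flags "$d" "$tmp/rc.conf" "$tmp/rc.conf.local")')"
    else
        echo "$d: disabled"
    fi
done
```

Run it against the real /etc/rc.conf and /etc/rc.conf.local on the rebuilt machine (and on the VM copy) to confirm named and ntpd both report "enabled" before swapping disks.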

