On Wed, Jul 30, 2008 at 5:25 AM, Ingo Schwarze <[EMAIL PROTECTED]> wrote:
> Hi skogzort,
>
> Nick Guenther wrote on Tue, Jul 29, 2008 at 01:05:52PM -0400:
> > On Tue, Jul 29, 2008 at 11:41 AM, skogzort <[EMAIL PROTECTED]> wrote:
>
> >> I know nothing/very little about OpenBSD or UNIX. I have been tasked with
> >> updating our OpenBSD DNS server with a security fix (Vulnerability Note
> >> VU#800113 - Multiple DNS implementations vulnerable to cache poisoning).
>
> That doesn't sound all too well. You have an OpenBSD server,
> but you have nobody knowing more than very little about UNIX?
> UNIX is easier to administer than Windows, but some learning
> will be required...
>
> Quite probably, your server might be terribly out of date.
> OpenBSD servers ought to be updated at least once a year.
> Please look at the first line of the output of dmesg(8).
> If the version number is lower than "OpenBSD 4.2",
> you should upgrade the base system before applying patches.
> In any case, you should establish a process for regular
> updates of the server. The best times to update are
> in May and November, just after the -stable releases.
> In my experience, updating twice a year is easier and
> less risky than just once: you get used to it.
> Regularly ordering the CDs and just upgrading from CD
> is the most convenient way to go.
>
> If your task is to maintain that server, carefully read
> http://www.openbsd.org/cgi-bin/cvsweb/src/etc/root/root.mail?rev=HEAD
> Have a quick look at the resources referenced there,
> just to get an impression of what is available.
> The man pages, the FAQ and afterboot(8) are particularly useful.
>
> >> In order to do this it appears that I have to download the source code
> >> and re-compile the entire OS. Recompiling the OS seems to involve a lot of
> >> steps.
>
> Don't compile the whole system from source unless you are actively
> hacking on the base system (which clearly you aren't) or unless
> you want to track -current using a single build for multiple servers.
> As others told you, each errata patch contains instructions on what
> exactly must be rebuilt, and how.
>
> >> you don't even have to reboot the server,
>
> That's indeed true in the present case, yes.
> After patching named, you must restart named,
> but rebooting would be useless.
>
> Of course, kernel patches require rebooting -
> which applies to Windows machines as well, by the way. ;-)
>
> > Nick wrote:
> > OpenBSD is mostly designed as a monolithic kernel.
>
> Please stop spreading misleading advice.
> This has nothing to do with the kernel.
> (Hopefully, skogzort didn't start building kernels yet.)
>
> Yours,
> Ingo
>
> --
> Ingo Schwarze <[EMAIL PROTECTED]>
> usta.de / studis.de system operation
> *** Can we get a bind9 kernel module for OpenBSD any time soon? ***

And I just learned that ISC was releasing -p2 patches for BIND to address stability and performance issues: http://isc.sans.org/diary.html?storyid=4816

-zamri-
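Ingo's first check above, the dmesg(8) banner version against "OpenBSD 4.2", as a small script; this is an added example, not code from the thread or from the OpenBSD project. The banner lines used as input are constructed samples in the format dmesg prints; on a real server the live first line of dmesg is passed in instead.

```shell
# Added example (not from the thread): decide from the first line of dmesg(8)
# whether the base system is recent enough to apply errata patches to, or
# whether it should be upgraded first, using the "OpenBSD 4.2" threshold named
# in the thread.

# Extract "major.minor" from a banner line such as
# "OpenBSD 4.3 (GENERIC) #0: ..."; prints nothing for a non-matching line.
dmesg_release() {
    printf '%s\n' "$1" | sed -n 's/^OpenBSD \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 when release $1 is at least release $2, comparing major then minor
# numerically, so that 4.10 correctly ranks above 4.9 (a string compare would
# not). Returns 1 otherwise.
release_at_least() {
    maj1=${1%%.*}; min1=${1#*.}
    maj2=${2%%.*}; min2=${2#*.}
    [ "$maj1" -gt "$maj2" ] && return 0
    [ "$maj1" -eq "$maj2" ] && [ "$min1" -ge "$min2" ] && return 0
    return 1
}

# 0: base system is >= 4.2, go ahead with the errata patch.
# 1: base system is older, upgrade the base system first.
# 2: the line is not an OpenBSD dmesg banner at all (wrong host or wrong input).
base_ok_for_patching() {
    rel=$(dmesg_release "$1")
    [ -n "$rel" ] || return 2
    release_at_least "$rel" 4.2
}

# Constructed sample banner lines (dates and build numbers are placeholders).
SAMPLE_OLD='OpenBSD 4.1 (GENERIC) #0: Mon Jan  1 00:00:00 UTC 2007'
SAMPLE_NEW='OpenBSD 4.3 (GENERIC) #0: Mon Jan  1 00:00:00 UTC 2008'

for line in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    if base_ok_for_patching "$line"; then
        echo "$(dmesg_release "$line"): apply the errata patch"
    else
        echo "$(dmesg_release "$line"): upgrade the base system first"
    fi
done
# On the server itself: base_ok_for_patching "$(dmesg | head -n 1)"
```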