Re: Is it necessary to recompile OS to apply security patch?
Hi,

Assuming the box is only a DNS server, then the simplest & easiest (in my opinion) is to take a copy of the DNS related files:

- /etc/rc.conf.local
- /var/named/*
- noting also IP address, hostname etc etc

and then reinstall the o/s from a recent snapshot (downloaded here ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/ or mirror), which has all the patches pre-applied. Then restore the above files. Job done.

If you're paranoid and inexperienced in unix, then grab a spare machine to do a dry run on that.

/Pete

On 29 Jul 2008, at 18:16, skogzort wrote:

> Hello,
>
> I know nothing/very little about OpenBSD or UNIX. I have been tasked with updating our OpenBSD DNS server with a security fix (Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning).
>
> In order to do this it appears that I have to download the source code and re-compile the entire OS. Recompiling the OS seems to involve a lot of steps. Before I continue to read through them all, I just want to confirm that it is actually necessary to do all of this, simply to apply a security patch:
>
> Download the tree..
> Pre load the tree..
> Build the Kernel..
> Build the userland..
> Etc.
>
> The only thing we use the server for is DNS. I don't know what flavor we are running; since it's on a production server I assume it will be * release or * stable. Either way, from what I've read so far it looks like in order to apply this security patch I will have to update it to * stable, which seems to require that the entire OS be recompiled.
>
> Is this correct? Is it true that the only way to apply this patch is to recompile the entire OS, and go through all the steps above? I don't mind doing all this since it will give me a chance to learn, it's just that the more steps I have to take, the more chances there are for mistakes. I want to be sure that the way I plan to do the update is the simplest.
>
> I'm only familiar with Windows, where you just push a button to apply a security patch and you don't even have to reboot the server, so I was thinking that I may be misunderstanding what I'm reading.
>
> Thanks very much for your time and any info
>
> Kyle
Re: Is it necessary to recompile OS to apply security patch?
Assuming this production server is running one of the supported releases, 4.2 or 4.3, you can obtain the latest patch via the errata page.

http://openbsd.org/errata43.html

For 4.2 it's errata #013, for 4.3 it's #004... if you run an earlier version, manually merging the patch may be required.

From the top of the 4.3 patch file:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/004_bind.patch

Apply by doing:

        cd /usr/src
        patch -p0 < 004_bind.patch

Then rebuild and install bind:

        cd usr.sbin/bind
        make -f Makefile.bsd-wrapper obj
        make -f Makefile.bsd-wrapper
        make -f Makefile.bsd-wrapper install

You'll only need to recompile then restart BIND; updating to -STABLE and compiling the kernel isn't required.

Now, your server may not have the source in /usr/src; you can either obtain it from the release CD-ROM or a local HTTP/FTP mirror.

src.tar.gz is the userland.
sys.tar.gz is the kernel.

Locate a mirror here: http://www.openbsd.org/ftp.html

Take care, feel free to reply to the list for further assistance...
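
A post-patch check, added here as an example and not part of the original thread: the vendor fixes for VU#800113 work by randomizing the UDP source port of the resolver's outgoing queries, so after rebuilding and restarting BIND you can capture those queries and confirm the ports vary. The function names, the address 192.0.2.53, the threshold and the tcpdump-style sample lines are constructed for illustration.

```sh
#!/bin/sh
# Usage on the DNS server (generate some lookups while it captures):
#   tcpdump -n -c 50 udp dst port 53 | check_query_ports 192.0.2.53
# Exit status: 0 = source ports vary, 1 = ports fixed or nearly fixed,
#              2 = too few outgoing queries seen to judge.
check_query_ports() {
    awk -v ip="$1" -v min=5 '
        # Lines of interest: "<time> IP <src>.<sport> > <dst>.53: ..."
        $2 == "IP" && $4 == ">" && $5 ~ /\.53:$/ {
            n = split($3, a, ".")
            port = a[n]
            src = substr($3, 1, length($3) - length(port) - 1)
            if (src != ip) next          # ignore client queries sent to us
            total++
            if (!(port in seen)) { seen[port] = 1; distinct++ }
        }
        END {
            if (total < min) { print "too few queries: " (total + 0); exit 2 }
            printf "%d queries, %d distinct source ports\n", total, distinct
            # In a small sample a randomizing resolver rarely repeats a port.
            exit ((distinct * 2 > total) ? 0 : 1)
        }'
}

# Constructed sample: resolver 192.0.2.53 sending every query from one port.
sample_fixed_port() {
    for id in 101 102 103 104 105 106; do
        echo "18:16:0$((id - 100)).000000 IP 192.0.2.53.32768 > 198.51.100.1.53: $id A? example.com. (29)"
    done
}

# Constructed sample: same resolver with a different source port per query.
sample_random_port() {
    id=200
    for port in 49152 3391 61877 20480 8123 55012; do
        id=$((id + 1))
        echo "18:20:00.000000 IP 192.0.2.53.$port > 198.51.100.1.53: $id A? example.com. (29)"
    done
}

sample_fixed_port  | check_query_ports 192.0.2.53 || echo "-> ports NOT randomized"
sample_random_port | check_query_ports 192.0.2.53 && echo "-> ports look randomized"
```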
Is it necessary to recompile OS to apply security patch?
Hello,

I know nothing/very little about OpenBSD or UNIX. I have been tasked with updating our OpenBSD DNS server with a security fix (Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning).

In order to do this it appears that I have to download the source code and re-compile the entire OS. Recompiling the OS seems to involve a lot of steps. Before I continue to read through them all, I just want to confirm that it is actually necessary to do all of this, simply to apply a security patch:

Download the tree..
Pre load the tree..
Build the Kernel..
Build the userland..
Etc.

The only thing we use the server for is DNS. I don't know what flavor we are running; since it's on a production server I assume it will be * release or * stable. Either way, from what I've read so far it looks like in order to apply this security patch I will have to update it to * stable, which seems to require that the entire OS be recompiled.

Is this correct? Is it true that the only way to apply this patch is to recompile the entire OS, and go through all the steps above? I don't mind doing all this since it will give me a chance to learn, it's just that the more steps I have to take, the more chances there are for mistakes. I want to be sure that the way I plan to do the update is the simplest.

I'm only familiar with Windows, where you just push a button to apply a security patch and you don't even have to reboot the server, so I was thinking that I may be misunderstanding what I'm reading.

Thanks very much for your time and any info

Kyle