Re: Way to be announced about security updates and new releases
On Wed, Aug 21, 2013, at 1:54, Antonio Kless wrote:
> Is there any way to be noticed, when security updates or new releases are available?
>
> https://twitter.com/freebsd nearly would be a solution, if it did not repost questions from its subscribers and other information that is not related to updates.

http://twitter.com/freebsdsecurity is probably what you're looking for. There are several twitter accounts run by FreeBSD members
Re: Way to be announced about security updates and new releases
http://www.freebsd.org/security/rss.xml ?

Peter

On 21/08/2013 09:54, Antonio Kless wrote:
> Is there any way to be noticed, when security updates or new releases are available?
>
> https://twitter.com/freebsd nearly would be a solution, if it did not repost questions from its subscribers and other information that is not related to updates.
Re: Way to be announced about security updates and new releases
FreeBSD announce mailing list...

Security announcements (at least) are also cross-posted on FreeBSD questions.

Olivier

On Tue, Aug 27, 2013 at 9:34 PM, Zyumbilev, Peter pe...@aboutsupport.com wrote:
> http://www.freebsd.org/security/rss.xml ?
>
> Peter
>
> On 21/08/2013 09:54, Antonio Kless wrote:
>> Is there any way to be noticed, when security updates or new releases are available?
>>
>> https://twitter.com/freebsd nearly would be a solution, if it did not repost questions from its subscribers and other information that is not related to updates.
Way to be announced about security updates and new releases
Is there any way to be noticed, when security updates or new releases are available?

https://twitter.com/freebsd nearly would be a solution, if it did not repost questions from its subscribers and other information that is not related to updates.

--
Best regards,
Antonio
Re: Way to be announced about security updates and new releases
On Wednesday 21 August 2013 07:54:06 Antonio Kless wrote:
> Is there any way to be noticed, when security updates or new releases are available?
>
> https://twitter.com/freebsd nearly would be a solution, if it did not repost questions from its subscribers and other information that is not related to updates.

Mailing list freebsd-annou...@freebsd.org
Re: Way to be announced about security updates and new releases
On 21/08/2013 08:10, dgmm wrote:
> On Wednesday 21 August 2013 07:54:06 Antonio Kless wrote:
>> Is there any way to be noticed, when security updates or new releases are available?
>>
>> https://twitter.com/freebsd nearly would be a solution, if it did not repost questions from its subscribers and other information that is not related to updates.
>
> Mailing list freebsd-annou...@freebsd.org

Don't forget about securing your ports too. There's several available mechanisms:

  RSS feed from vuxml.freebsd.org
  portaudit(1) -- for old style packages
  pkg audit -- for pkgng-ized systems

Cheers,

Matthew
Again: Security updates of individual ports
Oops, the security update issue isn't solved.

http://lists.freebsd.org/pipermail/freebsd-questions/2013-January/248511.html

    # /usr/local/sbin/portaudit -Fda
    Database created: Thu Jan 24 15:50:04 CET 2013
    Affected package: chromium-24.0.1312.52
    Type of problem: chromium -- multiple vulnerabilities.
    Reference: http://portaudit.FreeBSD.org/8d03202c-6559-11e2-a389-00262d5ed8ee.html

    # portmaster /usr/ports/www/chromium/
    === chromium-24.0.1312.52 has known vulnerabilities:
    Affected package: chromium-24.0.1312.52
    Type of problem: chromium -- multiple vulnerabilities.
    Reference: http://portaudit.FreeBSD.org/8d03202c-6559-11e2-a389-00262d5ed8ee.html
    = Please update your ports tree and try again.
    *** [check-vulnerable] Error code 1
    Stop in /usr/ports/www/chromium.
    *** [build] Error code 1
    Stop in /usr/ports/www/chromium.
    === make failed for www/chromium
    === Aborting update
    Terminated
    === You can restart from the point of failure with this command line:
    portmaster flags www/chromium

So I have to # portsnap fetch update?

If so, wouldn't it cause dependency issues, if I wouldn't update all ports?

Regards,
Ralf
Re: Again: Security updates of individual ports
On Thu, 24 Jan 2013 16:17:34 +0100, Ralf Mardorf wrote:
> So I have to # portsnap fetch update?

Yes.

> If so, wouldn't it cause dependency issues, if I wouldn't update all ports?

If you use portmaster to deal with updating your installation, it will take care of the dependencies. However, it might lead to unrelated ports being updated, too.

Example: foo-1.0 has vulnerabilities. Updating ports tree. foo-1.1 is the safe version. You're running portmaster foo. foo is going to be upgraded. foo-1.1 relies on bar-2.5, whereas foo-1.0 relied on bar-2.2. The portmaster run will also upgrade bar.

Possible problem: baz-5.0 is installed and has been linked against bar-2.2. baz itself doesn't need updating (not vulnerable). Depending on how baz implements library calling (dependency), it might have stopped working.

Solution: Use portmaster -a to check all ports if they need updating.

Possible follow-up problem: Ports you don't want to be updated (because you're totally happy with the version you're running) will also be updated by this command.

Solution: Be selective in using portmaster and specify exactly the ports you want to upgrade.

You can also use SVN to checkout only specific ports, but that leads to an inconsistent ports tree which is not supported to work (even though it _mostly_ will).

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
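The foo/bar/baz scenario from the message above, as an added Python example that is not part of the thread and does not call portmaster: it models a selective upgrade as a walk over the dependency graph and reports which installed packages were built against a dependency that changes underneath them. The data layout, the function names and the extra port qux are assumptions made for this example.

```python
# Constructed sample data modelled on the foo/bar/baz scenario in the
# message above; qux is an extra, unrelated port added for this example.
INSTALLED = {
    "foo": {"version": "1.0", "built_against": {"bar": "2.2"}},
    "bar": {"version": "2.2", "built_against": {}},
    "baz": {"version": "5.0", "built_against": {"bar": "2.2"}},
    "qux": {"version": "3.0", "built_against": {}},
}
PORTS_TREE = {
    "foo": {"version": "1.1", "depends": ["bar"]},
    "bar": {"version": "2.5", "depends": []},
    "baz": {"version": "5.0", "depends": ["bar"]},
    "qux": {"version": "3.1", "depends": []},
}


def selective_upgrade(installed, tree, target):
    """Upgrade `target` plus any of its dependencies that are out of date.

    Returns (upgrades, at_risk). upgrades maps name -> (old, new) version.
    at_risk lists installed packages that are not rebuilt themselves but
    were built against an older version of a package that is upgraded.
    """
    upgrades = {}
    seen = set()
    stack = [target]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        old = installed.get(name, {}).get("version")
        new = tree[name]["version"]
        if old != new:
            upgrades[name] = (old, new)
        stack.extend(tree[name]["depends"])

    at_risk = sorted(
        name
        for name, pkg in installed.items()
        if name not in upgrades
        and any(
            dep in upgrades and upgrades[dep][1] != built_version
            for dep, built_version in pkg["built_against"].items()
        )
    )
    return upgrades, at_risk


def upgrade_all(installed, tree):
    """Model of checking every installed port: each out-of-date one changes."""
    return sorted(
        name for name, pkg in installed.items()
        if pkg["version"] != tree[name]["version"]
    )


if __name__ == "__main__":
    upgrades, at_risk = selective_upgrade(INSTALLED, PORTS_TREE, "foo")
    print("selective upgrade of foo changes:", upgrades)
    print("left in place but built against an old dependency:", at_risk)
    print("checking all ports would change:", upgrade_all(INSTALLED, PORTS_TREE))
```
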
Security updates
Hi :)

since I updated the ports tree I'm able to fix one issue after the other, e.g. GDM now can start Xfce4.

IIUC correctly freebsd-update ( http://www.freebsd.org/cgi/man.cgi?query=freebsd-update&sektion=8 ) will not take care about updates for e.g. Firefox, since I guess it doesn't belong to the base system.

Because compiling does take very long, I will not update the whole ports tree that often, I also like to keep software versions that fit to my needs whenever possible, but I guess without breaking dependencies it theoretically should be possible to update Internet browsers, MUAs etc. only from time to time, for security reasons.

Is it possible to update just some Internet stuff?

Regards,
Ralf
Re: Security updates
Hi,

On Wed, 23 Jan 2013 12:42:00 +0100 Ralf Mardorf ralf.mard...@alice-dsl.net wrote:

RM> Because compiling does take very long, I will not update the whole ports tree that often, I also like to keep software versions that fit to my needs whenever possible, but I guess without breaking dependencies it theoretically should be possible to update Internet browsers, MUAs etc. only from time to time, for security reasons.
RM>
RM> Is it possible to update just some Internet stuff?

yes, using some tools. Take a look at portmaster or portupgrade. Maybe you should install portaudit too. It tells you for which ports security flaws have been found.

To update a single port using portmaster you would run

    # portmaster www/firefox

for example.

Regards,

Jens

--
23. Hartung 2013, 13:02
Homepage : http://www.jan0sch.de

The student in question is performing minimally for his peer group and is an emerging underachiever.
[solved] Security updates
On Wed, 23 Jan 2013 13:04:08 +0100, Jens Jahnke jan0...@gmx.net wrote:
> [snip]
> Maybe you should install portaudit too. It tells you for which ports security flaws have been found.
>
> To update a single port using portmaster you would run
>
>     # portmaster www/firefox
>
> for example.

Hi Jens :)

thank you.

Regards,
Ralf
Re: pkgng package repository tracking security updates
On 14/01/2013 22:44, n j wrote:
> One thing to think about would be the option of port maintainers uploading the pre-compiled package of the updated port (or if the size of the upload is an issue then just the hash signature of the valid package archive so other people with more bandwidth can upload it) to help the package building cluster (at least for mainstream architectures).
>
> The idea behind it being that the port maintainer has to compile the port anyway and pkg create is not a big overhead. The result would be a sort of distributed package building solution.

Sorry. Distributed package building like this is never going to be acceptable. Too much scope for anyone to introduce trojans into packages. Building packages securely is a very big deal, and as recent events have shown, you can't take any chances.

Cheers,

Matthew
Re: pkgng package repository tracking security updates
On Tue, Jan 15, 2013 at 10:13 AM, Matthew Seaman matt...@freebsd.org wrote:
> On 14/01/2013 22:44, n j wrote:
>> One thing to think about would be the option of port maintainers uploading the pre-compiled package of the updated port (or if the size of the upload is an issue then just the hash signature of the valid package archive so other people with more bandwidth can upload it) to help the package building cluster (at least for mainstream architectures).
>>
>> The idea behind it being that the port maintainer has to compile the port anyway and pkg create is not a big overhead. The result would be a sort of distributed package building solution.
>
> Sorry. Distributed package building like this is never going to be acceptable. Too much scope for anyone to introduce trojans into packages. Building packages securely is a very big deal, and as recent events have shown, you can't take any chances.
>
> Cheers,
>
> Matthew

I'd trust this system as far as I trust port maintainers right now.

I understand that a port maintainer can submit arbitrary MASTER_SITES in a port Makefile which allows the maintainer to inject malware as they wish. If I trust the port maintainer to make me download and build something coming from e.g. http://samm.kiev.ua or http://danger.rulez.sk (just random picks, no offense intended), then I'd trust that maintainer to upload the package for me or submit a SHA256 hash that the correct package must have. So if somebody else were to build the package, the server would accept the upload only if it matches the hash.

Am I overlooking something? Is there some kind of port verification by someone from the team prior to accepting the port submission?

--
Nino
Re: pkgng package repository tracking security updates
n j nin...@gmail.com writes:

> On Tue, Jan 15, 2013 at 10:13 AM, Matthew Seaman matt...@freebsd.org wrote:
>> On 14/01/2013 22:44, n j wrote:
>>> One thing to think about would be the option of port maintainers uploading the pre-compiled package of the updated port (or if the size of the upload is an issue then just the hash signature of the valid package archive so other people with more bandwidth can upload it) to help the package building cluster (at least for mainstream architectures).
>>>
>>> The idea behind it being that the port maintainer has to compile the port anyway and pkg create is not a big overhead. The result would be a sort of distributed package building solution.
>>
>> Sorry. Distributed package building like this is never going to be acceptable. Too much scope for anyone to introduce trojans into packages. Building packages securely is a very big deal, and as recent events have shown, you can't take any chances.
>>
>> Cheers,
>>
>> Matthew
>
> I'd trust this system as far as I trust port maintainers right now.

Well, almost. It would have to be cryptographically validated, which would be a bit of work to get right.

> I understand that a port maintainer can submit arbitrary MASTER_SITES in a port Makefile which allows the maintainer to inject malware as they wish. If I trust the port maintainer to make me download and build something coming from e.g. http://samm.kiev.ua or http://danger.rulez.sk (just random picks, no offense intended), then I'd trust that maintainer to upload the package for me or submit a SHA256 hash that the correct package must have. So if somebody else were to build the package, the server would accept the upload only if it matches the hash.

It's easier to sneak something into a binary than a source code package, although you can never be *completely* sure either way (c.f., Ken Thompson's classic speech "Reflections on Trusting Trust").

In practice, some amount of subterfuge would be required for the attacker to keep from being found out too soon to do much good; possibly quite a lot of subterfuge, if the port gets run on TrustedBSD systems or other forms of system auditing. Once anyone notices a problem, the port will be shut down quickly.

> Am I overlooking something? Is there some kind of port verification by someone from the team prior to accepting the port submission?

Well, a committer has to check the port in personally, but deliberate sabotage could probably sneak by the committer most of the time.

- Lowell
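The acceptance rule proposed in this exchange (the server takes an upload only if it matches the maintainer's SHA256), as an added Python example that is not part of the thread or of any FreeBSD tool: a byte-identical copy passes, a modified build fails, and an honest rebuild of the same sources by someone else also fails unless the build is made reproducible. The tar archive stands in for a package file; build_package, accept_upload, demo and the foo-1.1 name are assumptions made for this example.

```python
import hashlib
import hmac
import io
import re
import tarfile

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def build_package(files, mtime, normalize=False):
    """Build an in-memory tar archive standing in for a package file.

    files maps path -> bytes; mtime is the builder's clock. With
    normalize=True the timestamp is pinned to 0, the one field that
    differs between builders in this model.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0 if normalize else mtime
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def accept_upload(pinned, name, blob, max_size=1 << 20):
    """Return (accepted, reason) for an uploaded package.

    pinned maps package name -> SHA256 hex digest from the maintainer.
    The table must itself reach the server authenticated (for instance
    signed); that step is outside this example.
    """
    expected = pinned.get(name)
    if expected is None:
        return False, "no pinned hash for this package"
    if not SHA256_HEX.match(expected):
        return False, "pinned hash is malformed"
    if len(blob) > max_size:
        return False, "upload exceeds size limit"
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "sha256 mismatch"
    return True, "sha256 matches pinned value"


def demo():
    """Run the same four uploads against plain and normalized builds."""
    # Constructed sample content; foo-1.1 and its files are made up.
    files = {"bin/foo": b"foo binary, built from foo-1.1 sources",
             "man/foo.1": b".TH FOO 1\n"}
    altered = dict(files, **{"bin/foo": b"foo binary, built from altered sources"})
    results = {}
    for normalize in (False, True):
        maintainer = build_package(files, 1358200000, normalize)
        pinned = {"foo-1.1": hashlib.sha256(maintainer).hexdigest()}
        rebuild = build_package(files, 1358203600, normalize)
        modified = build_package(altered, 1358203600, normalize)
        results[normalize] = {
            "mirror copy": accept_upload(pinned, "foo-1.1", maintainer)[0],
            "honest rebuild": accept_upload(pinned, "foo-1.1", rebuild)[0],
            "modified build": accept_upload(pinned, "foo-1.1", modified)[0],
            "unlisted package": accept_upload(pinned, "bar-2.5", rebuild)[0],
        }
    return results


if __name__ == "__main__":
    for normalize, outcome in demo().items():
        print("normalized build" if normalize else "plain build", outcome)
```
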
pkgng package repository tracking security updates
Hi,

One of my primary concerns when managing a system is its security. In the interest of security, I usually hold to that patch early, patch often. Ports are kept well up-to-date and with portmaster it is not a problem to keep updating the ports.

However, as Ivan [1] pointed out on his blog on pkgng:

  Having source-based ports is all fine and well but all that time compiling ports is subtracted from the time the server(s) would perform some actually useful work. After all, servers exist to do some work, not to be waited on while compiling.

The same goes for me: I don't want to wait for ports anymore. I don't want to wait for compilation too, especially on large ports and weak hardware, and do it often to stay on top of security vulnerabilities. For that reason I look forward to binary packages.

So, my question regarding pkgng is not really about the tool itself, but rather what will be provided via official repositories. One of the problems with the old pkg_* tools was that packages for a lot of software didn't exist and for those that did exist they weren't updated when vulnerabilities were discovered and patched upstream (and in ports).

Is this going to improve with pkgng repositories, will there be a, say, -SECURITY repository that will build the new version of packages at least as often as security vulnerabilities are fixed in ports?

[1] http://ivoras.net/blog/tree/2012-08-31.using-pkgng-in-real-life.html

Regards,
--
Nino
Re: pkgng package repository tracking security updates
On 1/14/2013 1:07 PM, n j wrote:
> Hi,
>
> One of my primary concerns when managing a system is its security. In the interest of security, I usually hold to that patch early, patch often. Ports are kept well up-to-date and with portmaster it is not a problem to keep updating the ports.
>
> However, as Ivan [1] pointed out on his blog on pkgng:
>
>   Having source-based ports is all fine and well but all that time compiling ports is subtracted from the time the server(s) would perform some actually useful work. After all, servers exist to do some work, not to be waited on while compiling.
>
> The same goes for me: I don't want to wait for ports anymore. I don't want to wait for compilation too, especially on large ports and weak hardware, and do it often to stay on top of security vulnerabilities. For that reason I look forward to binary packages.
>
> So, my question regarding pkgng is not really about the tool itself, but rather what will be provided via official repositories. One of the problems with the old pkg_* tools was that packages for a lot of software didn't exist and for those that did exist they weren't updated when vulnerabilities were discovered and patched upstream (and in ports).
>
> Is this going to improve with pkgng repositories, will there be a, say, -SECURITY repository that will build the new version of packages at least as often as security vulnerabilities are fixed in ports?
>
> [1] http://ivoras.net/blog/tree/2012-08-31.using-pkgng-in-real-life.html
>
> Regards,

Hi Nino,

I think that it's good to wait for ports to compile and to be able to choose your configure options for the packages you install. It's good to know what options you need and what options you don't and why, that's one of the reasons why I'm using FreeBSD.

I feel that the goal for pkgng is that you can install your locally built binary packages in a tinderbox on all your infrastructure so you don't have to compile every port on every server. IIRC it was considered too cumbersome to compile all the ports tree for all the architectures supported and provide the so called official binary repositories.

Regards,
Andrei
Re: pkgng package repository tracking security updates
On 14/01/2013 13:10, Andrei Brezan wrote:
> I think that it's good to wait for ports to compile and to be able to choose your configure options for the packages you install. It's good to know what options you need and what options you don't and why, that's one of the reasons why I'm using FreeBSD.
>
> I feel that the goal for pkgng is that you can install your locally built binary packages in a tinderbox on all your infrastructure so you don't have to compile every port on every server. IIRC it was considered too cumbersome to compile all the ports tree for all the architectures supported and provide the so called official binary repositories.

No, that's not *the* goal for pkgng. The goal is to provide a state-of-the-art binary package management system for FreeBSD (and anyone else who would like to use it).

For many users this will entail downloading pre-compiled packages from FreeBSD official repositories.

But it will be possible for third parties to set up their own repositories, in the same way that eg. the Postgresql project has their own Yum repositories for RH-alikes.

It will also be possible for people to compile their own packages either for direct installation, or to create their own private repositories to serve their own networks with their custom configured packages.

And, ideally, people will be able to use a *mix* of the above as best suits their needs.

Cheers,

Matthew
Re: pkgng package repository tracking security updates
On Mon, Jan 14, 2013 at 2:10 PM, Andrei Brezan andrei...@gmail.com wrote:
> On 1/14/2013 1:07 PM, n j wrote:
>> Hi,
>>
>> One of my primary concerns when managing a system is its security. In the interest of security, I usually hold to that patch early, patch often. Ports are kept well up-to-date and with portmaster it is not a problem to keep updating the ports.
>>
>> However, as Ivan [1] pointed out on his blog on pkgng:
>>
>>   Having source-based ports is all fine and well but all that time compiling ports is subtracted from the time the server(s) would perform some actually useful work. After all, servers exist to do some work, not to be waited on while compiling.
>>
>> The same goes for me: I don't want to wait for ports anymore. I don't want to wait for compilation too, especially on large ports and weak hardware, and do it often to stay on top of security vulnerabilities. For that reason I look forward to binary packages.
>>
>> So, my question regarding pkgng is not really about the tool itself, but rather what will be provided via official repositories. One of the problems with the old pkg_* tools was that packages for a lot of software didn't exist and for those that did exist they weren't updated when vulnerabilities were discovered and patched upstream (and in ports).
>>
>> Is this going to improve with pkgng repositories, will there be a, say, -SECURITY repository that will build the new version of packages at least as often as security vulnerabilities are fixed in ports?
>>
>> [1] http://ivoras.net/blog/tree/2012-08-31.using-pkgng-in-real-life.html
>>
>> Regards,
>
> Hi Nino,
>
> I think that it's good to wait for ports to compile and to be able to choose your configure options for the packages you install. It's good to know what options you need and what options you don't and why, that's one of the reasons why I'm using FreeBSD.
>
> I feel that the goal for pkgng is that you can install your locally built binary packages in a tinderbox on all your infrastructure so you don't have to compile every port on every server. IIRC it was considered too cumbersome to compile all the ports tree for all the architectures supported and provide the so called official binary repositories.
>
> Regards,
> Andrei

Hi Andrei,

ports system is not going away with pkgng and it is still there for everyone who, like yourself, appreciates choosing all configure options and compile it by hand.

I know that I'm not the only one who appreciates the practicality of binary packages and that is why I'm wondering if there are any plans for supplying the packages on a more consistent basis.

I do understand that the infrastructure is limited and this might be cumbersome, but Linux distributions are doing it and while the same model probably isn't applicable to the smaller FreeBSD community, there are ways around that - building new versions only when (major?) security issues are identified, doing it for a limited scope of (most commonly used?) packages, using some kind of distributed hosting (e.g. torrents with maintainer-uploaded digital signatures) and so on.

Regards,
--
Nino
Re: pkgng package repository tracking security updates
On Mon, Jan 14, 2013 at 3:15 PM, Matthew Seaman matt...@freebsd.org wrote:
> On 14/01/2013 13:10, Andrei Brezan wrote:
>> I think that it's good to wait for ports to compile and to be able to choose your configure options for the packages you install. It's good to know what options you need and what options you don't and why, that's one of the reasons why I'm using FreeBSD.
>>
>> I feel that the goal for pkgng is that you can install your locally built binary packages in a tinderbox on all your infrastructure so you don't have to compile every port on every server. IIRC it was considered too cumbersome to compile all the ports tree for all the architectures supported and provide the so called official binary repositories.
>
> No, that's not *the* goal for pkgng. The goal is to provide a state-of-the-art binary package management system for FreeBSD (and anyone else who would like to use it).
>
> For many users this will entail downloading pre-compiled packages from FreeBSD official repositories.
>
> But it will be possible for third parties to set up their own repositories, in the same way that eg. the Postgresql project has their own Yum repositories for RH-alikes.
>
> It will also be possible for people to compile their own packages either for direct installation, or to create their own private repositories to serve their own networks with their custom configured packages.
>
> And, ideally, people will be able to use a *mix* of the above as best suits their needs.
>
> Cheers,
>
> Matthew

Hi Matthew,

The point of my question was exactly if it was possible to elaborate on the pre-compiled packages from FreeBSD official repositories part. Would it be possible to have a (security-wise) up-to-date pre-compiled packages in the official repositories?

Note, I don't expect an unreasonable effort here - I understand there will always be delays between upstream fix -- ports fix -- up-to-date package and it is acceptable for the binary package to lag a few days behind the port (depending on the availability of package building cluster or maintainer upload).

Regards,
--
Nino
Re: pkgng package repository tracking security updates
On 14/01/2013 14:36, n j wrote:
> The point of my question was exactly if it was possible to elaborate on the pre-compiled packages from FreeBSD official repositories part. Would it be possible to have a (security-wise) up-to-date pre-compiled packages in the official repositories?
>
> Note, I don't expect an unreasonable effort here - I understand there will always be delays between upstream fix -- ports fix -- up-to-date package and it is acceptable for the binary package to lag a few days behind the port (depending on the availability of package building cluster or maintainer upload).

Yes, there will be a pkgng package building cluster which will track updates to the ports and provide as up-to-date a collection of packages as possible for at least x86, amd64 on all supported FreeBSD branches and head. Possibly other architectures as well.

However, as all that is still under construction (and construction plans have been heavily revised in the light of the earlier security compromise) I have no good idea of what sort of turn-around will be possible. I expect at least as good as the old pkg build cluster managed and probably better.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
Re: pkgng package repository tracking security updates
On Mon, Jan 14, 2013 at 3:43 PM, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:
> On 14/01/2013 14:36, n j wrote:
>> The point of my question was exactly if it was possible to elaborate on the pre-compiled packages from FreeBSD official repositories part. Would it be possible to have a (security-wise) up-to-date pre-compiled packages in the official repositories?
>>
>> Note, I don't expect an unreasonable effort here - I understand there will always be delays between upstream fix -- ports fix -- up-to-date package and it is acceptable for the binary package to lag a few days behind the port (depending on the availability of package building cluster or maintainer upload).
>
> Yes, there will be a pkgng package building cluster which will track updates to the ports and provide as up-to-date a collection of packages as possible for at least x86, amd64 on all supported FreeBSD branches and head. Possibly other architectures as well.
>
> However, as all that is still under construction (and construction plans have been heavily revised in the light of the earlier security compromise) I have no good idea of what sort of turn-around will be possible. I expect at least as good as the old pkg build cluster managed and probably better.
>
> Cheers,
>
> Matthew

Thanks, that's encouraging news.

One thing to think about would be the option of port maintainers uploading the pre-compiled package of the updated port (or if the size of the upload is an issue then just the hash signature of the valid package archive so other people with more bandwidth can upload it) to help the package building cluster (at least for mainstream architectures).

The idea behind it being that the port maintainer has to compile the port anyway and pkg create is not a big overhead. The result would be a sort of distributed package building solution.

Regards,
--
Nino
security updates
Hello list.

I run a daily script via cron

    @daily root freebsd-update cron

Today I got this in my mail which usually means that I have to run freebsd-update.

    Looking up update.FreeBSD.org mirrors... 4 mirrors found.
    Fetching metadata signature for 8.2-RELEASE from update5.FreeBSD.org... done.
    Fetching metadata index... done.
    Inspecting system... done.
    Preparing to download files... done.

    The following files will be added as part of updating to 8.2-RELEASE-p6:
    /usr/src/lib/libc/gen/libc_dlopen.c

    The following files will be updated as part of updating to 8.2-RELEASE-p6:
    /boot/kernel/kernel

My question is: With uname -a I get

    FreeBSD 8.2-RELEASE-p6 #1: Thu Jan 5 09:12:38 CET 2012 /usr/obj/usr/src/sys/GENERIC amd64

Do I need to do anything?

Thanks
/Leslie
Re: fbsd 8.2 security updates -p3 -p4
On 05.10.2011 at 07:11, n dhert ndhert...@gmail.com wrote:
> Less than a week ago, there was security update -p3, tonight already -p4 rolled in.. Does someone know why ?

http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc

Andreas
fbsd 8.2 security updates -p3 -p4
Less than a week ago, there was security update -p3, tonight already -p4 rolled in.. Does someone know why ?

applying -p3, rebuilding kernel (custom kernel: generic + option QUOTA), and rebooting caused my /var to be filled up to 108% (...) with a huge /var/log/Xorg.0.log file ... has -p4 something to do with that? did -p3 introduce a bug?
question about security updates
I was wondering in the case of openssl: http://security.freebsd.org/advisories/FreeBSD-SA-09:08.openssl.asc

Corrected: 2009-04-22 14:07:14 UTC (RELENG_7, 7.2-PRERELEASE)
2009-04-22 14:07:14 UTC (RELENG_7_2, 7.2-RC2)
2009-04-22 14:07:14 UTC (RELENG_7_1, 7.1-RELEASE-p5)
2009-04-22 14:07:14 UTC (RELENG_7_0, 7.0-RELEASE-p12)
2009-04-22 14:07:14 UTC (RELENG_6, 6.4-STABLE)
2009-04-22 14:07:14 UTC (RELENG_6_4, 6.4-RELEASE-p4)
2009-04-22 14:07:14 UTC (RELENG_6_3, 6.3-RELEASE-p10)
CVE Name: CVE-2009-0590

I see that in release 7_2, that this was corrected. Does this mean that if I were to download the 7.2 iso, that this patch would already be applied to this release?

To me, it seems that anything that isn't *-RELEASE-p? would be applied to the distributed iso, but I could be wrong.

Thanks, Jason
Re: question about security updates
On Wed, Aug 26, 2009 at 09:08:17AM -0700, Jason wrote:

> I was wondering in the case of openssl: http://security.freebsd.org/advisories/FreeBSD-SA-09:08.openssl.asc
>
> Corrected: 2009-04-22 14:07:14 UTC (RELENG_7, 7.2-PRERELEASE)
> 2009-04-22 14:07:14 UTC (RELENG_7_2, 7.2-RC2)
> 2009-04-22 14:07:14 UTC (RELENG_7_1, 7.1-RELEASE-p5)
> 2009-04-22 14:07:14 UTC (RELENG_7_0, 7.0-RELEASE-p12)
> 2009-04-22 14:07:14 UTC (RELENG_6, 6.4-STABLE)
> 2009-04-22 14:07:14 UTC (RELENG_6_4, 6.4-RELEASE-p4)
> 2009-04-22 14:07:14 UTC (RELENG_6_3, 6.3-RELEASE-p10)
> CVE Name: CVE-2009-0590
>
> I see that in release 7_2, that this was corrected. Does this mean that if I were to download the 7.2 iso, that this patch would already be applied to this release?

It would not be in the ISO. That does not get changed after it is released. But if you do an update (CSUP) to RELENG_7_2, e.g. put the line

*default tag=RELENG_7_2

in your supfile, then that will download the security updates. You then need to do the builds as it tells in the handbook. Make sure you read and understand the procedures in the handbook. It will all work just fine. I have done it many times. But, don't try to shortcut or make guesses about the procedures in the handbook. Then you will be off in space and it will leave something screwed up. That is why the handbook was written and one of the things that makes FreeBSD superior.

jerry

> To me, it seems that anything that isn't *-RELEASE-p? would be applied to the distributed iso, but I could be wrong.
>
> Thanks, Jason
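An added example (not from any of the posters): a Python sketch that parses the "Corrected:" block of FreeBSD-SA-09:08.openssl as quoted in this thread and classifies a host by its `uname -r` string. It goes slightly beyond the thread by also handling -STABLE through the date of the source checkout; the function names and the `source_date` parameter are hypothetical.

```python
import re
from datetime import datetime, timezone

# "Corrected:" block of FreeBSD-SA-09:08.openssl as quoted in the thread
# above: one "timestamp UTC (branch tag, version)" entry per line.
CORRECTED = """\
2009-04-22 14:07:14 UTC (RELENG_7, 7.2-PRERELEASE)
2009-04-22 14:07:14 UTC (RELENG_7_2, 7.2-RC2)
2009-04-22 14:07:14 UTC (RELENG_7_1, 7.1-RELEASE-p5)
2009-04-22 14:07:14 UTC (RELENG_7_0, 7.0-RELEASE-p12)
2009-04-22 14:07:14 UTC (RELENG_6, 6.4-STABLE)
2009-04-22 14:07:14 UTC (RELENG_6_4, 6.4-RELEASE-p4)
2009-04-22 14:07:14 UTC (RELENG_6_3, 6.3-RELEASE-p10)
"""

ENTRY = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC \((RELENG_[0-9_]+), ([^)]+)\)$"
)
HOST = re.compile(r"^(\d+)\.(\d+)-(RELEASE|STABLE)(?:-p(\d+))?$")
FIRST_FIXED = re.compile(r"^\d+\.\d+-RELEASE-p(\d+)$")


def parse_corrected(text):
    """Return a dict: branch tag -> (correction time in UTC, version string)."""
    fixes = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fixes[m.group(2)] = (when.replace(tzinfo=timezone.utc), m.group(3))
    return fixes


def check_host(version, fixes, source_date=None):
    """Classify a host as 'fixed', 'vulnerable' or 'unknown'.

    version     -- release string from `uname -r`, e.g. "7.1-RELEASE-p3"
    source_date -- timezone-aware UTC datetime of the source checkout the
                   system was built from; only used for -STABLE, which
                   carries no patch level (hypothetical parameter)
    """
    m = HOST.match(version)
    if not m:
        return "unknown"
    major, minor, kind, plevel = m.groups()
    if kind == "RELEASE":
        # Security branch RELENG_X_Y: the advisory names the first fixed -pN.
        entry = fixes.get(f"RELENG_{major}_{minor}")
        first = FIRST_FIXED.match(entry[1]) if entry else None
        if not first:
            # Branch not listed, or listed by something other than a patch
            # level (here RELENG_7_2 is listed as 7.2-RC2).
            return "unknown"
        return "fixed" if int(plevel or 0) >= int(first.group(1)) else "vulnerable"
    # -STABLE: only the date of the sources says whether the fix is included.
    entry = fixes.get(f"RELENG_{major}")
    if not entry or source_date is None:
        return "unknown"
    return "fixed" if source_date >= entry[0] else "vulnerable"


if __name__ == "__main__":
    table = parse_corrected(CORRECTED)
    for host in ("7.1-RELEASE-p3", "7.1-RELEASE-p5", "7.0-RELEASE", "7.2-RELEASE"):
        print(host, "->", check_host(host, table))
```

`uname -r` reports the running kernel, so after an update that replaced only userland files it can show an older patch level than the one actually installed.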
security updates
Hello :-)

I'm new to freeBSD, so forgive me if my question is boring :-(

I just discovered that my computer hosting company allows the use of freeBSD (http://www.ovh.com/fr/particulier/items/distributions/free_bsd.xml?sort=bsdgm=pop) on their cheap (20€/month http://www.ovh.com/fr/particulier/produits/kimsufi08.xml) systems.

until now I used on my hosted computer my linux of choice, that is openSUSE, but on a cheap, that is with little power, server, openSUSE is overkill so I plan to use freeBSD soon.

However, as said, I don't know freeBSD yet. I have some sort of experience of openBSD, but only on old fashioned computers (SS1, SS20...) but I think there will not be major difference and I plan anyway to install freebsd on virtualbox first to test it.

I'm an old linux hacker and compiling is not really a problem, even if I feel better without :-)

so then, my question: what about security updates? with openSUSE I have an automatic update. For freeBSD, I didn't find anything on this archive list and the google search sent me to old doc (2003) http://www.daemonology.net/freebsd-update/binup.html

where is freeBSD in this respect?

thanks
jdd

-- Jean-Daniel Dodin, President of CULTe, www.culte.org
Re: security updates
jdd sur free wrote:

> Hello :-)
>
> I'm new to freeBSD, so forgive me if my question is boring :-(
>
> I just discovered that my computer hosting company allows the use of freeBSD (http://www.ovh.com/fr/particulier/items/distributions/free_bsd.xml?sort=bsdgm=pop) on their cheap (20€/month http://www.ovh.com/fr/particulier/produits/kimsufi08.xml) systems.
>
> until now I used on my hosted computer my linux of choice, that is openSUSE, but on a cheap, that is with little power, server, openSUSE is overkill so I plan to use freeBSD soon.
>
> However, as said, I don't know freeBSD yet. I have some sort of experience of openBSD, but only on old fashioned computers (SS1, SS20...) but I think there will not be major difference and I plan anyway to install freebsd on virtualbox first to test it.
>
> I'm an old linux hacker and compiling is not really a problem, even if I feel better without :-)
>
> so then, my question: what about security updates? with openSUSE I have an automatic update. For freeBSD, I didn't find anything on this archive list and the google search sent me to old doc (2003) http://www.daemonology.net/freebsd-update/binup.html
>
> where is freeBSD in this respect?
>
> thanks
> jdd

The FreeBSD base system gets security updates through freebsd-update, very easily:

freebsd-update fetch
freebsd-update install

(assuming you install a -RELEASE version)

For third party applications (what you install from ports or packages) you can use a variety of utilities to update / check them:

ports-mgmt/portaudit will warn you when an installed application has a known security problem

ports-mgmt/portupgrade will allow you to upgrade any (or all) applications to their latest versions.

There are quite a few more programs that deal with application install/upgrade, I suggest you have a look at the ports-mgmt directory
Re: security updates
On Fri, Aug 15, 2008 at 12:39 PM, jdd sur free [EMAIL PROTECTED] wrote:

> Hello :-)
>
> so then, my question: what about security updates? with openSUSE I have an automatic update. For freeBSD, I didn't find anything on this archive list and the google search sent me to old doc (2003) http://www.daemonology.net/freebsd-update/binup.html
>
> where is freeBSD in this respect?
>
> thanks
> jdd

freebsd-update is now included in the base system itself, so you can use it without any problems for all updates. You can still compile the updates though.

Amitabh
Re: security updates
On Fri, 15 Aug 2008 09:09:01 +0200 jdd sur free [EMAIL PROTECTED] wrote:

> Hello :-)
>
> I'm new to freeBSD, so forgive me if my question is boring :-(

[...]

Welcome jdd!

> so then, my question: what about security updates? with openSUSE I have an automatic update. For freeBSD, I didn't find anything on this archive list and the google search sent me to old doc (2003) http://www.daemonology.net/freebsd-update/binup.html

Kernel + Base: If you use the GENERIC kernel, freebsd-update will work great. It is part of the 7.x series, man freebsd-update :) in pre-7 versions, I think you could install it from ports. If you are past GENERIC, then you should read http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cutting-edge.html

Ports: you should read http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports.html and http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/portsnap.html

Good luck, b

_ {Beto|Norberto|Numard} Meijome

If you don't have the time to do it right, where are you going to find the time to do it over?

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
Re: security updates
Manolis Kiagias wrote:

> The FreeBSD base system gets security updates through freebsd-update, very easily:
>
> freebsd-update fetch
> freebsd-update install
>
> (assuming you install a -RELEASE version)

of course, for such use I will take the or stable version :-)

I was sure it was easy :-)

thanks
jdd

-- http://www.dodin.net http://valerie.dodin.org
Re: security updates
> of course, for such use I will take the or stable version :-)
>
> I was sure it was easy :-)
>
> thanks
> jdd

Just to clarify, X-STABLE does not indicate end-user stability. It indicates the ABI is (generally) stable (ABI-compatibility is maintained within a branch). There are exceptions, but this generally holds true.

That said, -RELEASE is a better idea for a production system, unless you have some dire need for a feature/enhancement in -STABLE.

You can read more about the FreeBSD release engineering process here: http://www.freebsd.org/doc/en_US.ISO8859-1/articles/releng/index.html

Regards, Josh
Automatic Script for /usr/src security updates
Is there an application that can be triggered by security advisory e-mails, or the like, to automatically do cvsup and rebuild the system? I know that would probably be a little difficult with the mergemaster command.

Thanks
Chris Maness
Re: Automatic Script for /usr/src security updates
Chris Maness wrote:

> Is there an application that can be triggered by security advisory e-mails, or the like, to automatically do cvsup and rebuild the system? I know that would probably be a little difficult with the mergemaster command.

I know that someone has written a script which parses security advisories; but it sounds to me like you're really looking for FreeBSD Update.

Colin Percival
Re: UPDATING and security updates.
jimmie james [EMAIL PROTECTED] writes:

> Curious why there's no mention of any security issues in /usr/src/UPDATING on 4.11-STABLE systems, but browsing the cvs-src, there's notes in RELENG_4_10, RELENG_4_11, Branch: RELENG_5_3? Wouldn't it make sense to note it in all affected releases?

I don't think so. It's already mentioned in a lot of places, and UPDATING is imposing enough as it is; I think that keeping UPDATING just for tracking issues you need to bear in mind for actually *doing* the update of your system.

> Yes, I'm subscribed to the relevant lists, however, having an official tracking of these issues, would help in knowing what patch was applied when, and the reason.

Absolutely. That place is: http://www.freebsd.org/security/#adv
UPDATING and security updates.
Curious why there's no mention of any security issues in /usr/src/UPDATING on 4.11-STABLE systems, but browsing the cvs-src, there's notes in RELENG_4_10, RELENG_4_11, Branch: RELENG_5_3? Wouldn't it make sense to note it in all affected releases?

Yes, I'm subscribed to the relevant lists, however, having an official tracking of these issues, would help in knowing what patch was applied when, and the reason.
security updates
I got this message today from cron, apparently my security update failed. Any idea how to resolve this? I am also getting a similar message on a 5.3 box.

Fetching updates signature...
fetch: http://update.daemonology.net/i386/4.9/updates.sig: Not Found
Error fetching updates

Jeff Maxwell
POS Department Manager
Uni-Marts, LLC
Voice 570-829-0888 Ext. 421
Fax 570-829-4390
RE: security updates
> I got this message today from cron, apparently my security update failed. Any idea how to resolve this? I am also getting a similar message on a 5.3 box.
>
> Fetching updates signature...
> fetch: http://update.daemonology.net/i386/4.9/updates.sig: Not Found
> Error fetching updates
>
> Jeff Maxwell
> POS Department Manager
> Uni-Marts, LLC
> Voice 570-829-0888 Ext. 421
> Fax 570-829-4390

From their main site (http://update.daemonology.net/):

Due to hardware failures, update.daemonology.net is currently unavailable. FreeBSD Update will be back online sometime soon

Kind Regards,
Sander Holthaus
Re: security updates
Jeff Maxwell wrote:

> I got this message today from cron, apparently my security update failed. Any idea how to resolve this? I am also getting a similar message on a 5.3 box.
>
> Fetching updates signature...
> fetch: http://update.daemonology.net/i386/4.9/updates.sig: Not Found
> Error fetching updates

It appears that you are running a custom update script, would help if you published it. And try to run it by hand, it should be located in /etc/periodic/security or similar. Then send whatever debug info you can deduce from the output.

Cheers, Erik

-- Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
Re: security updates
Jeff Maxwell wrote:

> I got this message today from cron, apparently my security update failed. Any idea how to resolve this? I am also getting a similar message on a 5.3 box.
>
> Fetching updates signature...
> fetch: http://update.daemonology.net/i386/4.9/updates.sig: Not Found
> Error fetching updates
>
> Jeff Maxwell

Looks like Colin is having some troubles with his servers or hosting company:

%lynx www.daemonology.net

Due to hardware failures, daemonology.net is currently unavailable.

Portsnap users: Assuming the dns magic works, portsnap should start operating correctly soon.

FreeBSD Update users: I need to upload a bunch of files to the location where I'm temporarily hosting the update.daemonology.net domain -- this should be done on Wednesday or Thursday.

Everybody else looking for content here: I'm currently looking for a new permanent home for this site... recommendations for *low cost* dedicated servers (or even better, a donated server) are welcome. Contact me at my freebsd.org address -- daemonology.net email is currently broken.

Kevin Kinsey
Re: security updates
What are security updates?
Re[2]: security updates
AA> What are security updates?

How does it sound ;) If a bug that affects security is found, an update to fix is produced. In my definition this counts as security update.

Hexren
Re: security updates
Hexren writes:

> How does it sound ;) If a bug that affects security is found, an update to fix is produced. In my definition this counts as security update.

Fine. So what's the connection to cron?

-- Anthony
Re: security updates
I run freebsd-update as a cron job to check for security updates daily.

At 07:16 PM 2/9/05 +0100, you wrote:

> Hexren writes:
>
> > How does it sound ;) If a bug that affects security is found, an update to fix is produced. In my definition this counts as security update.
>
> Fine. So what's the connection to cron?
>
> -- Anthony

Jeff Maxwell
POS Department Manager
Uni-Marts, LLC
Voice 570-829-0888 Ext. 421
Fax 570-829-4390
where to find security updates?
Hi all,

I am somewhat new to FreeBSD, and so not 100% used to this ports and portaudit system. My daily sec. output says, that my installed mod_php4-4.3.8_2 has two vulnerabilities. So I did a cvsup /root/ports-supfile and a make search=mod_php4 afterwards. But I can only see mod_php4-4.3.6 now, which does not look like an update to mod_php4-4.3.8_2.

Now my question is: How should/can I update mod_php4, if there is no update available?

Greetings and TIA, Matthias

-- Homer: No TV and No Beer Make Homer ... something something. Marge: Go crazy? Homer: Don't mind if I do! Treehouse of Horror V
Re: where to find security updates?
On Thu, Oct 14, 2004 at 01:57:35PM +0200, Matthias F. Brandstetter wrote:

> Hi all,
>
> I am somewhat new to FreeBSD, and so not 100% used to this ports and portaudit system. My daily sec. output says, that my installed mod_php4-4.3.8_2 has two vulnerabilities. So I did a cvsup /root/ports-supfile and a make search=mod_php4 afterwards. But I can only see mod_php4-4.3.6 now, which does not look like an update to mod_php4-4.3.8_2.

cd /usr/ports
make fetchindex
Re: where to find security updates?
On Thu, Oct 14, 2004 at 01:57:35PM +0200, Matthias F. Brandstetter wrote:

> Now my question is: How should/can I update mod_php4, if there is no update available?

portupgrade -a will upgrade all ports installed on your system
Re: where to find security updates?
On Thu, Oct 14, 2004 at 01:57:35PM +0200, Matthias F. Brandstetter wrote:

> Hi all,
>
> I am somewhat new to FreeBSD, and so not 100% used to this ports and portaudit system. My daily sec. output says, that my installed mod_php4-4.3.8_2 has two vulnerabilities. So I did a cvsup /root/ports-supfile and a make search=mod_php4 afterwards. But I can only see mod_php4-4.3.6 now, which does not look like an update to mod_php4-4.3.8_2.
>
> Now my question is: How should/can I update mod_php4, if there is no update available?
>
> Greetings and TIA, Matthias

For the portupgrade utility you may install the port /usr/ports/sysutils/portupgrade

You can use this tool to upgrade one package, for example:

portupgrade mod_php4-4.3.8_2
Re: where to find security updates?
-- quoting Alexandr --

> > My daily sec. output says, that my installed mod_php4-4.3.8_2 has two vulnerabilities. So I did a cvsup /root/ports-supfile and a make search=mod_php4 afterwards. But I can only see mod_php4-4.3.6 now, which does not look like an update to mod_php4-4.3.8_2.
>
> cd /usr/ports
> make fetchindex

that was it, thx a lot!

Greetings, Matthias

-- Maybe I should just cut my losses, give up on Lisa, and make a fresh start with Maggie. -- Homer Simpson Lisa's Pony
Re: where to find security updates?
On Thu, Oct 14, 2004 at 01:57:35PM +0200, Matthias F. Brandstetter wrote:

> Hi all,
>
> I am somewhat new to FreeBSD, and so not 100% used to this ports and portaudit system. My daily sec. output says, that my installed mod_php4-4.3.8_2 has two vulnerabilities. So I did a cvsup /root/ports-supfile and a make search=mod_php4 afterwards. But I can only see mod_php4-4.3.6 now, which does not look like an update to mod_php4-4.3.8_2.

You go wrong here. There doesn't exist a command 'make search=...' it should be 'make search name=mod_php4'. Because of this you have compiled (but not installed) all recursive ports. To fix this do: make clean from /usr/ports (this takes a while)

The most recent for me is: mod_php4-4.3.4_7,1

If you run 'pkg_version | grep php' then you can see if the port is newer than the one you installed. A < means that this is the case.

> Now my question is: How should/can I update mod_php4, if there is no update available?

First install portupgrade:

# cd /usr/ports/sysutils/portupgrade/
# make install && make clean

Then do:

# rehash
# portupgrade -fR mod_php4

The R also compiles all ports that php4 uses and the f forces a recompile of ports that are of the current version. It's not always required but I've had some trouble with php. This solved the problem for me.

-- Alex

Please copy the original recipients, otherwise I may not read your reply.
WWW: http://www.kruijff.org/alex/FreeBSD/
Re: where to find security updates?
hermm. you might wanna read /usr/ports/UPDATING before you do that.

On Thursday 14 October 2004 17:07, Alexandr wrote:

> On Thu, Oct 14, 2004 at 01:57:35PM +0200, Matthias F. Brandstetter wrote:
>
> > Now my question is: How should/can I update mod_php4, if there is no update available?
>
> portupgrade -a will upgrade all ports installed on your system
Alternatives to CVSUP for Security Updates and Errata
Hello.

I am a systems administrator for a large multi-national firm, consisting of approximately 90,000 employees. I currently manage several FreeBSD 4.9 and 4.10 servers that serve as high volume web servers to several of our employees worldwide. As you can imagine, in a firm the size of ours, various teams are responsible for various aspects of our technology infrastructure.

With that said, I have requested to have our security team create a policy that will allow traffic to and from my servers via port 5999 for CVSup, so that I could synch my source. My request has been flatly refused, due to the fact that FreeBSD is not a firm-standard operating system. The security team will not open up the firewalls for this purpose. CVSup is not an option.

My question is what would be the best possible method of keeping up-to-date with security patches and errata? I have tried Colin Percival's FreeBSD-Update in the past, but I'm not sure that this is the best method, since I am using some SMP custom kernels. I've also heard that CTM is a very error-plagued and archaic method.

Please advise. Thank you.
Re: Alternatives to CVSUP for Security Updates and Errata
Kenneth A. Bond wrote:

[Has no way of upgrading sources via CVSup b/c of firewalls]

If your security guys do not block SSH traffic, you could check out your sources using CVS over ssh. See http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/anoncvs.html for some mirrors which allow ssh.

Regards, Phil.

P.S.: Oh, and wrap your lines...

-- Did you know... If you play a Windows 2000 CD backwards, you hear satanic messages, but what's worse is when you play it forward ...it installs windows 2000 -- Alfred Perlstein on [EMAIL PROTECTED]
Re: Alternatives to CVSUP for Security Updates and Errata
In the last episode (Aug 26), Kenneth A. Bond said:

> I currently manage several FreeBSD 4.9 and 4.10 servers that serve as high volume web servers to several of our employees worldwide. As you can imagine, in a firm the size of ours, various teams are responsible for various aspects of our technology infrastructure. With that said, I have requested to have our security team create a policy that will allow traffic to and from my servers via port 5999 for CVSup, so that I could synch my source. My request has been flatly refused, due to the fact that FreeBSD is not a firm-standard operating system. The security team will not open up the firewalls for this purpose. CVSup is not an option.

You don't need to allow incoming connections to port 5999; cvsup by default will multiplex traffic over the one outgoing connection. You can also connect through a SOCKS proxy server (but not an HTTP proxy) if your company has one. If your firewall blocks all outgoing TCP connects, then you are probably stuck.

-- Dan Nelson [EMAIL PROTECTED]
Re: Security Updates and Patching Two Choices?
Giorgos Keramidas wrote:

> On 2004-03-29 15:07, Charles Swiger [EMAIL PROTECTED] wrote:
>
> > On Mar 29, 2004, at 2:28 PM, Sean Murphy wrote:

[ ... ]

> > > If I tag just the 4_9 Release in the CVSupfile can i just ignore the mergemaster? also can I just CVSup the sources and build the ones I want? (see above)
> >
> > Generally one can ignore doing the mergemaster simply for a security patch.
>
> Unless, of course, the security patch fixes problems in /etc files that mergemaster *must* update. It's not very difficult to run mergemaster. I wouldn't recommend avoiding it altogether.

[ ... ]

Oh, I agree with you: I think mergemaster is a useful tool, and I don't think it's very difficult to use. Reasonable people disagree, however. In particular, people who aren't familiar with diff generally find mergemaster to be incomprehensible. :-)

-- -Chuck
Re: Security Updates and Patching Two Choices?
* Chuck Swiger [EMAIL PROTECTED] [2004-03-30 11:14]:

> Giorgos Keramidas wrote:
>
> > On 2004-03-29 15:07, Charles Swiger [EMAIL PROTECTED] wrote:
> >
> > > On Mar 29, 2004, at 2:28 PM, Sean Murphy wrote:
>
> [ ... ]
>
> > > > If I tag just the 4_9 Release in the CVSupfile can i just ignore the mergemaster? also can I just CVSup the sources and build the ones I want? (see above)
> > >
> > > Generally one can ignore doing the mergemaster simply for a security patch.
> >
> > Unless, of course, the security patch fixes problems in /etc files that mergemaster *must* update. It's not very difficult to run mergemaster. I wouldn't recommend avoiding it altogether.
>
> [ ... ]
>
> Oh, I agree with you: I think mergemaster is a useful tool, and I don't think it's very difficult to use. Reasonable people disagree, however. In particular, people who aren't familiar with diff generally find mergemaster to be incomprehensible. :-)

From a [relative] newbie; it's only incomprehensible the first time or two.

-- Joshua

A woman should have compassion. -- Kirk, Catspaw, stardate 3018.2
Security Updates and Patching Two Choices?
I would like to stay patched with the latest security advisories. However usually I wait until the next release iso becomes available and do a fresh install that includes all the known exploits. My reason behind this is the makeworld, CVSup, and mergemaster is very time consuming/complicated. Mergemaster especially when I'm merging /etc files that I have no clue what they do.

I also don't want all sources compiled on my system. I like a minimized OS. I don't want to build all sources when I just need these on my system (bin, man, and crypto). The same selection I use from a new install from /stand/sysinstall. Is that possible?

However in the security advisories the second option is to download this file and patch the existing source and do a makeworld. Here is an excerpt of the latest advisory

---
a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:05/openssl.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:05/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in URL: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html .
---

It seems the makeworld process is the only way to keep the system patched.

If I tag just the 4_9 Release in the CVSupfile can i just ignore the mergemaster? also can I just CVSup the sources and build the ones I want? (see above)

Thanks in advance
Sean Murphy [EMAIL PROTECTED]
Re: Security Updates and Patching Two Choices?
On Monday 29 March 2004 01:28 pm, Sean Murphy wrote:

> I would like to stay patched with the latest security advisories. However usually I wait until the next release iso becomes available and do a fresh install that includes all the known exploits. My reason behind this is the makeworld, CVSup, and mergemaster is very time consuming/complicated. Mergemaster especially when I'm merging /etc files that I have no clue what they do.
>
> I also don't want all sources compiled on my system. I like a minimized OS. I don't want to build all sources when I just need these on my system (bin, man, and crypto). The same selection I use from a new install from /stand/sysinstall. Is that possible?

Then perhaps freebsd-update is for you? (/usr/ports/security/freebsd-update)

From the file pkg-descr:

more pkg-descr

This is the client half of the FreeBSD Update system; it fetches and applies binary security updates.

WWW: http://www.daemonology.net/freebsd-update/

-- Best regards, Chris
Re: Security Updates and Patching Two Choices?
On Mar 29, 2004, at 2:28 PM, Sean Murphy wrote:

> I don't want to build all sources when I just need these on my system (bin, man, and crypto). The same selection I use from a new install from /stand/sysinstall. Is that possible?

If you look at /etc/default/make.conf for a bunch of components starting with NO_, you can set those to get something close to what you've asked for.

> It seems the makeworld process is the only way to keep the system patched.

Someone (Colin Percival?) has a binary updating system available for FreeBSD which might be easier for you to use.

> If I tag just the 4_9 Release in the CVSupfile can i just ignore the mergemaster? also can I just CVSup the sources and build the ones I want? (see above)

Generally one can ignore doing the mergemaster simply for a security patch. Yes, you can use CVSup to update your local sources with the fix instead of applying a patch by hand. Using a tag of RELENG_4 (aka STABLE) or RELENG_4_9 (aka security branch of 4.9) should be what you want.

-- -Chuck
Re: Security Updates and Patching Two Choices?
On 2004-03-29 15:07, Charles Swiger [EMAIL PROTECTED] wrote:
> On Mar 29, 2004, at 2:28 PM, Sean Murphy wrote:
> > I don't want to build all sources when I just need these on my system (bin, man, and crypto). The same selection I use from a new install from /stand/sysinstall. Is that possible?
>
> If you look at /etc/default/make.conf for a bunch of components starting with NO_, you can set those to get something close to what you've asked for.

Good idea :-)

> > If I tag just the 4_9 Release in the CVSupfile can I just ignore the mergemaster? Also can I just CVSup the sources and build the ones I want? (see above)
>
> Generally one can ignore doing the mergemaster simply for a security patch.

Unless, of course, the security patch fixes problems in /etc files that mergemaster *must* update. It's not very difficult to run mergemaster. I wouldn't recommend avoiding it altogether. Instead, I'd probably recommend one of two things, or both at the same time:

a. Read the available documentation about /etc files. You don't have to learn all the (admittedly, mostly boring) details about every single file there is. Just skim through the manpages to get a general idea of what purpose each file serves.

b. Install (almost blindly) all the files that mergemaster wants to update, unless you are absolutely certain you have made manually some changes to the installed version.

c. Merging the files which contain local changes is easy enough, as long as you spend a few moments to read the sdiff(1) manpage. This is the tool mergemaster uses to merge the files it updates.

Please, do not skip running mergemaster :-)

- Giorgos
ports security updates branch
Hi :)

This might be a dumb question, but I was wondering if a kind of stable branch existed for the ports tree. Under OpenBSD I think you can follow the ports tree stable branch so you only get security updates for your ports. This does not seem possible under FreeBSD, if I understood correctly only the current branch (tag=.) is used for ports; at least this is what I always used...

Now, here are my questions about that:
- is there a way to only get the security updates for ports ? (are security updates for ports included in the FreeBSD security advisories)
- when upgrading to a new release, can I use the release branch for ports ?

The reason I'm asking this is that I don't want to update my ports every time a new version comes out... except if it has a security issue.

Thanks for reading me.

Antoine
Re: ports security updates branch
On Fri, Oct 17, 2003 at 09:47:40AM +0200, Antoine Jacoutot wrote:
> Hi :)
>
> This might be a dumb question, but I was wondering if a kind of stable branch existed for the ports tree. Under OpenBSD I think you can follow the ports tree stable branch so you only get security updates for your ports. This does not seem possible under FreeBSD, if I understood correctly only the current branch (tag=.) is used for ports; at least this is what I always used...
>
> Now, here are my questions about that:
> - is there a way to only get the security updates for ports ? (are security updates for ports included in the FreeBSD security advisories)
> - when upgrading to a new release, can I use the release branch for ports ?
>
> The reason I'm asking this is that I don't want to update my ports every time a new version comes out... except if it has a security issue.

FreeBSD doesn't provide this. Since our ports collection is about 5 times the size of OpenBSD's it's too much work.

Kris
Re: ports security updates branch
Kris Kennaway wrote:
> > The reason I'm asking this is that I don't want to update my ports every time a new version comes out... except if it has a security issue.
>
> FreeBSD doesn't provide this. Since our ports collection is about 5 times the size of OpenBSD's it's too much work.

Oh I know that :) Ok, I can totally understand why it does not exist then. However, is there a way to know if one of my installed packages has a security alert ? I guess not... but we never know...

Thanks for the reply by the way.

Antoine
Re: ports security updates branch
On Fri, Oct 17, 2003 at 01:22:05PM +0200, Antoine Jacoutot wrote:
> Kris Kennaway wrote:
> > > The reason I'm asking this is that I don't want to update my ports every time a new version comes out... except if it has a security issue.
> >
> > FreeBSD doesn't provide this. Since our ports collection is about 5 times the size of OpenBSD's it's too much work.
>
> Oh I know that :) Ok, I can totally understand why it does not exist then. However, is there a way to know if one of my installed packages has a security alert ? I guess not... but we never know...

Subscribe to [EMAIL PROTECTED] -- FreeBSD security notices cover problems with ported applications, as do security alerts when the software in question appears in both ports and the base system. Security notices tend to come out fairly infrequently and gather together notices about several different problems.

Other ways of finding out about potential problems are to subscribe to such mailing lists as Bugtraq (see http://www.securityfocus.com/) and development mailing lists for individual software packages.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK
Re: ports security updates branch
Matthew Seaman wrote:
> > However, is there a way to know if one of my installed packages has a security alert ? I guess not... but we never know...
>
> Subscribe to [EMAIL PROTECTED] -- FreeBSD security notices cover problems with ported applications, as do security alerts when the software in question appears in both ports and the base system.

I am subscribed :) Whenever I use an OS in production, this is the first thing I do...

> Security notices tend to come out fairly infrequently

Yes, it seemed like it. Ok then, I guess I'll subscribe to one of the security lists on the Net. The thing is that it is again a bit more work since I have a lot of servers to admin and they don't all have the same software installed.

Thanks.

Antoine
Re: ports security updates branch
I'd recommend signing up to www.zone-h.org's daily advisory report. It doesn't solve the problem for you, but has most advisories in a single daily email, which you can eyeball or use mail filters to highlight ones that apply to you.

- Original Message -
From: Antoine Jacoutot [EMAIL PROTECTED]
To: Matthew Seaman [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Kris Kennaway [EMAIL PROTECTED]
Sent: Friday, October 17, 2003 2:35 PM
Subject: Re: ports security updates branch

Matthew Seaman wrote:
> > However, is there a way to know if one of my installed packages has a security alert ? I guess not... but we never know...
>
> Subscribe to [EMAIL PROTECTED] -- FreeBSD security notices cover problems with ported applications, as do security alerts when the software in question appears in both ports and the base system.

I am subscribed :) Whenever I use an OS in production, this is the first thing I do...

> Security notices tend to come out fairly infrequently

Yes, it seemed like it. Ok then, I guess I'll subscribe to one of the security lists on the Net. The thing is that it is again a bit more work since I have a lot of servers to admin and they don't all have the same software installed.

Thanks.

Antoine
Re: ports security updates branch
According to Simon Gray [EMAIL PROTECTED]:
> I'd recommend signing up to www.zone-h.org's daily advisory report. It doesn't solve the problem for you, but has most advisories in a single daily email, which you can eyeball or use mail filters to highlight ones that apply to you.

That is a very good idea. Thank you very much.

Regards.

Antoine
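
Added example, not part of any message in the thread: one way to apply the mail-filter suggestion above across several servers that do not all run the same software. The host names, package listings and advisory subject lines are constructed sample data; the listings are assumed to follow the `name-version comment` shape of pkg_info output.

```python
import re

# Constructed sample data: pkg_info-style listings ("name-version comment")
# for two hypothetical hosts, plus constructed advisory subject lines.
INVENTORY = {
    "web1": "apache+mod_ssl-1.3.28+2.8.15 Apache with SSL\n"
            "openssl-0.9.7c SSL toolkit\n",
    "mail1": "postfix-2.0.16,1 Mail transfer agent\n"
             "p5-Net-SSLeay-1.25 Perl SSL bindings\n",
}
DIGEST = [
    "Buffer overflow in Postfix address parsing",
    "Denial of service in OpenSSL certificate handling.",
    "Cross-site scripting in ExampleForum 2.x",
    "mod_ssl: format string issue in logging",
]

def package_names(pkg_info_output):
    """Return the lower-cased package names in a listing, versions stripped."""
    names = set()
    for line in pkg_info_output.splitlines():
        if not line.strip():
            continue
        pkg = line.split()[0]
        # The version part holds no hyphen, so the last hyphen separates it.
        name = pkg.rsplit("-", 1)[0]
        # "apache+mod_ssl" bundles two products; track each one.
        names.update(part.lower() for part in name.split("+") if part)
    return names

def subject_words(subject):
    """Lower-cased words of a subject; '_', '.', '-' stay inside a word."""
    words = re.findall(r"[a-z0-9][a-z0-9_.-]*", subject.lower())
    return {w.rstrip("_.-") for w in words}

def relevant_advisories(inventory, digest):
    """Map each host to the subjects that name one of its packages."""
    report = {}
    for host, listing in inventory.items():
        names = package_names(listing)
        # Whole-word comparison: "ssh" installed does not match "OpenSSH".
        hits = [s for s in digest if names & subject_words(s)]
        if hits:
            report[host] = hits
    return report

if __name__ == "__main__":
    for host, hits in sorted(relevant_advisories(INVENTORY, DIGEST).items()):
        print(host, *hits, sep="\n  ")
```

Matching on package names alone only narrows the digest to read; whether the installed version is actually affected still has to be checked against the advisory text.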