Is it necessary to recompile OS to apply security patch?

2008-07-29 Thread skogzort
Hello,
I know nothing/very little about OpenBSD or UNIX. I have been tasked with
updating our OpenBSD DNS server with a security fix (Vulnerability Note
VU#800113- Multiple DNS implementations vulnerable to cache poisoning).
 
In order to do this it appears that I have to download the source code and
re-compile the entire OS. Recompiling the OS seems to involve a lot of steps.
Before I continue to read through them all, I just want to confirm that it is
actually necessary to do all of this, simply to apply a security patch:
 
Download the tree..
Preload the tree..
Build the Kernel..
Build the userland..
Etc.
 
The only thing we use the server for is DNS. I don't know what flavor we are
running, since it's on a production server I assume it will be * release or *
stable, either way from what I've read so far it looks like in order to apply
this security patch I will have to update it to * stable, which seems to
require that the entire OS be recompiled. Is this correct?
 
Is it true that the only way to apply this patch is to recompile the entire
OS, and go through all the steps above? I don't mind doing all this since it
will give me a chance to learn, it's just that the more steps I have to take,
the more chances there are for mistakes. I want to be sure that the way I plan
to do the update is the simplest. I'm only familiar with Windows, where you
just push a button to apply a security patch and you don't even have to reboot
the server, so I was thinking that I may be misunderstanding what I'm
reading.
 
Thanks very much for your time and any info
 
Kyle



Re: Is it necessary to recompile OS to apply security patch?

2008-07-29 Thread Brynet
Assuming this production server is running one of the supported
releases, 4.2 or 4.3, you can obtain the latest patch via the errata
page.

http://openbsd.org/errata43.html

For 4.2 it's errata #013, for 4.3 it's #004... if you run an earlier
version, manually merging the patch may be required.

From the top of the 4.3 patch file:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/004_bind.patch

Apply by doing:
        cd /usr/src
        patch -p0 < 004_bind.patch

Then rebuild and install bind:
        cd usr.sbin/bind
        make -f Makefile.bsd-wrapper obj
        make -f Makefile.bsd-wrapper
        make -f Makefile.bsd-wrapper install

You'll only need to recompile then restart BIND, updating to -STABLE
and compiling the kernel isn't required..

Now, your server may not have the source in /usr/src, you can either
obtain it from the release CD-ROM or a local HTTP/FTP mirror..

src.tar.gz is the userland.
sys.tar.gz is the kernel.

Locate a mirror here: http://www.openbsd.org/ftp.html

Take care, feel free to reply to the list for further assistance...
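
A preflight wrapper for the procedure in the reply above, added here as an example and not part of the original post or of OpenBSD itself: it confirms the release is one the thread names, that the BIND source is unpacked, and that the patch file matches the release before anything is modified. The function names and the `APPLY` switch are hypothetical, and the `NNN_name.patch` file naming for the 4.2 patch is an assumption.

```shell
#!/bin/sh
# Added example: preflight for the errata procedure quoted in the reply above.
# Function names are hypothetical; NNN_name.patch file naming is assumed.

# Map an OpenBSD release to the BIND errata number given in the thread.
errata_for_release() {
    case "$1" in
        4.2) echo 013 ;;
        4.3) echo 004 ;;
        *)   return 1 ;;   # earlier release: manual merge may be required
    esac
}

# The rebuild step needs the userland source (src.tar.gz) unpacked.
have_bind_source() {
    [ -f "$1/usr.sbin/bind/Makefile.bsd-wrapper" ]
}

# Print one status line; return 0 only when it is safe to apply the patch.
preflight() {
    release=$1 srcdir=$2 patchfile=$3
    num=$(errata_for_release "$release") || {
        echo "release $release not covered: manual merge may be required"; return 2; }
    have_bind_source "$srcdir" || {
        echo "no BIND source under $srcdir: unpack src.tar.gz first"; return 3; }
    [ -r "$patchfile" ] || {
        echo "patch file $patchfile is not readable"; return 4; }
    case "$(basename "$patchfile")" in
        "${num}"_*) ;;
        *) echo "$patchfile is not errata $num for $release"; return 5 ;;
    esac
    echo "ready: errata $num for $release"
}

# Apply the patch and rebuild only BIND, as the patch header instructs.
apply_and_rebuild() {
    srcdir=$1 patchfile=$2   # patchfile must be an absolute path
    cd "$srcdir" && patch -p0 < "$patchfile" &&
    cd usr.sbin/bind &&
    make -f Makefile.bsd-wrapper obj &&
    make -f Makefile.bsd-wrapper &&
    make -f Makefile.bsd-wrapper install
}

# Nothing is touched unless APPLY=1 is set explicitly.
if [ "${APPLY:-0}" = 1 ]; then
    preflight "$(uname -r)" /usr/src "$1" && apply_and_rebuild /usr/src "$1"
fi
```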



Re: Is it necessary to recompile OS to apply security patch?

2008-07-29 Thread Pete Vickers

Hi,

Assuming the box is only a DNS server, then the simplest and easiest (in
my opinion) is to take a copy of the DNS related files:
- /etc/rc.conf.local
- /var/named/*
- noting also IP address, hostname etc etc

and then reinstall the o/s from a recent snapshot (downloaded here
ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/
or mirror), which has all the patches pre-applied. Then restore the
above files. Job done.

If you're paranoid and inexperienced in unix, then grab a spare
machine to do a dry run on that.

/Pete



On 29 Jul 2008, at 18:16, skogzort wrote:


> Hello,
> I know nothing/very little about OpenBSD or UNIX. I have been tasked with
> updating our OpenBSD DNS server with a security fix (Vulnerability Note
> VU#800113- Multiple DNS implementations vulnerable to cache poisoning).
>
> In order to do this it appears that I have to download the source code and
> re-compile the entire OS. Recompiling the OS seems to involve a lot of steps.
> Before I continue to read through them all, I just want to confirm that it is
> actually necessary to do all of this, simply to apply a security patch:
>
> Download the tree..
> Preload the tree..
> Build the Kernel..
> Build the userland..
> Etc.
>
> The only thing we use the server for is DNS. I don't know what flavor we are
> running, since it's on a production server I assume it will be * release or *
> stable, either way from what I've read so far it looks like in order to apply
> this security patch I will have to update it to * stable, which seems to
> require that the entire OS be recompiled. Is this correct?
>
> Is it true that the only way to apply this patch is to recompile the entire
> OS, and go through all the steps above? I don't mind doing all this since it
> will give me a chance to learn, it's just that the more steps I have to take,
> the more chances there are for mistakes. I want to be sure that the way I plan
> to do the update is the simplest. I'm only familiar with Windows, where you
> just push a button to apply a security patch and you don't even have to reboot
> the server, so I was thinking that I may be misunderstanding what I'm
> reading.
>
> Thanks very much for your time and any info
>
> Kyle