Re: Is it necessary to recompile just to apply a security patch?
On Wed, Jul 30, 2008 at 5:25 AM, Ingo Schwarze [EMAIL PROTECTED] wrote: Hi skogzort, Nick Guenther wrote on Tue, Jul 29, 2008 at 01:05:52PM -0400: On Tue, Jul 29, 2008 at 11:41 AM, skogzort [EMAIL PROTECTED] wrote: I know nothing/very little about OpenBSD or UNIX. I have been tasked with updating our OpenBSD DNS server with a security fix (Vulnerability Note VU#800113- Multiple DNS implementations vulnerable to cache poisoning). That doesn't sound all too well. You have an OpenBSD server, but you have nobody knowing more than very little about UNIX? UNIX is easier to administer than Windows, but some learning will be required... Quite probably, your server might be terribly out of date. OpenBSD servers ought to be updated at least once a year. Please look at the first line of the output of dmesg(8). If the version number is lower than OpenBSD 4.2, you should upgrade the base system before applying patches. In any case, you should establish a process for regular updates of the server. The best times to update are in May and November, just after the -stable releases. In my experience, updating twice a year is easier and less risky than just once: You get used to it. Regularly ordering the CDs and just upgrading from CD is the most convenient way to go. If your task is to maintain that server, carefully read http://www.openbsd.org/cgi-bin/cvsweb/src/etc/root/root.mail?rev=HEAD Have a quick look at the resources referenced there, just to get an impression what is available. The man pages, the FAQ and afterboot(8) are particularly useful. In order to do this it appears that I have to download the source code re-compile the entire OS. Recompiling the OS seems to involve a lot of steps. Don't compile the whole system from source unless you are actively hacking on the base system (which clearly you aren't) or unless you want to track -current using a single build for multiple servers. As others told you, each errata patch contains instructions what exactly must be rebuilt, and how. you dont even have to reboot the server, That's indeed true in the present case, yes. After patching named, you must restart named, but rebooting would be useless. Of course, kernel patches require rebooting - which applies to Windows machines as well, by the way. ;-) Nick wrote: OpenBSD is mostly designed as a monolithic kernel. Please stop spreading misleading advice. This has nothing to do with the kernel. (Hopefully, skogzort didn't start building kernels yet.) Yours, Ingo -- Ingo Schwarze [EMAIL PROTECTED] usta.de / studis.de system operation *** Can we get a bind9 kernel module for OpenBSD any time soon? *** And I just learn that ISC was releasing -p2 patches for BIND to address stability and performance issues: http://isc.sans.org/diary.html?storyid=4816 -zamri-
Re: Is it necessary to recompile just to apply a security patch?
On Tue, Jul 29, 2008 at 10:57:19PM -0500, John Brooks wrote: | how about this: | | uname -a | | or this: | | head -1 /etc/motd For completeness' sake : [EMAIL PROTECTED] $ sysctl kern.version kern.version=OpenBSD 4.4-beta (GENERIC) #977: Mon Jul 14 20:20:57 MDT 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Is it necessary to recompile just to apply a security patch?
Is it necessary to recompile just to apply a security patch? Hello, I know nothing/very little about OpenBSD or UNIX. I have been tasked with updating our OpenBSD DNS server with a security fix (Vulnerability Note VU#800113- Multiple DNS implementations vulnerable to cache poisoning). In order to do this it appears that I have to download the source code re-compile the entire OS. Recompiling the OS seems to involve a lot of steps. Before I continue to read through them all, I just want to confirm that it is actually necessary to do all of this, simply to apply a security patch: Down load the tree.. Pre load the tree.. Build the Kernel.. Build the userland.. Etc. The only thing we use the server for is DNS. I dont know what Flavor we are running, since its on a production server I assume it will be * release or * stable, either way from what Ive read so far it looks like in order to apply this security patch I will have to update it to * stable. Is it true that the only way to apply this patch is to recompile the entire OS, and go through all the steps above? Im only familiar with Windows, where you just push a button to apply a security patch and you dont even have to reboot the server, so I was thinking that I may be misunderstanding what Im reading. Thanks very much for your time and any info Kyle
Re: Is it necessary to recompile just to apply a security patch?
On Tue, Jul 29, 2008 at 11:41 AM, skogzort [EMAIL PROTECTED] wrote: Is it necessary to recompile just to apply a security patch? Hello, I know nothing/very little about OpenBSD or UNIX. I have been tasked with updating our OpenBSD DNS server with a security fix (Vulnerability Note VU#800113- Multiple DNS implementations vulnerable to cache poisoning). In order to do this it appears that I have to download the source code re-compile the entire OS. Recompiling the OS seems to involve a lot of steps. Before I continue to read through them all, I just want to confirm that it is actually necessary to do all of this, simply to apply a security patch: Down load the tree.. Pre load the tree.. Build the Kernel.. Build the userland.. Etc. The only thing we use the server for is DNS. I dont know what Flavor we are running, since its on a production server I assume it will be * release or * stable, either way from what Ive read so far it looks like in order to apply this security patch I will have to update it to * stable. Is it true that the only way to apply this patch is to recompile the entire OS, and go through all the steps above? Im only familiar with Windows, where you just push a button to apply a security patch and you dont even have to reboot the server, so I was thinking that I may be misunderstanding what Im reading. OpenBSD is mostly designed as a monolithic kernel. It's a very small kernel, only a couple of megs large, but it is one single program so yes, to apply a security patch to the kernel you must recompile the entire kernel. You may be able to get away without recompiling userland if the patch is only affecting kernel internals, but just to be safe you probably should do userland too. It's not actually that hard to recompile, the instructions are very clear -- but I do know the feeling that you have, I only finally worked myself up to compiling kernels. Just take the leap of faith and in a few hours you'll have a new secure system. Hmm, though if you don't know much about Unix, make sure to take a backup of /etc first, though, just in case you trash your DNS server. -Nick
Re: Is it necessary to recompile just to apply a security patch?
skogzort wrote: Is it necessary to recompile just to apply a security patch? Hello, I know nothing/very little about OpenBSD or UNIX. I have been tasked with updating our OpenBSD DNS server with a security fix (Vulnerability Note VU#800113- Multiple DNS implementations vulnerable to cache poisoning). In order to do this it appears that I have to download the source code re-compile the entire OS. Recompiling the OS seems to involve a lot of steps. Before I continue to read through them all, I just want to confirm that it is actually necessary to do all of this, simply to apply a security patch: Down load the tree.. Pre load the tree.. Build the Kernel.. Build the userland.. Etc. The only thing we use the server for is DNS. I dont know what Flavor we are running, since its on a production server I assume it will be * release or * stable, either way from what Ive read so far it looks like in order to apply this security patch I will have to update it to * stable. Is it true that the only way to apply this patch is to recompile the entire OS, and go through all the steps above? Im only familiar with Windows, where you just push a button to apply a security patch and you dont even have to reboot the server, so I was thinking that I may be misunderstanding what Im reading. Thanks very much for your time and any info Kyle Hi Kyle, the header of the patch available at ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/004_bind.patch explains: Apply by doing: cd /usr/src patch -p0 004_bind.patch Then rebuild and install bind: cd usr.sbin/bind make -f Makefile.bsd-wrapper obj make -f Makefile.bsd-wrapper make -f Makefile.bsd-wrapper install that's all you need to do. HTH, Heinrich
Re: Is it necessary to recompile just to apply a security patch?
On Tue, Jul 29, 2008 at 08:41:36AM -0700, skogzort wrote: Is it necessary to recompile just to apply a security patch? Of course! ;) In order to do this it appears that I have to download the source code re-compile the entire OS. Recompiling the OS seems to involve a lot of steps. Before I continue to read through them all, I just want to confirm that it is actually necessary to do all of this, simply to apply a security patch: Do you use the current 4.3 or do you use a CVS snapshot ? If you use 4.3 you _have_ to download and install src.tar.gz and install it. Now download only the bind patch for 4.3 and apply the patch and rebuild and reinstall named. (Don't forget to restart named ;) ) If you use a older version check the appropriate errata page instead ;) Its OpenBSD. Its soo easy :P HTH, Andreas. -- Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of an 8-bit operating system written for a 4-bit processor by a 2-bit company who cannot stand 1 bit of competition.
Re: Is it necessary to recompile just to apply a security patch?
On Tue, Jul 29, 2008 at 11:41 PM, skogzort [EMAIL PROTECTED] wrote: Is it necessary to recompile just to apply a security patch? Hello, I know nothing/very little about OpenBSD or UNIX. I have been tasked with updating our OpenBSD DNS server with a security fix (Vulnerability Note VU#800113- Multiple DNS implementations vulnerable to cache poisoning). In order to do this it appears that I have to download the source code re-compile the entire OS. Recompiling the OS seems to involve a lot of steps. Before I continue to read through them all, I just want to confirm that it is actually necessary to do all of this, simply to apply a security patch: Down load the tree.. Pre load the tree.. Build the Kernel.. Build the userland.. Etc. The only thing we use the server for is DNS. I dont know what Flavor we are running, since its on a production server I assume it will be * release or * stable, either way from what Ive read so far it looks like in order to apply this security patch I will have to update it to * stable. Is it true that the only way to apply this patch is to recompile the entire OS, and go through all the steps above? Im only familiar with Windows, where you just push a button to apply a security patch and you dont even have to reboot the server, so I was thinking that I may be misunderstanding what Im reading. Thanks very much for your time and any info Kyle The first step is you need to identify which version of OpenBSD that you're running right now, and apply suitable patches to your system. For latest DNS patches, OpenBSD developers were releasing two version of security fixes for 4.2 and 4.3. Just follow the given instruction at the top/head of every patch. http://www.openbsd.org/errata43.html ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/004_bind.patch http://www.openbsd.org/errata42.html ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/013_bind.patch And you may check archive, couple of days ago, iirc someone reported they were successfully updating their DNS in 4.1 by using patch from 4.2. And finally, probably you need to read about this too (not sure either the above patches will affect DNS performance in OpenBSD, but someone just reporting it about some issue with Ironport, check archive): http://marc.info/?l=bind-usersm=121726908015389w=2 -- Thank you. Zamri Besar
Re: Is it necessary to recompile just to apply a security patch?
Hi skogzort, Nick Guenther wrote on Tue, Jul 29, 2008 at 01:05:52PM -0400: On Tue, Jul 29, 2008 at 11:41 AM, skogzort [EMAIL PROTECTED] wrote: I know nothing/very little about OpenBSD or UNIX. I have been tasked with updating our OpenBSD DNS server with a security fix (Vulnerability Note VU#800113- Multiple DNS implementations vulnerable to cache poisoning). That doesn't sound all too well. You have an OpenBSD server, but you have nobody knowing more than very little about UNIX? UNIX is easier to administer than Windows, but some learning will be required... Quite probably, your server might be terribly out of date. OpenBSD servers ought to be updated at least once a year. Please look at the first line of the output of dmesg(8). If the version number is lower than OpenBSD 4.2, you should upgrade the base system before applying patches. In any case, you should establish a process for regular updates of the server. The best times to update are in May and November, just after the -stable releases. In my experience, updating twice a year is easier and less risky than just once: You get used to it. Regularly ordering the CDs and just upgrading from CD is the most convenient way to go. If your task is to maintain that server, carefully read http://www.openbsd.org/cgi-bin/cvsweb/src/etc/root/root.mail?rev=HEAD Have a quick look at the resources referenced there, just to get an impression what is available. The man pages, the FAQ and afterboot(8) are particularly useful. In order to do this it appears that I have to download the source code re-compile the entire OS. Recompiling the OS seems to involve a lot of steps. Don't compile the whole system from source unless you are actively hacking on the base system (which clearly you aren't) or unless you want to track -current using a single build for multiple servers. As others told you, each errata patch contains instructions what exactly must be rebuilt, and how. you dont even have to reboot the server, That's indeed true in the present case, yes. After patching named, you must restart named, but rebooting would be useless. Of course, kernel patches require rebooting - which applies to Windows machines as well, by the way. ;-) Nick wrote: OpenBSD is mostly designed as a monolithic kernel. Please stop spreading misleading advice. This has nothing to do with the kernel. (Hopefully, skogzort didn't start building kernels yet.) Yours, Ingo -- Ingo Schwarze [EMAIL PROTECTED] usta.de / studis.de system operation *** Can we get a bind9 kernel module for OpenBSD any time soon? ***
Re: Is it necessary to recompile just to apply a security patch?
On Wed, Jul 30, 2008 at 7:25 AM, Ingo Schwarze [EMAIL PROTECTED] wrote: [snippage] Quite probably, your server might be terribly out of date. OpenBSD servers ought to be updated at least once a year. Please look at the first line of the output of dmesg(8). If the server has been up for a while, the circular buffer may have been over-written. Try: head -1 /var/run/dmesg.boot If the version number is lower than OpenBSD 4.2, you should upgrade the base system before applying patches.
Re: Is it necessary to recompile just to apply a security patch?
On Wednesday 30 July 2008, Andrew Dalgleish wrote: On Wed, Jul 30, 2008 at 7:25 AM, Ingo Schwarze [EMAIL PROTECTED] wrote: [snippage] Quite probably, your server might be terribly out of date. OpenBSD servers ought to be updated at least once a year. Please look at the first line of the output of dmesg(8). If the server has been up for a while, the circular buffer may have been over-written. Try: head -1 /var/run/dmesg.boot Or: [EMAIL PROTECTED] ~ 64]$ uname -a OpenBSD wombat.sing.id.au 4.4 GENERIC#73 sgi Or: [EMAIL PROTECTED] ~ 63]$ config -e /bsd OpenBSD 4.4-beta (GENERIC) #73: Tue Jul 29 00:16:10 EST 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/sgi/compile/GENERIC warning: no output file specified Enter 'help' for information ukc quit If the version number is lower than OpenBSD 4.2, you should upgrade the base system before applying patches. -- = Joel Sing | [EMAIL PROTECTED] | 0419 577 603 = Real stupidity beats artificial intelligence every time. - Terry Pratchett, Hogfather
Re: Is it necessary to recompile just to apply a security patch?
On Tue, Jul 29, 2008 at 5:25 PM, Ingo Schwarze [EMAIL PROTECTED] wrote: Nick wrote: OpenBSD is mostly designed as a monolithic kernel. Please stop spreading misleading advice. This has nothing to do with the kernel. (Hopefully, skogzort didn't start building kernels yet.) Sorry. I didn't read what his specific task was, I just read oh noes recompile :(?. I jumped on trying to ease him into OpenBSD instead of scaring him off. -Nick
Re: Is it necessary to recompile just to apply a security patch?
how about this: uname -a or this: head -1 /etc/motd -- John Brooks [EMAIL PROTECTED] ... Please look at the first line of the output of dmesg(8). If the server has been up for a while, the circular buffer may have been over-written. Try: head -1 /var/run/dmesg.boot
