Re: Contradictory statement on vulnerability
On Fri, Mar 16, 2007 at 09:42:47AM +0100, Karel Kulhavy wrote:
> http://www.coresecurity.com/index.php5?module=ContentModaction=itemid=1703 says:
>
>   Vulnerable Packages
>   OpenBSD 4.1 prior to Feb. 26th, 2006.
>   OpenBSD 4.0 Current
>   OpenBSD 4.0 Stable
>   [...]
>   OpenBSD-current, 4.1, 4.0 and 3.9 have the fix incorporated in their source
>   code tree and kernel binaries for those versions and the upcoming version
>   4.1 include the fix.
>
> I have OpenBSD 4.0. Is my system vulnerable or not?

4.0-release is vulnerable, a recentish 4.0-stable isn't. Similarly, all 4.0-currents are vulnerable (and should be updated to the newer -current), as was the 4.1 branch of -current. Recent -current is not vulnerable, nor is 4.1.

Joachim
Re: Contradictory statement on vulnerability
On Fri, Mar 16, 2007 at 09:54:47AM +0100, Vincent GROSS wrote:
> On 3/16/07, Karel Kulhavy [EMAIL PROTECTED] wrote:
> > http://www.coresecurity.com/index.php5?module=ContentModaction=itemid=1703 says:
> >
> >   Vulnerable Packages
> >   OpenBSD 4.1 prior to Feb. 26th, 2006.
> >   OpenBSD 4.0 Current
> >   OpenBSD 4.0 Stable
> >   [...]
> >   OpenBSD-current, 4.1, 4.0 and 3.9 have the fix incorporated in their source
> >   code tree and kernel binaries for those versions and the upcoming version
> >   4.1 include the fix.
> >
> > I have OpenBSD 4.0. Is my system vulnerable or not?
>
> if you're following -current and you rebuilt it after February 28, you're fine (not sure for this one)
> if you're following -stable and you rebuilt it after March 7, you're fine.
> otherwise, you're toasted.

I am not following anything - just installed OpenBSD 4.0 from a CD. What should I follow, then?

In other operating systems the concept of upgrading is straightforward - Windows asks you and you press OK, in Gentoo Linux you type a magic sequence of magic commands and your system is up to date. But in OpenBSD it seems that the versions are not a sequence, but a tree with a lot of one way streets and that's what confuses me.

CL
Re: Contradictory statement on vulnerability
You need to read the FAQ:

http://cvs.openbsd.org/faq/faq10.html#Patches
http://cvs.openbsd.org/faq/upgrade40.html

Read the ENTIRE FAQ, because it's there for a GOOD reason.

Marius

On 3/16/07, Karel Kulhavy [EMAIL PROTECTED] wrote:
> On Fri, Mar 16, 2007 at 09:54:47AM +0100, Vincent GROSS wrote:
> > On 3/16/07, Karel Kulhavy [EMAIL PROTECTED] wrote:
> > > http://www.coresecurity.com/index.php5?module=ContentModaction=itemid=1703 says:
> > >
> > >   Vulnerable Packages
> > >   OpenBSD 4.1 prior to Feb. 26th, 2006.
> > >   OpenBSD 4.0 Current
> > >   OpenBSD 4.0 Stable
> > >   [...]
> > >   OpenBSD-current, 4.1, 4.0 and 3.9 have the fix incorporated in their source
> > >   code tree and kernel binaries for those versions and the upcoming version
> > >   4.1 include the fix.
> > >
> > > I have OpenBSD 4.0. Is my system vulnerable or not?
> >
> > if you're following -current and you rebuilt it after February 28, you're fine (not sure for this one)
> > if you're following -stable and you rebuilt it after March 7, you're fine.
> > otherwise, you're toasted.
>
> I am not following anything - just installed OpenBSD 4.0 from a CD. What should I follow, then?
>
> In other operating systems the concept of upgrading is straightforward - Windows asks you and you press OK, in Gentoo Linux you type a magic sequence of magic commands and your system is up to date. But in OpenBSD it seems that the versions are not a sequence, but a tree with a lot of one way streets and that's what confuses me.
>
> CL
Re: Contradictory statement on vulnerability
On Fri, Mar 16, 2007 at 12:09:28PM +0100, Karel Kulhavy wrote:
| I am not following anything - just installed OpenBSD 4.0 from a CD. What should
| I follow, then?
|
| In other operating systems the concept of upgrading is straightforward - Windows
| asks you and you press OK, in Gentoo Linux you type a magic sequence of magic
| commands and your system is up to date. But in OpenBSD it seems that the
| versions are not a sequence, but a tree with a lot of one way streets and
| that's what confuses me.

If this is how you feel, then (in this particular case) you can compare OpenBSD to Gentoo Linux. You type a magic sequence of magic commands and your system is up to date. The secret incantation is:

    sudo -s
    cd /usr
    # the anoncvs host is not preserved in the archive; ANONCVS_MIRROR is a
    # placeholder, pick a server from anoncvs.html
    export CVSROOT=anoncvs@ANONCVS_MIRROR:/cvs
    # -stable branch tag for the running release, e.g. OPENBSD_4_0 on 4.0
    export VERS=OPENBSD_`uname -r | tr '.' '_'`
    cvs checkout -P -r${VERS} src
    # build and install the GENERIC kernel for this architecture
    cd src/sys/arch/`uname -m`/conf
    config GENERIC
    cd ../compile/GENERIC
    make clean
    make depend
    make
    make install
    reboot

And there you have it. All you need is the compiler install set installed and sufficient space in /usr/src. If this magic sequence is too long for you, feel free to copy/paste them into a shell-script and execute that.

Please note that I've typed this without verifying every step. The process is not hard, pretty well documented, and you should be able to figure it out. And you may want to change little bits if you run on an SMP-capable machine.

Good luck.

Paul 'WEiRD' de Weerd

--
http://www.weirdnet.nl/
Re: Contradictory statement on vulnerability
Hi,

On Friday, 16. March 2007 12:09, Karel Kulhavy wrote:
> I am not following anything - just installed OpenBSD 4.0 from a CD. What should
> I follow, then?

That's your choice. If you just want a stable and reliable OpenBSD then install -release (that's what you did). If you want to keep it patched without tracking the development of OpenBSD, then follow -stable. Just apply the errata you can find on the OpenBSD website. A nice newbie site explaining this with examples is www.openbsd101.com, if you don't understand the OpenBSD FAQ.

> In other operating systems the concept of upgrading is straightforward - Windows
> asks you and you press OK, in Gentoo Linux you type a magic sequence of magic
> commands and your system is up to date. But in OpenBSD it seems that the
> versions are not a sequence, but a tree with a lot of one way streets and
> that's what confuses me.

OMG, you're comparing OpenBSD to Gentoo and you're still complaining?! You can't be serious. But let's put it this way: what you do in Gentoo is roughly the same you'd do when you follow -current. Or in other words: there's no way to just have a stable and reliable system that doesn't move, when you're using Gentoo. As a sidenote: I've been using Gentoo for almost two years and never have I wasted more time just to keep a computer running than with Gentoo... And I certainly won't get started about the Windows comparison...

The concept of upgrading (an upgrade is actually something different than what you are obviously thinking about) is perfectly straightforward in OpenBSD - if you care to actually read the documentation that comes along with OpenBSD. I don't know any other operating system that does documentation so well.

good luck,
Tobias W.
Re: Contradictory statement on vulnerability
> In other operating systems the concept of upgrading is straightforward - Windows
> asks you and you press OK, in Gentoo Linux you type a magic sequence of magic
> commands and your system is up to date.

In OpenBSD, you type a logical sequence of logical commands and your system is up to date. No black magic required.
Re: Contradictory statement on vulnerability
On Fri, 16 Mar 2007, Tobias Weisserth wrote:
> A nice newbie site explaining this with examples is www.openbsd101.com, if you
> don't understand the OpenBSD FAQ.

Thanks for posting that one. It hadn't turned up in any of my searches and if it was in any documents I already looked at, I must have missed it. Anyway, it's exactly the type of material I was hoping to be able to point others to.

While we're on the topic of patches, I found them reasonably straightforward to install though I'm not by any stretch of the imagination a programmer. My take on the whole thing is that the patches are small enough that a person or even small team who has the skill and inclination, can audit the changes. On the shallow end of the pool, the content of 009_timezone.patch was something that even I could follow and understand and (by my interpretations) demonstrates the principle behind the patches. Anyway, I can see that a lot of coordination went into them and I am quite happy about that aspect, which IMHO should not go overlooked.

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: Contradictory statement on vulnerability
On Mar 16, 2007, at 4:09 AM, Karel Kulhavy wrote:
> [snip]
> I am not following anything

That's obvious.

> - just installed OpenBSD 4.0 from a CD. What should I follow, then?
>
> In other operating systems the concept of upgrading is straightforward - Windows
> asks you and you press OK, in Gentoo Linux you type a magic sequence of magic
> commands and your system is up to date. But in OpenBSD it seems that the
> versions are not a sequence, but a tree with a lot of one way streets and
> that's what confuses me.

The more I read your posts to the list the more it becomes clear that OpenBSD may not be for you. You might consider going back to Windows or Linux or whatever makes you happy cause this clearly ain't working out for you.

OpenBSD needs what I call a maker's attitude. You need to want to read, learn, wrap your head around concepts that can have steep learning curves if you're starting at zero but that have a huge payoff if you're willing to put in the skull sweat. You don't seem to want to do this and it annoys the fuck out of us who have put in that effort and have fallen in love with the elegance of the system.

Either educate yourself or move on.

CL

They do not preach that their God will rouse them a little before the nuts work loose.
Re: Contradictory statement on vulnerability
* Karel Kulhavy [EMAIL PROTECTED] [2007-03-16 12:09:28]:
> In other operating systems the concept of upgrading is straightforward - Windows
> asks you and you press OK, in Gentoo Linux you type a magic sequence of magic
> commands and your system is up to date. But in OpenBSD it seems that the
> versions are not a sequence, but a tree with a lot of one way streets and
> that's what confuses me.

That's one of the beauties of OpenBSD. Unlike with portage, everyone is running the exact same code. Be that code 4.0-stable, 4.1-stable, etc etc.

Your question is explained on the website. openbsd.org

--
Travers Buda
Re: Contradictory statement on vulnerability
On Fri, Mar 16, 2007 at 01:33:36PM +0100, Vincent GROSS wrote:
> ok, I'll try to be clear:
> there is a -current branch (HEAD in CVS technobabble).
> nearly every six months, -current gives birth to a release (CDs).
> a release shall move as little as possible.
> but sometimes (like now) there is a problem which requires patching.
> because a release is frozen, there is a branch with such critical patches and it's called -stable.
> so, in terms of patching, release + errata = stable and release < stable < current

Thanks, this is a much better explanation than in FAQ sec. 5. The explanation in the FAQ doesn't mention the fact that not only the -current, but also the -stable is a moving target, though a slowly moving one.

Now I have 4.0-release and want to have a fixed kernel (4.0-stable). Which version of sources should I download then? 4.0-release or 4.0-stable?

CL

> upgrading openbsd is merely a question of fetching the sources at your nearest anoncvs and compiling them. fetching is handled by cvs, compiling by make. The only way to automate the process further is to write a shell script and invoke it every day/week. Every single detail is explained in section 5 of the FAQ.
>
> Note to OpenBSD developers: I know I'm oversimplifying, but I think the big picture is correct.
>
> --
> Vincent GROSS
Re: Contradictory statement on vulnerability
Hi,

On Friday, 16. March 2007 21:04, Karel Kulhavy wrote:
> ...
> Thanks, this is a much better explanation than in FAQ sec. 5. The explanation
> in the FAQ doesn't mention the fact that not only the -current, but also the
> -stable is a moving target, though a slowly moving one.
>
> Now I have 4.0-release and want to have a fixed kernel (4.0-stable). Which
> version of sources should I download then? 4.0-release or 4.0-stable?

You still haven't got it. This is what the FAQ states:

-release: The version of OpenBSD shipped every six months on CD.
-stable: Release, plus patches considered critical to security and reliability.

-stable is not moving. It's just -release plus the errata from http://www.openbsd.org/errata40.html as stated in the FAQ. Get the sources from your CDs or from the FTP servers. Then apply the errata and you'll have -stable. It's as easy as that.

If you're unable to grasp the concept you should buy a good book on OpenBSD and/or try a little harder to understand what you read in the FAQ. There's a book section on the OpenBSD website that names some good books on OpenBSD.

Did you check www.openbsd101.com? Seemingly you didn't, otherwise you wouldn't have asked this latest question of yours.

regards,
Tobias W.
Re: Contradictory statement on vulnerability
On Fri, 16 Mar 2007 21:04:50 +0100, Karel Kulhavy wrote
> Thanks, this is a much better explanation than in FAQ sec. 5. The explanation
> in the FAQ doesn't mention the fact that not only the -current, but also the
> -stable is a moving target, though a slowly moving one.
>
> Now I have 4.0-release and want to have a fixed kernel (4.0-stable). Which
> version of sources should I download then? 4.0-release or 4.0-stable?
>
> CL

Here's how it works for you beginners out there. Experts correct me if I'm wrong. I would not post this, but I was a little confused too when I first started out.

OpenBSD developers add code and fix bugs using a program called CVS. CVS has the ability to create branches like a tree. The main tree trunk is -current. After a certain amount of time, usually a couple of months before the release date, a branch is created called 4.1. This branch is frozen, meaning that no new features will go in but bugs will be fixed. When release date comes, every six months, they take the 4.1 branch on that day and mark it as the release. Then they make CDs from the release. Keep in mind that this release day is not the same as the day it's released to the public because the developers need time to create the CDs.

From the 4.1 branch, fixes are added whether they are bugs or reliability fixes; this is referred to as 4.1-stable. There are many fixes in 4.1-stable so only the important and critical ones appear in the errata.

-current is still the main tree trunk; this is the code where developers develop. 4.1-stable is where developers maintain. In the next 4 months it will be frozen again with a branch called 4.2 and the whole process starts over again.

Anoncvs is read-only access to cvs which allows anybody:
1) to see what the developers are doing
2) to submit additions and fixes to the developers
3) patch your system whether it's -stable or -current
4) create a system with the latest code, -current

cvs/anoncvs keeps track of pure source code. This is why OpenBSD doesn't do binaries, because the small group of developers would rather exert their energy on code than binaries. Concentrating on code instead of binaries makes development as a whole a lot less complex and thus more reliable and secure. If you're a developer, you want to code because you enjoy it. A developer doesn't want to waste his time compiling binaries for each architecture and make sure they are reliable. That's very very time consuming.
Re: Contradictory statement on vulnerability
On 3/16/07, Karel Kulhavy [EMAIL PROTECTED] wrote:
> ...
> Thanks, this is a much better explanation than in FAQ sec. 5. The explanation
> in the FAQ doesn't mention the fact that not only the -current, but also the
> -stable is a moving target, though a slowly moving one.
>
> Now I have 4.0-release and want to have a fixed kernel (4.0-stable). Which
> version of sources should I download then? 4.0-release or 4.0-stable?

Are you tracking release + patches, or are you tracking -stable? That should tell you. If you're tracking -stable, you want to get the sources (which are essentially only built at release) and use CVS to update to -stable. As you know from reading stable.html, -stable contains the latest security errata (and more) for your release.

You'll want to read more - stable.html, anoncvs.html, large swaths of the FAQ, etc.

DS
Re: Contradictory statement on vulnerability
Karel Kulhavy wrote on Fri, Mar 16, 2007 at 09:04:50PM +0100:
> On Fri, Mar 16, 2007 at 01:33:36PM +0100, Vincent GROSS wrote:
> > ok, I'll try to be clear:
> > [...]
> > so, in terms of patching, release + errata = stable and release < stable < current
>
> Thanks, this is a much better explanation than in FAQ sec. 5.

Except that it is not true.

  release < release+errata < stable < current

would be nearer the mark. From http://www.openbsd.org/faq/faq5.html#Flavors:

:: The -stable branch is -release plus patches found on the errata page,
:: and some simple fixes that do not merit an errata entry.

> The explanation in the FAQ doesn't mention the fact that not only the -current,
> but also the -stable is a moving target, though a slowly moving one.

From http://www.openbsd.org/faq/faq5.html#Flavors:

:: -Stable is based on -release, and is a branch from the main development
:: path of OpenBSD. When very important fixes are made to -current, they
:: are back ported (merged) into the -stable branches [...]

As fixes are merged into -stable, it cannot possibly be a static target.

> Now I have 4.0-release and want to have a fixed kernel (4.0-stable). Which
> version of sources should I download then? 4.0-release or 4.0-stable?

You never need to download -release. -Release is what you have on your CDs, anyway.

You still seem quite confused. If all you intend to do is to patch one single system, I would say the easiest and safest way will be to use release+errata. Install the -release sources from CD, download the patches from the errata page, follow the instructions inside the patches closely (don't try any clever tricks while you are about it) and you are done.

I think most beginners will find it easier to get errata patches applied correctly than to manage the whole make build process explained in release(8). Ok, it's a matter of taste, too.

Besides, you might wish to take the time to re-read the FAQ occasionally. Some things do tend to get overlooked the first time, and some things will be understood better with a bit more hands-on experience.
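The replies above all turn on which flavor a machine actually runs (-release, -stable or -current) and when its kernel was built. The following POSIX sh script is an added example, not code from the thread or from the OpenBSD project: it reads the first line of `sysctl -n kern.version` (assumed layout "OpenBSD <rel> (<config>) #<n>: <build date>", where <rel> reads 4.0 on -release, 4.0-stable on -stable and 4.1-current on -current, as the kernel's newvers.sh names branches), classifies the kernel, derives the OPENBSD_x_y tag and errata page for it, and reports the build date the "rebuilt after <date>" answers refer to. The sample version strings are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify an OpenBSD kernel by the
# flavor encoded in its version string and restate the thread's advice.
# Input is the first line of `sysctl -n kern.version`, assumed to look like
# "OpenBSD 4.0-stable (GENERIC) #0: Fri Mar  9 10:00:00 CET 2007".

# Print the release field, e.g. "4.0-stable".
openbsd_release_field() {
    v=${1#"OpenBSD "}
    printf '%s\n' "${v%% *}"
}

# Print one of: release, stable, current, unknown.
openbsd_flavor() {
    case "$(openbsd_release_field "$1")" in
        *-current)     echo current ;;
        *-stable)      echo stable ;;
        [0-9]*.[0-9]*) echo release ;;
        *)             echo unknown ;;
    esac
}

# Print the CVS tag of the matching -stable branch, e.g. OPENBSD_4_0
# (same derivation as the thread's `uname -r | tr '.' '_'`).
openbsd_stable_tag() {
    base=$(openbsd_release_field "$1"); base=${base%%-*}
    printf 'OPENBSD_%s\n' "$(printf '%s' "$base" | tr '.' '_')"
}

# Print the errata page for the base release, e.g. .../errata40.html.
openbsd_errata_url() {
    base=$(openbsd_release_field "$1"); base=${base%%-*}
    printf 'http://www.openbsd.org/errata%s.html\n' "$(printf '%s' "$base" | tr -d '.')"
}

# Print the kernel build timestamp: "rebuilt after <date>" in the thread
# refers to this date, not to the install date.
openbsd_build_date() {
    printf '%s\n' "${1#*": "}"
}

# One-line summary in the thread's terms.
openbsd_advice() {
    built=$(openbsd_build_date "$1")
    case "$(openbsd_flavor "$1")" in
        release) echo "release kernel built $built: apply $(openbsd_errata_url "$1") or rebuild from tag $(openbsd_stable_tag "$1")" ;;
        stable)  echo "stable kernel built $built: fixed only if that date is after the errata fix" ;;
        current) echo "current kernel built $built: update to a newer -current and rebuild" ;;
        *)       echo "unrecognised version string: $1" ;;
    esac
}

# Constructed sample strings (not real build stamps); on OpenBSD the live
# kernel is classified as well.
SAMPLES='OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
OpenBSD 4.0-stable (GENERIC) #0: Fri Mar  9 10:00:00 CET 2007
OpenBSD 4.1-current (GENERIC) #23: Thu Mar  1 08:00:00 MST 2007'
printf '%s\n' "$SAMPLES" | while IFS= read -r line; do openbsd_advice "$line"; done
if [ "$(uname -s)" = OpenBSD ]; then
    openbsd_advice "$(sysctl -n kern.version | head -1)"
fi
```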
Re: Contradictory statement on vulnerability
On 16-Mar-07, at 4:52 PM, Tobias Weisserth wrote:
> Hi,
>
> On Friday, 16. March 2007 21:04, Karel Kulhavy wrote:
> > ...
> > Thanks, this is a much better explanation than in FAQ sec. 5. The explanation
> > in the FAQ doesn't mention the fact that not only the -current, but also the
> > -stable is a moving target, though a slowly moving one.
> >
> > Now I have 4.0-release and want to have a fixed kernel (4.0-stable). Which
> > version of sources should I download then? 4.0-release or 4.0-stable?
>
> You still haven't got it. This is what the FAQ states:
>
> -release: The version of OpenBSD shipped every six months on CD.
> -stable: Release, plus patches considered critical to security and reliability.
>
> -stable is not moving. It's just -release plus the errata from
> http://www.openbsd.org/errata40.html as stated in the FAQ. Get the sources
> from your CDs or from the FTP servers. Then apply the errata and you'll have
> -stable. It's as easy as that.

Um, no. If you apply the errata to -release you have -release + errata. There are things in stable that are not in the errata, albeit not much. Tracking -stable requires using cvs which, frankly, is much easier than patching -release, unless you're worried about the time spent doing a cvs update and possible extra compilation time.

Jeremy
Re: Contradictory statement on vulnerability
On Fri, Mar 16, 2007 at 01:31:33PM -0800, smith wrote:
> OpenBSD developers add code and fix bugs using a program called CVS. CVS has
> the ability to create branches like a tree. The main tree trunk is -current.
> After a certain amount of time, usually a couple of months before the release
> date, a branch is created called 4.1. This branch is frozen, meaning that no
> new features will go in but bugs will be fixed. When release date comes, every
> six months, they take the 4.1 branch on that day and mark it as the release.
> Then they make CDs from the release. Keep in mind that this release day is not
> the same as the day it's released to the public because the developers need
> time to create the CDs.
>
> From the 4.1 branch, fixes are added whether they are bugs or reliability
> fixes; this is referred to as 4.1-stable.

Heh. You mostly got it. One big difference: the branch is not created before the release. Rather, development slows down, the release is built, CDs are prepped, and the tagging/branch is made at that point.

> There are many fixes in 4.1-stable so only the important and critical ones
> appear in the errata.

Actually, there are not that many fixes in 4.1-stable, most of it shows as errata for source, and new packages for ports.

> -current is still the main tree trunk; this is the code where developers
> develop.

Yep, most developers track -current, all the time.

> 4.1-stable is where developers maintain.

Very important bug-fixes end up being backported to the branch, and usually to the previous release as well.
Re: Contradictory statement on vulnerability
On 3/16/07, Tobias Weisserth [EMAIL PROTECTED] wrote:
> Hi,
>
> On Friday, 16. March 2007 21:04, Karel Kulhavy wrote:
> > ...
> > Thanks, this is a much better explanation than in FAQ sec. 5. The explanation
> > in the FAQ doesn't mention the fact that not only the -current, but also the
> > -stable is a moving target, though a slowly moving one.
> >
> > Now I have 4.0-release and want to have a fixed kernel (4.0-stable). Which
> > version of sources should I download then? 4.0-release or 4.0-stable?
>
> You still haven't got it. This is what the FAQ states:
>
> -release: The version of OpenBSD shipped every six months on CD.
> -stable: Release, plus patches considered critical to security and reliability.
>
> -stable is not moving. It's just -release plus the errata from
> http://www.openbsd.org/errata40.html as stated in the FAQ. Get the sources
> from your CDs or from the FTP servers. Then apply the errata and you'll have
> -stable. It's as easy as that.

To be *completely* accurate, there's a small difference between release+patches and -stable:

  (-stable) contains important patches and fixes (i.e. those from the errata plus others which are obvious and simple, but do not deserve an errata entry).

http://www.openbsd.org/stable.html

...if we're purposefully trying to simplify, for Karel, I apologize. We can get the crayons back out.

DS
Re: Contradictory statement on vulnerability
Hi,

On Friday, 16. March 2007 23:41, Jeremy Huiskamp wrote:
> ...
> Um, no. If you apply the errata to -release you have -release + errata. There
> are things in stable that are not in the errata, albeit not much. Tracking
> -stable requires using cvs which, frankly, is much easier than patching
> -release, unless you're worried about the time spent doing a cvs update and
> possible extra compilation time.

You're right of course. I was assuming he was looking for the easiest way to get a -release version with patches applied. That's what I wanted to explain and obviously I got it confused with -stable.

regards,
Tobias W.