In the last episode (Mar 25), Jonathan Horne said:
> Ok, I just cvsup'd and it did not pull down the sources for sendmail
> 8.13.6 ( I might still have misunderstanding of what exactly cvsup
> does).  Anyway, I took matters into my own hands, and I was wondering
> if my procedure would be considered acceptable by my peers.  So, this
> is what I did:

cvsup updates the FreeBSD source tree to whatever the developers have
committed.  A patch for the issue (not an update to 8.13.6) was applied
to most branches.

> When the system came back up, the sendmail banner tells me it's
> running 8.13.6/8.13.4.  Would this mean I'm upgraded to the latest and
> am now without a shadow of a doubt secure against this latest
> sendmail threat?  Would that have been an acceptable way to upgrade a
> production server (and should I do it again, this time on my
> production sendmail server)?

Yes, you are now running sendmail 8.13.6.  No, this is probably not the
best way to patch a production server :)  For a small version bump like
the sendmail one, you didn't break anything, but in general, replacing
part of the base system wholesale could cause problems due to
dependencies of other parts of the system on a particular version, or
different compile-time settings between FreeBSD and the source
distribution.  Just running cvsup, verifying that you now have the
version numbers listed in the security advisory, and rebuilding what
the advisory tells you to, would have sufficed.

        Dan Nelson
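As an added example (not from this thread), a POSIX sh check of the verification step above: the sendmail banner reports "<binary version>/<sendmail.cf version>", and this parses that pair and tests the binary version against the minimum named in an advisory. The banner line and the 8.13.6 minimum are constructed samples, not values from any real advisory.

```shell
#!/bin/sh
# Added example: verify a sendmail banner against an advisory's minimum version.
# Constructed sample banner, as a client sees it on connecting to port 25.
SAMPLE_BANNER='220 mail.example.org ESMTP Sendmail 8.13.6/8.13.4; Sat, 25 Mar 2006 12:00:00 -0600'

# Print "<binary> <cf>" from a banner line; return 1 if no version pair is found.
banner_versions() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/.*Sendmail \([0-9.][0-9.]*\)\/\([0-9.][0-9.]*\).*/\1 \2/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Compare dotted version strings component by component; return 0 when $1 >= $2.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then return 0; fi
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then return 1; fi
    done
    return 0
}

# Return 0 if the banner's binary version is at or above $2 (the advisory minimum).
# Only the first number is checked: the second is the sendmail.cf version, which
# lagging behind does not by itself mean the binary is unpatched.
check_patched() {
    expected=$2
    pair=$(banner_versions "$1") || return 1
    binary=${pair%% *}
    version_ge "$binary" "$expected"
}

if check_patched "$SAMPLE_BANNER" 8.13.6; then
    echo "binary version meets the advisory minimum"
else
    echo "binary version is below the advisory minimum (or banner unrecognised)"
fi
```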