Is it not possible/not intended for kernels to be updated via
freebsd-update? If kernels can be updated via freebsd-update
will there be a release of a fix/update that will allow systems
to be patched/updated to -p4 or later?

-Tom Carpenter

On 11/14/2011 05:25 AM, Evalyn wrote:
It touches the kernel but you need to do make buildkernel/make installkernel
before uname -a shows "8.2-RELEASE-p4".

Regards,
Evalyn


-----Original Message-----
From: owner-freebsd-questi...@freebsd.org
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Matthew Seaman
Sent: 12 November 2011 02:03
To: Robert Simmons
Cc: freebsd-questions@freebsd.org
Subject: Re: 8.2-RELEASE-p4

On 11/11/2011 21:03, Robert Simmons wrote:
>> Note that if a security update is just to some userland programs,
>> freebsd-update won't touch the OS kernel, so the reported version
>> number doesn't change even though the update has been applied.  In
>> these sort of cases, it's not necessary to reboot, just to restart
>> any long running processes (if any) affected by the update.  The
>> security advisory should have more detailed instructions about
>> exactly what to do.  (The -p2 to -p3 update was like this, but the
>> -p3 to -p4 update definitely did affect the kernel so a reboot was
>> necessary.)
>
> I'm not confident that you are correct here.  See above.  Either p3-p4
> did not touch the kernel, or the OP has a legitimate question.

Interesting.  I based what I said on the text of the security advisories:

http://security.freebsd.org/advisories/FreeBSD-SA-11:04.compress.asc
http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc

Specifically the 'Corrected:' section near the top.  I think it's clear that
FreeBSD-SA-11:04.compress (Corrected in 8.2-RELEASE-p3) doesn't involve
anything in the kernel but FreeBSD-SA-11:05.unix (Corrected in
8.2-RELEASE-p4) is entirely within the kernel code.  Except those advisories
aren't telling the whole story.

Let's look at r226023 in SVN.  That's the revision quoted in the 11.05
advisory.  The log for newvers.sh in

http://svnweb.freebsd.org/base/releng/8.2/sys/conf/newvers.sh?view=log&pathrev=226023

says that the patches in RELEASE-p4 were not actually the security fix
-- rather they fixed a problem revealed by the actual security fix, which
was applied simultaneously with the patches in FreeBSD-SA-11:04.compress.
11.05 was committed in two blobs spanning -p3 and -p4.

So, the good news is that if you have at least 8.2-RELEASE-p3 then you don't
have any (known) security holes.  However if you don't have the patches in
8.2-RELEASE-p4 then linux apps run under emulation will crash if they use
unix domain sockets.  The flash plugin for FireFox being the most prominent
example as I recall.

Now the updates for -p4 certainly should have touched the kernel, and
certainly should have resulted in an updated uname string[*].  There should
also be a note about -p4 in /usr/src/UPDATING.  Starting to wonder if the
-p4 patches are actually available via freebsd-update(8) -- could they have
been omitted because it wasn't actually a security fix?  Odd that no one
would have commented in a whole month if so.

    Cheers,

    Matthew



[*] strings /boot/kernel/kernel | grep '8\.2-'   should give the same
results as uname(1): if it's different then the running kernel is not the
same as the one on disk...


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
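
The check from the [*] footnote above, written out as an added example (not code from any of the thread's participants): it compares the release string embedded in the on-disk kernel with the running release and reports a mismatch. The function names are hypothetical, `grep -a -o` stands in for strings(1), and the release prefix is derived from the running release rather than fixed at 8.2, which goes beyond the case in the thread.

```shell
#!/bin/sh
# Added example: does the kernel on disk carry the same release string
# as the running kernel?  Function names here are hypothetical.

# Print the release string (e.g. "8.2-RELEASE-p4") found in kernel file $1
# for the release prefix $2 (e.g. "8.2-RELEASE").  Prints nothing if absent.
kernel_file_release() {
    # Escape dots so "8.2" cannot match "8x2".
    kfr_pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    # -a: treat the binary as text; -o: print only the matched string.
    # sort -u | tail: if both "X" and "X-pN" occur, keep the patched form.
    LC_ALL=C grep -a -o -e "${kfr_pat}"'\(-p[0-9][0-9]*\)\{0,1\}' "$1" \
        | sort -u | tail -n 1
}

# Compare running release $1 (as printed by `uname -r`) with kernel file $2.
# Returns 0 on match, 1 on mismatch (kernel replaced on disk but not yet
# booted, or the reverse), 2 if no release string is found in the file.
check_kernel_release() {
    ckr_running=$1
    ckr_prefix=${ckr_running%-p[0-9]*}      # strip a trailing "-pN"
    ckr_ondisk=$(kernel_file_release "$2" "$ckr_prefix")
    if [ -z "$ckr_ondisk" ]; then
        echo "unknown running=$ckr_running"
        return 2
    elif [ "$ckr_ondisk" = "$ckr_running" ]; then
        echo "match running=$ckr_running ondisk=$ckr_ondisk"
        return 0
    fi
    echo "mismatch running=$ckr_running ondisk=$ckr_ondisk"
    return 1
}

# Constructed sample: a fake kernel image with a -p4 string between binary
# bytes, checked against a running release of -p3.
ckr_sample=$(mktemp)
printf '\000\001ELF\000FreeBSD 8.2-RELEASE-p4 #0\000\377\000' > "$ckr_sample"
check_kernel_release "8.2-RELEASE-p3" "$ckr_sample" || :
rm -f "$ckr_sample"

# On a real host: check_kernel_release "$(uname -r)" /boot/kernel/kernel
```
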