Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3
On Sun, Feb 19, 2012 at 06:00:50PM +, Matthew Seaman wrote:
> On 19/02/2012 17:49, Nikola Pavlović wrote:
> > If it will make you feel more confident that everything is OK, I too have -p3 reported from the kernel, but -p6 in newvers.sh. I remember a discussion shortly after FreeBSD-SA-11:05-unix (maybe on freebsd-security@ but I'm not sure) about this confusion with patch level reported and if I remember correctly the conclusion was in agreement with what Matthew wrote above.
>
> Um... it's not really surprising that the two posts are in agreement. I certainly read that other thread, and I may even have written that other post you mention...
>

Sorry if I wasn't clear, I did not intend to question your answer (which, as usual, was thorough and most helpful) in any way, but only to point out, because Antonio expressed some doubt, that it isn't mere speculation and that the issue is known, and that he isn't the only one with "strange" -pX reported by uname (i.e. he can be confident that his system is up to date, as far as this is concerned).

I don't remember who wrote what (and laziness prevents me from searching the archives), only that people who never use Linux emulation need not apply the follow up patch in which case -p3 is correct.

--
About the only thing we have left that actually discriminates in favor of the plain people is the stork.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3
On 19/02/2012 17:49, Nikola Pavlović wrote:
> If it will make you feel more confident that everything is OK, I too have -p3 reported from the kernel, but -p6 in newvers.sh. I remember a discussion shortly after FreeBSD-SA-11:05-unix (maybe on freebsd-security@ but I'm not sure) about this confusion with patch level reported and if I remember correctly the conclusion was in agreement with what Matthew wrote above.

Um... it's not really surprising that the two posts are in agreement. I certainly read that other thread, and I may even have written that other post you mention...

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3
On Sun, Feb 19, 2012 at 05:17:59AM -0600, Antonio Olivares wrote:
> On Sun, Feb 19, 2012 at 4:22 AM, Matthew Seaman wrote:
> > Here is the thing I alluded to under option (1). The security patch for the unix domain socket problem came out in two chunks. There was an original patch to fix the actual security problem, then a later followup patch to fix a bug that exposed in the linux emulation layer. It is possible to tell this from the text of the advisory as it exists at the moment, but you might not see it unless you are looking for it. The important bit of text is this:
> >
> > NOTE: The patch distributed at the time of the original advisory fixed the security vulnerability but exposed the pre-existing bug in the linux emulation subsystem. Systems to which the original patch was applied should be patched with the following corrective patch, which contains only the additional changes required to fix the newly-exposed linux emulation bug:
> >
> > Given that the second part of the patch was actually not a security fix, there would not have been a modified kernel distributed. So you got a bundle of three advisories issued together on 2011-09-28 resulting in FreeBSD 8.2-RELEASE-p3. Then later on, at 2011-10-04 a further update was issued modifying FreeBSD-SA-11:05-unix and technically taking the system to FreeBSD 8.2-RELEASE-p4. However, as this was not a security fix, it was not applied to the freebsd-update distribution channel. As none of the updates since then have touched the kernel, it will still show -p3 even though you are in fact fully patched against all known security problems.
>
> I hope this is the case, but that -p3 makes me think? I am hesitant

If it will make you feel more confident that everything is OK, I too have -p3 reported from the kernel, but -p6 in newvers.sh. I remember a discussion shortly after FreeBSD-SA-11:05-unix (maybe on freebsd-security@ but I'm not sure) about this confusion with patch level reported and if I remember correctly the conclusion was in agreement with what Matthew wrote above.

>
> Thank you very much for your kind explanation and hopefully I am in the (4) category. How does one know when a new 8.2-RELEASE-pX, has been released? where X is a number >= 6?
>

You could follow freebsd-announce@, and/or optionally freebsd-security@. All security advisories and errata patches are announced there. Alternatively, there are http://www.freebsd.org/security/advisories.html and http://www.freebsd.org/security/notices.html pages along with their RSS feeds http://www.freebsd.org/security/rss.xml and http://www.freebsd.org/security/errata.xml, respectively.

--
"Have you lived here all your life?"
"Oh, twice that long."
Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3
On 19/02/2012 11:17, Antonio Olivares wrote:
> I hope this is the case, but that -p3 makes me think? I am hesitant to move to 9.0-RELEASE as of yet. There will apparently be an 8.3-RELEASE and I am not sure whether I have to rebuild all ports if I update to newer release. I have read some places that one does not have to rebuild all ports, and just install compat8.x/ special port. In FreeBSD Handbook, it still recommends to rebuild all ports. It took me a while to get going last time I moved from 8.1-RELEASE to 8.2-RELEASE, so I am hesitant to do it :( And not being sure about this, I am in the thinking process of what should I do.

If you upgrade from 8.2 to 8.3 then you don't need to rebuild all your ports. There's a guarantee of ABI compatibility for all 8.x releases, meaning that with a very few exceptions, anything that runs on one 8.x version will run on any of them. The exceptions are programs that go grovelling into kernel memory -- lsof(8) is probably the only one most people will encounter.

On the other hand, if you upgrade from 8.x to 9.0, then yes you will have to rebuild all your ports. If you install compat8x you can /run/ programs built for 8.x on 9.0, but you can't[*] upgrade or install a lot of programs that use shlibs from ports. Ultimately it is less hassle just to rebuild everything and be done with it.

Cheers,

Matthew

[*] Well, unless you are a Unix guru and wise in the ways of the dynamic loader.

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3
On Sun, 19 Feb 2012 14:11:09 +0100 Leslie Jensen wrote:
>
> I don't know if it's the solution to your question but I asked the same a while back and the answer I got was that I had to recompile and install the kernel then you'll have p6 :-)

The only thing you gain by that is that uname reports p6, it's purely cosmetic.
Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3
RW wrote 2012-02-19 13:59:
> On Sun, 19 Feb 2012 10:22:57 + Matthew Seaman wrote:
> > Four possibilities, roughly in order of severity:
> >
> > 1) None of the security patches between p3 and p6 did actually touch the kernel. You can tell if this was the case by looking at the list of modified files in the security advisory. The kernel is affected if any files under sys have been modified other than src/sys/conf/newvers.sh
> >
> >    The last advisory that did touch the kernel was http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc which should have given you 8.2-RELEASE-p4. However -- see below.
>
> But aren't all those changes the linux kernel module, rather than the kernel itself. I think 8.2-RELEASE-p3 looks OK.

I don't know if it's the solution to your question but I asked the same a while back and the answer I got was that I had to recompile and install the kernel then you'll have p6 :-)

/Leslie
Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3
On Sun, 19 Feb 2012 10:22:57 + Matthew Seaman wrote:
> Four possibilities, roughly in order of severity:
>
> 1) None of the security patches between p3 and p6 did actually touch the kernel. You can tell if this was the case by looking at the list of modified files in the security advisory. The kernel is affected if any files under sys have been modified other than src/sys/conf/newvers.sh
>
>    The last advisory that did touch the kernel was http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc which should have given you 8.2-RELEASE-p4. However -- see below.

But aren't all those changes the linux kernel module, rather than the kernel itself. I think 8.2-RELEASE-p3 looks OK.
Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3
Hi,

On Sunday 19 February 2012 18:17:59 Antonio Olivares wrote:
>
> I hope this is the case, but that -p3 makes me think? I am hesitant to move to 9.0-RELEASE as of yet. There will apparently be an 8.3-RELEASE and I am not sure whether I have to rebuild all ports if I

you could adapt my strategy. Stay with 8 until 10 appears at the scene. You will have support for 8.x until 10.0 will be available. There is no need for you to switch to 9.x at all.

Erich
Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3
On Sun, Feb 19, 2012 at 4:22 AM, Matthew Seaman wrote:
> On 19/02/2012 02:06, Antonio Olivares wrote:
>> On Sat, Feb 18, 2012 at 8:04 PM, Robert Bonomi wrote:
>>>
>>> Antonio,
>>> The 'upgrade' from _P5_ to P6 did not touch the kernel, hence the kernel ID did not change.
>>>
>>> Going from P3 you should have seen a kernel update.
>>>
>>> what do you see if you do "strings /boot/kernel/kernel |grep 8"
>>
>> It is a big file so I'll paste it to pastebin temporarily:
>>
>> http://pastebin.com/K1PsTa0P
>
> Heh. The interesting bit is on line 4301 -- the last line of that output. A slightly more selective grep term would have been a good idea.
>
> Anyhow, that shows the kernel on your system is 8.2-RELEASE-p3. Which implies that something ain't right somewhere.
>
> Four possibilities, roughly in order of severity:
>
> 1) None of the security patches between p3 and p6 did actually touch the kernel. You can tell if this was the case by looking at the list of modified files in the security advisory. The kernel is affected if any files under sys have been modified other than src/sys/conf/newvers.sh
>
>    The last advisory that did touch the kernel was http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc
>
>    which should have given you 8.2-RELEASE-p4. However -- see below.
>
> 2) An oversight in the freebsd-update process upstream meaning that the operational patches were applied, but not the changes to the kernel version number when the replacement kernel was compiled. Unlikely, as newvers.sh is always updated on each of the security branches even if the update doesn't touch the kernel.
>
> 3) You've told freebsd-update not to touch your kernel. Unlikely, and not in the default config, but useful where people need to use a custom kernel and maintain the rest of the system with freebsd-update.
>
>    In this case, you'd have modified /etc/freebsd-update.conf to change:
>
>        Components src world kernel
>
>    to read:
>
>        Components src world
>
>    Also you should be expecting to have to rebuild your kernel from sources, so I doubt this is the case.

/etc/freebsd-update.conf has:

=line 1 col 0 lines from top 1
# $FreeBSD: src/etc/freebsd-update.conf,v 1.6.2.2.6.1 2010/12/21 17:09:25 kensmi

# Trusted keyprint. Changing this is a Bad Idea unless you've received
# a PGP-signed email from telling you to
# change it and explaining why.
KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5

# Server or server pool from which to fetch updates. You can change
# this to point at a specific server if you want, but in most cases
# using a "nearby" server won't provide a measurable improvement in
# performance.
ServerName update.FreeBSD.org

# Components of the base system which should be kept updated.
Components src world kernel
. removed to save space

>
> 4) The kernel wasn't patched properly and hasn't been updated and you're still vulnerable.
>
> Now, I believe that in fact the situation is in fact as described in option (1) -- none of the patches since p3 have touched the kernel distributed through freebsd-update. (2) and (4) can be discounted -- if such egregious mistakes had been made, they would long ago have been noticed and corrected.
>
> Here is the thing I alluded to under option (1). The security patch for the unix domain socket problem came out in two chunks. There was an original patch to fix the actual security problem, then a later followup patch to fix a bug that exposed in the linux emulation layer. It is possible to tell this from the text of the advisory as it exists at the moment, but you might not see it unless you are looking for it. The important bit of text is this:
>
> NOTE: The patch distributed at the time of the original advisory fixed the security vulnerability but exposed the pre-existing bug in the linux emulation subsystem. Systems to which the original patch was applied should be patched with the following corrective patch, which contains only the additional changes required to fix the newly-exposed linux emulation bug:
>
> Given that the second part of the patch was actually not a security fix, there would not have been a modified kernel distributed. So you got a bundle of three advisories issued together on 2011-09-28 resulting in FreeBSD 8.2-RELEASE-p3. Then later on, at 2011-10-04 a further update was issued modifying FreeBSD-SA-11:05-unix and technically taking the system to FreeBSD 8.2-RELEASE-p4. However, as this was not a security fix, it was not applied to the freebsd-update distribution channel. As none of the updates since then have touched the kernel, it will still show -p3 even though you are in fact fully patched against all known security problems.
Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3
On 19/02/2012 02:06, Antonio Olivares wrote:
> On Sat, Feb 18, 2012 at 8:04 PM, Robert Bonomi wrote:
>>
>> Antonio,
>> The 'upgrade' from _P5_ to P6 did not touch the kernel, hence the kernel ID did not change.
>>
>> Going from P3 you should have seen a kernel update.
>>
>> what do you see if you do "strings /boot/kernel/kernel |grep 8"
>
> It is a big file so I'll paste it to pastebin temporarily:
>
> http://pastebin.com/K1PsTa0P

Heh. The interesting bit is on line 4301 -- the last line of that output. A slightly more selective grep term would have been a good idea.

Anyhow, that shows the kernel on your system is 8.2-RELEASE-p3. Which implies that something ain't right somewhere.

Four possibilities, roughly in order of severity:

1) None of the security patches between p3 and p6 did actually touch the kernel. You can tell if this was the case by looking at the list of modified files in the security advisory. The kernel is affected if any files under sys have been modified other than src/sys/conf/newvers.sh

   The last advisory that did touch the kernel was http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc

   which should have given you 8.2-RELEASE-p4. However -- see below.

2) An oversight in the freebsd-update process upstream meaning that the operational patches were applied, but not the changes to the kernel version number when the replacement kernel was compiled. Unlikely, as newvers.sh is always updated on each of the security branches even if the update doesn't touch the kernel.

3) You've told freebsd-update not to touch your kernel. Unlikely, and not in the default config, but useful where people need to use a custom kernel and maintain the rest of the system with freebsd-update.

   In this case, you'd have modified /etc/freebsd-update.conf to change:

       Components src world kernel

   to read:

       Components src world

   Also you should be expecting to have to rebuild your kernel from sources, so I doubt this is the case.

4) The kernel wasn't patched properly and hasn't been updated and you're still vulnerable.

Now, I believe that in fact the situation is in fact as described in option (1) -- none of the patches since p3 have touched the kernel distributed through freebsd-update. (2) and (4) can be discounted -- if such egregious mistakes had been made, they would long ago have been noticed and corrected.

Here is the thing I alluded to under option (1). The security patch for the unix domain socket problem came out in two chunks. There was an original patch to fix the actual security problem, then a later followup patch to fix a bug that exposed in the linux emulation layer. It is possible to tell this from the text of the advisory as it exists at the moment, but you might not see it unless you are looking for it. The important bit of text is this:

NOTE: The patch distributed at the time of the original advisory fixed the security vulnerability but exposed the pre-existing bug in the linux emulation subsystem. Systems to which the original patch was applied should be patched with the following corrective patch, which contains only the additional changes required to fix the newly-exposed linux emulation bug:

Given that the second part of the patch was actually not a security fix, there would not have been a modified kernel distributed. So you got a bundle of three advisories issued together on 2011-09-28 resulting in FreeBSD 8.2-RELEASE-p3. Then later on, at 2011-10-04 a further update was issued modifying FreeBSD-SA-11:05-unix and technically taking the system to FreeBSD 8.2-RELEASE-p4. However, as this was not a security fix, it was not applied to the freebsd-update distribution channel. As none of the updates since then have touched the kernel, it will still show -p3 even though you are in fact fully patched against all known security problems.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
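
The two checks discussed in this thread, as an added shell example that is not part of any poster's message or of freebsd-update: compare the patch level the kernel reports with the one in newvers.sh, and list the files in an advisory's modified-file list that sit under sys other than sys/conf/newvers.sh. The function names, the verdict labels and all sample data are assumptions constructed for illustration; the newvers.sh excerpt assumes top-level REVISION and BRANCH assignments.

```sh
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Print N from a "-pN" suffix ("8.2-RELEASE-p3" -> 3); 0 when absent.
patch_number() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*-p\([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "${n:-0}"
}

# Read newvers.sh text on stdin, print "REVISION-BRANCH".
# Assumes top-level REVISION="..." and BRANCH="..." assignments.
newvers_release() {
    awk -F'"' '
        /^REVISION=/ && rev == "" { rev = $2 }
        /^BRANCH=/   && br  == "" { br  = $2 }
        END { if (rev != "" && br != "") print rev "-" br }'
}

# Read an advisory's modified-file list on stdin (path in first column).
# Print every path under sys/ except sys/conf/newvers.sh.
kernel_files_in_advisory() {
    awk '{ p = $1; sub(/^src\//, "", p) }
         p ~ /^sys\// && p != "sys/conf/newvers.sh" { print $1 }'
}

# assess KERNEL_VERSION SOURCE_VERSION KERNEL_FILES
#   consistent  - kernel reports the same or a newer patch level
#   cosmetic    - kernel lags, but no listed file is kernel code
#   investigate - kernel lags and kernel files were modified
assess() {
    k=$(patch_number "$1")
    s=$(patch_number "$2")
    if [ "$k" -ge "$s" ]; then echo consistent
    elif [ -z "$3" ]; then echo cosmetic
    else echo investigate
    fi
}

sample_newvers() {          # constructed excerpt in newvers.sh style
    cat <<'EOF'
TYPE="FreeBSD"
REVISION="8.2"
BRANCH="RELEASE-p6"
EOF
}

sample_files_userland() {   # constructed list, placeholder paths
    cat <<'EOF'
src/UPDATING
src/sys/conf/newvers.sh
src/lib/libexample/example.c
EOF
}

sample_files_kernel() {     # constructed list, placeholder paths
    cat <<'EOF'
src/sys/conf/newvers.sh
src/sys/kern/example_subr.c
EOF
}

# On a live system the inputs would be "$(uname -r)" and
# newvers_release < /usr/src/sys/conf/newvers.sh
src=$(sample_newvers | newvers_release)
assess "8.2-RELEASE-p3" "$src" "$(sample_files_userland | kernel_files_in_advisory)"
assess "8.2-RELEASE-p3" "$src" "$(sample_files_kernel | kernel_files_in_advisory)"
```

An "investigate" verdict only says that kernel files were listed; the advisory text still has to be read to see whether the change was delivered as a new kernel.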
Re: No updates needed to update system to 8.2-RELEASE-p6 but still on 8.2-RELEASE-p3
On Sat, Feb 18, 2012 at 8:04 PM, Robert Bonomi wrote:
>
> Antonio,
> The 'upgrade' from _P5_ to P6 did not touch the kernel, hence the kernel ID did not change.
>
> Going from P3 you should have seen a kernel update.
>
> what do you see if you do "strings /boot/kernel/kernel |grep 8"

It is a big file so I'll paste it to pastebin temporarily:

http://pastebin.com/K1PsTa0P

Thanks,

Antonio