About Patches

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Jun 23 02:46:22 PDT 2003


On Mon, Jun 23, 2003 at 11:54:54AM +0300, Jim Xochellis wrote:
> Hi List,
> 
> I need to apply some security patches to my FreeBSD(i386) 4.7-RELEASE 
> box and I am concerned about the possibility that I could actually harm 
> my system while trying to apply these patches. (I am not a Unix guru 
> actually)

Fear not: security patches are very well tested and should do what
they claim without unpleasant side effects.  Even if there were
problems with a patch in the early stages, it would soon be detected
and corrected -- as there hasn't been a security patch since
FreeBSD-SA-03:07.sendmail at the end of March, I don't think you have
to worry on that score.
 
> 1) Do I have to apply the security patches in a specific order?

Preferably in the order that they were issued, although you can
probably get away with a different order for patches that apply to
distinct parts of the sources.

> 2) Is there a chance where a patch requires a previous one? (In my case 
> some patches are not applicable)

Source patches will generally be made against the previous patch level
of whichever release branch is involved.  So, yes, you will have to
apply pre-requisite patches in some circumstances.  Any necessary
prerequisites will be documented in the advisory: e.g. see

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03%3A06.openssl.asc

which states:

    2) To patch your present system:

    The following patches have been verified to apply to FreeBSD 4.6, 4.7,
    and 5.0 systems which have already been patched for the issues resolved
    in FreeBSD-SA-03:02.openssl.

> 3) What if the code is not in the state that the patch requires? (For 
> instance if I have updated that port)

FreeBSD security advisories generally only apply to the base system,
and patches will only be issued for the system sources.  Security
problems to do with ported software are usually announced via security
notices.  In general, you should use cvsup(1) to update your ports
tree and a tool like portupgrade(1) to update any ports software.

Note that ports don't follow the same -CURRENT, -STABLE, -RELEASE
structure as the system sources.  At most, all that happens is the
ports tree will be tagged in CVS as a record of its state when a
particular release was made.  When updating, you should simply aim to
install the latest available versions of ported software.

In fact, as a general mechanism to keep your system sources up to
date, I'd recommend that you use cvsup(1) to track the RELENG_4_7
branch.  This will effectively act as an automated mechanism to apply
the same security patches as released separately, but with less chance
of operator error.  See
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
for instructions -- you should base any supfile you use on
/usr/share/examples/cvsup/standard-supfile, which apart from not
specifying which cvsup server to use is pretty much all you need to
keep your 4.7-RELEASE sources up to date.  (The ports-supfile in the
same directory will do the equivalent for the ports sources.)

> 4) Are the patches clever enough to protect me from harming my system?

No.  You need to take care and think about what you're doing while
updating the system.  Having said that, the patches aren't unduly
difficult to use, and if you follow the instructions you'll be just
fine.

> 5) Is there a safe way to undo a patch?

Make sure you have good backups, which you have tested to ensure you
can recover the system.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
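As an added example (not from Matthew's mail or from the FreeBSD project), a POSIX shell script that applies source patches in the order the advisories were issued, dry-running each one first so that a tree which is not in the state a patch expects (the missing-prerequisite and hand-updated-port cases in questions 2 and 3) is detected before anything is modified, and reversing the patches already applied when one is rejected. The one-file tree, the path lib/example.c and the patch names sa-01 to sa-03 are constructed test data; patch paths are assumed to contain no spaces.

```shell
# apply_in_order SRCDIR PATCH...
# Applies source patches in the order given (each advisory presumes the
# previous patch level), dry-running every patch first so one that does not
# match the tree (missing prerequisite, hand-updated file) is caught before
# anything changes; the patches already applied are then reversed so the tree
# is back where it started.  Returns 0 if all applied, 1 if a patch was
# rejected, 2 if the tree could not be restored (reach for the backups).
apply_in_order() {
    srcdir=$1; shift
    applied=""
    for p in "$@"; do
        # --dry-run is spelled -C on FreeBSD patch(1); -f suppresses prompts.
        if ! patch -f -s -d "$srcdir" -p0 --dry-run < "$p" >/dev/null 2>&1; then
            echo "$p does not apply cleanly: check the advisory's prerequisites" >&2
            for q in $applied; do             # most recently applied first
                patch -f -s -d "$srcdir" -p0 -R < "$q" >/dev/null 2>&1 ||
                    { echo "cannot reverse $q; restore from backup" >&2; return 2; }
            done
            return 1
        fi
        patch -f -s -d "$srcdir" -p0 < "$p" >/dev/null 2>&1 || return 2
        applied="$p $applied"
    done
}

# write_patch FILE OLD NEW: a one-hunk unified diff that replaces line 2 of
# lib/example.c, with lines 1 and 3 as context (constructed test data).
write_patch() {
    printf -- '--- lib/example.c\n+++ lib/example.c\n@@ -1,3 +1,3 @@\n int a = 1;\n-%s\n+%s\n int c = 3;\n' \
        "$2" "$3" > "$1"
}

# make_sample_tree: constructed one-file tree plus three patches.  sa-02
# presumes sa-01 (as FreeBSD-SA-03:06.openssl presumes 03:02 in the advisory
# quoted above); sa-03 matches no state of the file at all.  Prints the path.
make_sample_tree() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/satree.XXXXXX") && mkdir -p "$dir/lib"
    printf 'int a = 1;\nint b = 2;\nint c = 3;\n' > "$dir/lib/example.c"
    write_patch "$dir/sa-01.patch" 'int b = 2;'  'int b = 20;'
    write_patch "$dir/sa-02.patch" 'int b = 20;' 'int b = 200;'
    write_patch "$dir/sa-03.patch" 'int b = 99;' 'int b = 999;'
    echo "$dir"
}

# second_line DIR: the line the patches touch, to inspect the tree's state.
second_line() { sed -n 2p "$1/lib/example.c"; }

t=$(make_sample_tree)
apply_in_order "$t" "$t/sa-01.patch" "$t/sa-02.patch" && echo "in order: $(second_line "$t")"
t=$(make_sample_tree)
apply_in_order "$t" "$t/sa-01.patch" "$t/sa-03.patch" || echo "rolled back to: $(second_line "$t")"
```

Against a real /usr/src the same function is called with the advisory's patch files in issue order and -p0 paths relative to the source root, exactly as the advisories instruct.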