keeping my freebsd secure...

Chuck Swiger cswiger at mac.com
Sat Jun 12 16:14:11 GMT 2004


Haim Ashkenazi wrote:
> 1. I need to follow the security advisories to see if there are
> vulnerabilities in the base system (I didn't find any regarding 4.10, am I
> right?)

It's certainly a good idea, yes.  There's a list just for security 
announcements, although anyone who follows CERT or Bugtraq or other security 
lists is likely to see issues appear from various places.

Decide whether to follow RELENG_4 or RELENG_4_10.

> 2. I installed portaudit to tell me if there are vulnerabilities in the
> ports.

portaudit is still work-in-progress, but this is also a good idea.

> 3. there are some tools (don't remember their names) that automatically
> download and install upgrades.

portupgrade.

[ ... ]
> how do I update my ports without breaking anything and without downtime
> for important services (apache, mysql, etc...)? The one port I installed
> from a pre-compiled binary (screen) took 99% CPU, and I had to compile it
> so it would work OK. So how do I upgrade any of the above daemons without
> having to uninstall -> compile -> reinstall (which takes a long time)?

portupgrade does "compile -> uninstall -> reinstall", which interrupts the 
affected software only for a few seconds.  Note that it might still be a good 
idea to shutdown and restart the service yourself directly.

> also, if the PNG library has vulnerabilities (as it does now on my
> system) and I update the ports and compile it, do I have to update all the
> ports or only this one (will php break if I don't upgrade it)?

That depends on whether the newer version of PNG retains shlib 
backwards-compatibility with the older version.  Good software tends to be 
fine; other software, where the authors are less concerned about retaining 
compatibility with previous versions, may require one to recompile dependent 
ports as well.

-- 
-Chuck

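The shlib question in the last paragraph of Chuck's reply comes down to one check: does the upgraded port install a shared library with the same major number (libpng.so.5 stays libpng.so.5), or does the major number change? The script below is an added example, not part of the original mail or of the FreeBSD ports tools. It applies that rule and, for the incompatible case, pulls the list of ports to rebuild out of "pkg_info -R" output. The pkg_info -R layout ("Information for ...:", a blank line, "Required by:", one package per line) and the package names and versions in the sample are assumed from memory and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail): decide whether upgrading a
# shared-library port forces a rebuild of the ports linked against it.
# Rule: same shared-library major number -> existing binaries keep loading
# the new library; different major number -> every dependent port must be
# recompiled.  The check only catches libraries whose authors bump the
# major number on ABI breaks; one that changes its ABI without doing so is
# exactly the "less concerned" software the mail warns about.

# shlib_major LIBFILE: print the major number of a FreeBSD-style shared
# library name, e.g. "libpng.so.5" -> "5", "/usr/local/lib/libz.so.2" -> "2".
shlib_major() {
    echo "${1##*.so.}" | cut -d. -f1
}

# abi_compatible OLDLIB NEWLIB: exit 0 when the major numbers match.
abi_compatible() {
    [ "$(shlib_major "$1")" = "$(shlib_major "$2")" ]
}

# dependents PKGINFO_R_TEXT: extract package names from the output of
# "pkg_info -R <pkg>".  Format assumed: a header line, a blank line,
# "Required by:", then one package name per line.
dependents() {
    printf '%s\n' "$1" | awk '
        /^Required by:/ { on = 1; next }
        on && NF        { print $1 }
    '
}

# rebuild_plan OLDLIB NEWLIB PKGINFO_R_TEXT: print what has to be rebuilt,
# either "library only" or the dependent packages, one per line.
rebuild_plan() {
    if abi_compatible "$1" "$2"; then
        echo "library only"
    else
        dependents "$3"
    fi
}

# Constructed sample of what "pkg_info -R png-1.2.5_2" might print on a box
# with PHP and ImageMagick installed; versions are illustrative.
SAMPLE_PKGINFO='Information for png-1.2.5_2:

Required by:
ImageMagick-5.5.7.15
php4-4.3.6
'

# Same major number: rebuilding the png port alone is enough.
rebuild_plan libpng.so.5 libpng.so.5 "$SAMPLE_PKGINFO"
# Major number bumped: ImageMagick and php4 must be recompiled as well.
rebuild_plan libpng.so.5 libpng.so.6 "$SAMPLE_PKGINFO"
```

In the incompatible case, "portupgrade -r graphics/png" upgrades the library and then every package that depends on it, which is the recompile of dependent ports the mail describes; "pkg_info -R png-1.2.5_2" on the live system shows you that list beforehand so you know how long the rebuild will take before you start it.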
