About Patches

Jim Xochellis dxoch at escape.gr
Mon Jun 23 03:24:22 PDT 2003

Many thanks Matthew, you have been very helpful.

Jim Xochellis

On Monday, June 23, 2003, at 12:44 PM, Matthew Seaman wrote:

> On Mon, Jun 23, 2003 at 11:54:54AM +0300, Jim Xochellis wrote:
>> Hi List,
>> I need to apply some security patches to my FreeBSD(i386) 4.7-RELEASE
>> box and I am concerned about the possibility that I could actually harm
>> my system while trying to apply these patches. (I am not a Unix guru
>> actually)
> Fear not: security patches are very well tested and should do what
> they claim without unpleasant side effects.  Even if there were
> problems with a patch in the early stages, it would soon be detected
> and corrected -- as there hasn't been a security patch since
> FreeBSD-SA-03:07.sendmail at the end of March, I don't think you have
> to worry on that score.
>> 1) Do I have to apply the security patches in a specific order?
> Preferably in the order that they were issued, although you can
> probably get away with a different order for patches that apply to
> distinct parts of the sources.
>> 2) Is there a chance where a patch requires a previous one? (In my case
>> some patches are not applicable)
> Source patches will generally be made against the previous patch level
> of whichever release branch is involved.  So, yes, you will have to
> apply pre-requisite patches in some circumstances.  Any necessary
> prerequisites will be documented in the advisory: E.g. see
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03%3A06.openssl.asc
> which states:
>     2) To patch your present system:
>     The following patches have been verified to apply to FreeBSD 4.6, 4.7,
>     and 5.0 systems which have already been patched for the issues resolved
>     in FreeBSD-SA-03:02.openssl.
>> 3) What if the code is not in the state that the patch requires? (For
>> instance if I have updated that port)
> FreeBSD security advisories generally only apply to the base system,
> and patches will only be issued for the system sources.  Security
> problems to do with ported software are usually announced via security
> notices.  In general, you should use cvsup(1) to update your ports
> tree and a tool like portupgrade(1) to update any ports software.
> Note that ports don't follow the same -CURRENT, -STABLE, -RELEASE
> structure as the system sources.  At most, all that happens is the
> ports tree will be tagged in CVS as a record of its state when a
> particular release was made.  When updating, you should simply aim to
> install the latest available versions of ported software.
> In fact, as a general mechanism to keep your system sources up to
> date, I'd recommend that you use cvsup(1) to track the RELENG_4_7
> branch.  This will effectively act as an automated mechanism to apply
> the same security patches as released separately, but with less chance
> of operator error.  See
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html
> for instructions -- you should base any supfile you use on
> /usr/share/examples/cvsup/standard-supfile, which apart from not
> specifying which cvsup server to use is pretty much all you need to
> keep your 4.7-RELEASE sources up to date.  (The ports-supfile in the
> same directory will do the equivalent for the ports sources.)
>> 4) Are the patches clever enough to protect me from harming my system?
> No.  You need to take care and think about what you're doing while
> updating the system.  Having said that, the patches aren't unduly
> difficult to use, and if you follow the instructions you'll be just
> fine.
>> 5) Is there a safe way to undo a patch?
> Make sure you have good backups, which you have tested to ensure you
> can recover the system.
> 	Cheers,
> 	Matthew
> -- 
> Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
>                                                       Savill Way
> PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
> Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
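Taking Matthew's answers to questions 1, 2, 4 and 5 together (issue order, prerequisites, care, undo), here is an added POSIX sh example that is not from the thread or from FreeBSD's own tooling: it sorts saved advisory patches into issue order, dry-runs each one before touching the tree, and backs a patch out with patch -R. It assumes a hypothetical naming scheme SA-YY_NN.name.patch under $PATCHDIR and a source tree at $SRCDIR; both variable names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's own tooling.
# Assumptions (hypothetical): each advisory's source patch was saved as
#   $PATCHDIR/SA-YY_NN.name.patch   (e.g. SA-03_06.openssl.patch, the ':'
#   of the advisory id replaced by '_'), and $SRCDIR is the source tree
#   the patch paths are relative to (e.g. /usr/src).

# Print patch file names (read from stdin) in advisory issue order:
# year first, then sequence number. Numeric sort on the two-digit year
# assumes 2000-era ids, which is all that applies to a 4.7 system.
sa_order() {
    sed 's/^\(.*SA-\([0-9][0-9]\)_\([0-9][0-9]\)\..*\)$/\2 \3 \1/' |
        sort -k1,1n -k2,2n | cut -d' ' -f3-
}

# Apply one patch only if a dry run succeeds. -N refuses hunks that look
# already applied (so a repeat run does not reverse them), -b keeps
# .orig copies of every touched file. Returns 1 without modifying the
# tree when the patch does not fit, e.g. a prerequisite advisory is missing.
apply_sa() {
    if ! patch --dry-run -N -s -p0 -d "$SRCDIR" < "$1"; then
        echo "skip: $1 does not apply cleanly (prerequisite missing or already applied?)" >&2
        return 1
    fi
    patch -N -s -b -p0 -d "$SRCDIR" < "$1"
}

# Back out a patch with patch -R; only valid while the tree is still in
# the state the patch left it in, so keep a tested backup as well.
revert_sa() {
    patch -R -s -p0 -d "$SRCDIR" < "$1"
}

# Apply every patch in $PATCHDIR in issue order; stop at the first one
# that does not fit rather than continuing with a half-patched tree.
apply_all() {
    ls "$PATCHDIR"/SA-*.patch | sa_order | while read -r p; do
        apply_sa "$p" || exit 1
        echo "applied: $p"
    done
}
```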

More information about the freebsd-questions mailing list