a few questions and concepts

Giorgos Keramidas keramida at ceid.upatras.gr
Fri Apr 7 21:34:08 UTC 2006


On 2006-04-07 15:54, Jonathan Horne <freebsd at dfwlp.com> wrote:
> im still pretty new to freebsd.  ive been playing around with the cvsup
> tools, and they are quite fascinating.
>
> i changed my production server from Fedora to FreeBSD 6.0, about 1 day
> before the most recent sendmail exploit was published (well, published on
> freebsd.org anyway).

Murphy at work, again, eh? :)

> i did download the patch and recompile it, but as some have also noted
> on this list, that it still banners as 8.13.4 when you telnet to it.
>
> so, the past couple of days, i have learned to cvsup my /usr/src
> directories.  ive just been using the standard copy of the stable-supfile.
> i have learned that if i perform the sendmail recompile after the cvsup,
> that sendmail seems to proclaim 8.13.6 in the banner.  on top of that,
> i have learned that if i recompile the kernel after cvsup, that it no
> longer says FreeBSD 6.0-RELEASE, but FreeBSD 6.1-PRERELEASE.

You are running RELENG_6 now, which is much more recent than
RELENG_6_0_RELEASE.

The first one is the top of the 6.X branch, which changes moderately
slowly, but it *does* change.  The 6.0-RELEASE source tree is "frozen in
time" at the point the tag was placed on the source tree.

> my questions:
> 1) after cvsup, i think i can assume that sendmail is now compiling from
> sourcecode that should definitely be free from the current exploit.  i
> would also assume that anything that i would need to recompile from
> /usr/src should also see the benefit of 'latest source code'?

Yes, both true.

> 2) on a production server, should i avoid recompiling a kernel that will
> be FreeBSD 6.1-PRERELEASE?  on the whole, how reliable is the bulk of
> these newer sources that were pulled down by cvsup?

In general, if you are a bit paranoid, you should avoid running RELENG_6 on
a production system.  At least until you have thoroughly tested it on a
"test system" and found everything working as expected.

> i can definitely see the benefits of using cvsup to take care of
> problems with some things (like sendmail), but allowing it to update
> everything under the /usr/src tree, im wondering if i could be setting
> myself up for issues (by not editing the stable-supfile and taking
> only what i need).

This is why each FreeBSD release is associated with at least:

    * A "frozen" tag, like RELENG_6_0_RELEASE

    * A security branch, like RELENG_6_0

    * A stable branch, like RELENG_6

Changes go very fast in the CURRENT FreeBSD branch.  After they settle
in for a while, some of them are backported to the RELENG_X branch.  The
RELENG_X branch changes much slower than the experimental, CURRENT
branch, but it does change every time a new feature is backported to
RELENG_X.

Then, when security fixes are made available, they are added both to the
RELENG_X branch and the RELENG_X_Y security branches.

If all you want is the "frozen" release sources plus changes that are
really really necessary, because they fix a serious security bug, you
probably want RELENG_X_Y (RELENG_6_0 in this case).

Regards,
Giorgos
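As an added illustration (not part of the original thread), here is what the tag choice discussed above looks like in a cvsup supfile: the stock stable-supfile line that tracks RELENG_6 beside the one that tracks only the RELENG_6_0 security branch. The host, base and prefix values are assumed defaults for a typical 6.0 install; adjust them to your own setup.

```conf
# security-supfile (constructed example): pull the "frozen" 6.0-RELEASE
# sources plus only the security fixes committed to the RELENG_6_0 branch.
*default host=cvsup.FreeBSD.org          # assumed mirror; pick a nearby one
*default base=/var/db                    # where cvsup keeps its checkouts state
*default prefix=/usr                     # sources land in /usr/src
*default release=cvs tag=RELENG_6_0      # security branch of 6.0-RELEASE
*default delete use-rel-suffix
*default compress

# The stock stable-supfile differs in exactly one line, which is why the
# kernel started identifying itself as 6.1-PRERELEASE after the update:
#   *default release=cvs tag=RELENG_6

src-all                                  # whole /usr/src, sendmail included
```

Run it with `cvsup -g -L 2 /path/to/security-supfile` and rebuild; on the security branch the kernel reports itself as 6.0-RELEASE-pN (N being the patch level) rather than 6.1-PRERELEASE, which is a quick way to confirm which branch the tree on disk actually came from.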
