Updating bzip2 to remove potential security vulnerability

Jason jhelfman at e-e.com
Fri Oct 1 21:04:43 UTC 2010


On Fri, Oct 01, 2010 at 04:59:40PM -0400, Jerry thus spake:
>On Fri, 1 Oct 2010 12:14:20 -0500
>Dan Nelson <dnelson at allantgroup.com> articulated:
>
>> You must have missed
>> http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
>> patches for 6, 7, and 8 are available there, and freebsd-update has
>> fixed binaries if you use that.
>
>Never saw it. So I am assuming that simply using something like:
>
>csup -L2 -h cvsup.FreeBSD.org "/usr/src/share/examples/cvsup/standard-supfile"
>
>Then rebuild Kernel & World is not going to work. Is that correct?

The update instructions are in the announcement. Here is a snippet from
it:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:08/bzip2.patch
# fetch http://security.FreeBSD.org/patches/SA-10:08/bzip2.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libbz2
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 6.4-RELEASE, 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or
8.1-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
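
The advisory's source-patch route (steps a and b above) as one small script, added here as an example that is not code from the mail or from the advisory: it fetches the patch and its detached signature, refuses to continue unless gpg verifies the signature, and does a check-only run of patch(1) before touching /usr/src. It assumes gpg(1) is installed with the FreeBSD Security Officer key already imported; PATCH_URL, SRC and the function names are this script's own.

```shell
#!/bin/sh
# Added example (not from the mail or the advisory): wraps steps a) and b) so
# the patch is applied only after its detached PGP signature verifies and a
# check-only run shows every hunk applies cleanly to the source tree.
# Assumptions: gpg(1) is installed and the FreeBSD Security Officer key is in
# the keyring; PATCH_URL and SRC are variable names invented for this script.
set -eu

PATCH_URL=${PATCH_URL:-http://security.FreeBSD.org/patches/SA-10:08/bzip2.patch}
SRC=${SRC:-/usr/src}

# Verify the detached signature shipped beside the patch. gpg exits non-zero
# (and set -e aborts the script) if the signature is bad or the key is unknown.
verify_sig() {
    gpg --verify "$1.asc" "$1"
}

# Check-only run: exit 0 only if every hunk would apply to tree $1 from patch
# file $2. --dry-run is GNU patch's spelling; FreeBSD patch(1) accepts it as an
# alias for -C. -f suppresses questions, so an already-patched tree fails the
# check instead of being applied in reverse.
patch_applies() {
    (cd "$1" && patch -s -f --dry-run < "$2") >/dev/null 2>&1
}

# Apply patch file $2 to tree $1, but only after the check-only run succeeds.
apply_patch() {
    patch_applies "$1" "$2" || { echo "patch does not apply cleanly to $1" >&2; return 1; }
    (cd "$1" && patch -s -f < "$2")
}

main() {
    work=$(mktemp -d)
    fetch -o "$work/bzip2.patch" "$PATCH_URL"
    fetch -o "$work/bzip2.patch.asc" "$PATCH_URL.asc"
    verify_sig "$work/bzip2.patch"
    apply_patch "$SRC" "$work/bzip2.patch"
    # Same rebuild as step b); on amd64 the lib32 libraries still need a
    # full buildworld, as the advisory's NOTE says.
    cd "$SRC/lib/libbz2" && make obj && make depend && make && make install
}

# Only act when invoked as: sh sa-10-08.sh apply
if [ "${1:-}" = apply ]; then main; fi
```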


More information about the freebsd-questions mailing list