Updating bzip2 to remove potential security vulnerability

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Oct 2 08:09:14 UTC 2010


On 01/10/2010 21:59:40, Jerry wrote:
> On Fri, 1 Oct 2010 12:14:20 -0500
> Dan Nelson <dnelson at allantgroup.com> articulated:
> 
>> You must have missed 
>> http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
>> patches for 6, 7, and 8 are available there, and freebsd-update has
>> fixed binaries if you use that.
> 
> Never saw it. So I am assuming that simply using something like:
> 
> csup -L2 -h cvsup.FreeBSD.org "/usr/src/share/examples/cvsup/standard-supfile"
> 
> Then rebuild Kernel & World is not going to work. Is that correct?

Not correct.  csup(1) /after/ the date that fixes are published will
obtain sources that contain the fixes on all affected and supported
branches, including 8-STABLE and 9-CURRENT which aren't covered by
freebsd-update(8).  This will be documented in the security advisory,
where they list the revision numbers (both SVN and CVS) at which the
fixes were applied.

You don't need to /both/ apply patches and use csup -- csup already
contains the result of applying the patches.  Patches are an alternative
to csup, but the intended audience there is typically people running
either heavily customized variants of the OS or installations with
severely limited bandwidth or restricted internet connectivity.  The
majority of users should be using the standard update mechanisms -- csup
or freebsd-update.

Obviously, you will have to compile[*] and install the fixed software.
Going through a full buildworld cycle will certainly do that, but in
most cases you can achieve the required result by rebuilding and
reinstalling significantly smaller chunks of the system.  Again,
procedures to do this should be described in the security advisory,
together with any other requirements (e.g. that you would have to reboot
your system where there are significant changes to the kernel, or even
to ubiquitous bits like libc.so.)

	Cheers,

	Matthew

[*] Unless you're using freebsd-update, of course.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
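
Added example, not code from Matthew's reply or from the FreeBSD project: a
small POSIX sh script that encodes the decision described above (RELEASE
hosts take freebsd-update(8); -STABLE and -CURRENT hosts refresh sources with
csup(1) and then rebuild only the directories the advisory names, rather than a
full buildworld). The directory list SRC_DIRS, the DRY_RUN switch and the
function names are assumptions for illustration; the directories to rebuild and
any reboot requirement must be taken from the advisory itself, not from this
script.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): choose between the
# freebsd-update(8) path and the csup(1)-plus-partial-rebuild path, and
# print or run the resulting steps.

SRC_ROOT=${SRC_ROOT:-/usr/src}
# The standard supfile quoted in the thread.
SUPFILE=${SUPFILE:-/usr/src/share/examples/cvsup/standard-supfile}
# Source directories to rebuild, relative to $SRC_ROOT. Assumed placeholders
# for a bzip2 fix; the real list comes from the advisory text.
SRC_DIRS="lib/libbz2 usr.bin/bzip2"
# DRY_RUN=1 prints commands instead of executing them (execution needs root).
DRY_RUN=${DRY_RUN:-1}

# update_path <uname -r output>
# Prints "binary" for release branches served by freebsd-update(8), and
# "source" for -STABLE/-CURRENT, which freebsd-update does not cover.
update_path() {
    case "$1" in
        *-RELEASE|*-RELEASE-p[0-9]*) echo binary ;;
        *-STABLE|*-CURRENT)          echo source ;;
        *) echo unknown; return 1 ;;
    esac
}

# run <command...>: print the command under DRY_RUN, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fetch_sources: refresh the tree for the branch named in the supfile.
# After the advisory date the fetched tree already carries the fix.
fetch_sources() {
    run csup -L2 -h cvsup.FreeBSD.org "$SUPFILE"
}

# rebuild_dirs: the usual per-directory cycle instead of a full buildworld.
rebuild_dirs() {
    for d in $SRC_DIRS; do
        run sh -c "cd '$SRC_ROOT/$d' && make obj && make depend && make && make install"
    done
}

# plan <uname -r output>: print the steps for this host without running them.
plan() {
    case "$(update_path "$1")" in
        binary) printf '%s\n' "freebsd-update fetch" "freebsd-update install" ;;
        source) ( DRY_RUN=1; fetch_sources; rebuild_dirs ) ;;
        *)      echo "unrecognised release string: $1" >&2; return 1 ;;
    esac
}

# Only consult uname(1) on a FreeBSD host; elsewhere the functions are
# just available for inspection.
case "$(uname -s)" in
    FreeBSD) plan "$(uname -r)" ;;
esac
```

Run it with DRY_RUN=1 (the default) to see the plan for the running system; on
a -STABLE host that is the csup line followed by one make cycle per directory
in SRC_DIRS. Whichever path is taken, compare the resulting patch level or source
revision against the numbers published in the advisory before considering the
host fixed.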
