Matthew Seaman m.seaman at infracaninophile.co.uk
Fri Nov 11 23:03:42 UTC 2011

On 11/11/2011 21:03, Robert Simmons wrote:
>> Note that if a security update is just to some userland programs,
>> > freebsd-update won't touch the OS kernel, so the reported version number
>> > doesn't change even though the update has been applied.  In these sort
>> > of cases, it's not necessary to reboot, just to restart any long running
>> > processes (if any) affected by the update.  The security advisory should
>> > have more detailed instructions about exactly what to do.  (The -p2 to
>> > -p3 update was like this, but the -p3 to -p4 update definitely did
>> > affect the kernel so a reboot was necessary.)

> I'm not confident that you are correct here.  See above.  Either p3-p4
> did not touch the kernel, or the OP has a legitimate question.

Interesting.  I based what I said on the text of the security advisories:


Specifically the 'Corrected:' section near the top.  I think it's clear
that FreeBSD-SA-11:04.compress (Corrected in 8.2-RELEASE-p3) doesn't
involve anything in the kernel but FreeBSD-SA-11:05.unix (Corrected in
8.2-RELEASE-p4) is entirely within the kernel code.  Except those
advisories aren't telling the whole story.

Lets look at r226023 in SVN.  That's the revision quoted in the 11.05
advisory.  The log for newvers.sh in


says that the patches in RELEASE-p4 were not actually the security fix
-- rather they fixed a problem revealed by the actual security fix,
which was applied simultaneously with the patches in
FreeBSD-SA-11:04.compress.  11.05 was committed in two blobs spanning
-p3 and -p4.

So, the good news is that if you have at least 8.2-RELEASE-p3 then you
don't have any (known) security holes.  However if you don't have the
patches in 8.2-RELEASE-p4 then linux apps run under emulation will crash
if they use unix domain sockets.  The flash plugin for FireFox being the
most prominent example as I recall.

Now the updates for -p4 certainly should have touched the kernel, and
certainly should have resulted in an updated uname string[*].  There
should also be a note about -p4 in /usr/src/UPDATING.  Starting to
wonder if the -p4 patches are actually available via freebsd-update(8)
-- could they have been omitted because it wasn't actually a security
fix?  Odd that no one would have commented in a whole month if so.



[*] strings /boot/kernel/kernel | grep '8\.2-'   should give the same
results as uname(1): if it's different then the running kernel is not
the same as the one on disk...

Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20111111/735ea7a1/signature.pgp

More information about the freebsd-questions mailing list