Tom Carpenter tomc at bio.umass.edu
Mon Nov 14 16:11:35 UTC 2011

Do you anticipate the release of a fix/update that will allow
systems to be patched to -p4 or later via freebsd-update?

-Tom Carpenter

On 11/14/2011 05:25 AM, Evalyn wrote:
> It touches the kernel but you need to do make buildkernel/make installkernel
> before uname -a shows "8.2-RELEASE-p4".
> Regards,
> Evalyn
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Matthew Seaman
> Sent: 12 November 2011 02:03
> To: Robert Simmons
> Cc: freebsd-questions at freebsd.org
> Subject: Re: 8.2-RELEASE-p4
> On 11/11/2011 21:03, Robert Simmons wrote:
>>> Note that if a security update is just to some userland programs,
>>> freebsd-update won't touch the OS kernel, so the reported version
>>> number doesn't change even though the update has been applied.  In
>>> these sort of cases, it's not necessary to reboot, just to restart
>>> any long running processes (if any) affected by the update.  The
>>> security advisory should have more detailed instructions about
>>> exactly what to do.  (The -p2 to -p3 update was like this, but the
>>> -p3 to -p4 update definitely did affect the kernel so a reboot was
>>> necessary.)
>> I'm not confident that you are correct here.  See above.  Either p3-p4
>> did not touch the kernel, or the OP has a legitimate question.
> Interesting.  I based what I said on the text of the security advisories:
> http://security.freebsd.org/advisories/FreeBSD-SA-11:04.compress.asc
> http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc
> Specifically the 'Corrected:' section near the top.  I think it's clear that
> FreeBSD-SA-11:04.compress (Corrected in 8.2-RELEASE-p3) doesn't involve
> anything in the kernel but FreeBSD-SA-11:05.unix (Corrected in
> 8.2-RELEASE-p4) is entirely within the kernel code.  Except those advisories
> aren't telling the whole story.
> Let's look at r226023 in SVN.  That's the revision quoted in the 11.05
> advisory.  The log for newvers.sh in
> http://svnweb.freebsd.org/base/releng/8.2/sys/conf/newvers.sh?view=log&pathrev=226023
> says that the patches in RELEASE-p4 were not actually the security fix
> -- rather they fixed a problem revealed by the actual security fix, which
> was applied simultaneously with the patches in FreeBSD-SA-11:04.compress.
> 11.05 was committed in two blobs spanning
> -p3 and -p4.
> So, the good news is that if you have at least 8.2-RELEASE-p3 then you don't
> have any (known) security holes.  However if you don't have the patches in
> 8.2-RELEASE-p4 then linux apps run under emulation will crash if they use
> unix domain sockets.  The flash plugin for Firefox being the most prominent
> example as I recall.
> Now the updates for -p4 certainly should have touched the kernel, and
> certainly should have resulted in an updated uname string[*].  There should
> also be a note about -p4 in /usr/src/UPDATING.  Starting to wonder if the
> -p4 patches are actually available via freebsd-update(8)
> -- could they have been omitted because it wasn't actually a security fix?
> Odd that no one would have commented in a whole month if so.
> 	Cheers,
> 	Matthew
> [*] strings /boot/kernel/kernel | grep '8\.2-'   should give the same
> results as uname(1): if it's different then the running kernel is not the
> same as the one on disk...
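
The check from the footnote above, written out as a small script. This is an added example, not part of the original thread; the function names and the sample strings are constructed for illustration, and the pattern only looks for -RELEASE branches.

```sh
#!/bin/sh
# Added example (not from the thread): has the patched kernel been booted?

# Constructed sample of what `strings /boot/kernel/kernel` might contain.
SAMPLE_STRINGS='@(#)FreeBSD 8.2-RELEASE-p4 #0: (constructed build line)
FreeBSD 8.2-RELEASE-p4 #0: (constructed build line)
8.2-RELEASE-p4
some unrelated string'

# Pull release strings such as "8.2-RELEASE-p4" out of text on stdin.
# sort -u collapses the several copies a kernel image embeds.
release_strings() {
    grep -Eo '[0-9]+\.[0-9]+-RELEASE(-p[0-9]+)?' | sort -u
}

# compare_kernels ON_DISK RUNNING
#   0 = running release is the one found in the on-disk image
#   1 = they differ, so the installed kernel has not been booted yet
#   2 = no release string found in the image (cannot decide)
compare_kernels() {
    on_disk=$1
    running=$2
    if [ -z "$on_disk" ]; then
        echo "unknown: no release string found in kernel image"
        return 2
    fi
    if printf '%s\n' "$on_disk" | grep -Fxq -- "$running"; then
        echo "ok: running kernel matches on-disk kernel ($running)"
        return 0
    fi
    echo "reboot-needed: running $running, on disk $on_disk"
    return 1
}

# Live check, only where the kernel path from the post exists.
if [ -r /boot/kernel/kernel ] && command -v strings >/dev/null 2>&1; then
    compare_kernels "$(strings /boot/kernel/kernel | release_strings)" \
        "$(uname -r)" || true
fi
```

As the thread points out, an "ok" here says nothing about userland-only updates, which leave the kernel string unchanged.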