Re: Is there any way to know if userland is patched?

From: Julian Elischer (julian_at_elischer.org)
Date: 11/10/04

  • Next message: John Webster: "Re: Firewall rules that discriminate by connection duration"
    Date: Wed, 10 Nov 2004 09:45:00 -0800
    To: Xin LI <delphij@frontfree.net>
    
    

    Xin LI wrote:
    > Dear folks,
    >
    > I'm recently investigating large scale deployment and upgrading FreeBSD
    > RELEASE. It's our tradition to bump "RELEASE-pN" after a security patch
    > is applied, however, it seems that there is less method to determine
    > whether the userland is patched, which is somewhat important for large
    > site managements.
    >
    > So is "uname -sr" the only way to differencate the patchlevel of a security
    > branch? I have read Colin's freebsd-update script and to my best of
    > knowledge this is the only way (and, on condition that we have re-compiled
    > the kernel and installed it, and reboot'ed). Given the nature of a security
    > or errata branch, we can expect that no API/ABI changes will occour and it
    > should be safe to do make installworld/installkernel in any order, and bumping
    > patchlevel does not mean that a reboot must be done.
    >
    > Please correct me if I was wrong, thanks.

    I upgrade systems by creating packages which contain all upgraded files
    I have a set of makefiles etc. checked into my local CVS tree that check out
    a freeBSD tree at a given revision and build it (withlocal patches added)
    and then extracts out fies according to a list I supply. On completion I check
    the list in too, so I can theoretically recreate that patch..

    I use the package system to keep track of which packages are loaded onto a
    system, and newer upgrade packages always have earlier ones as dependencies..

    >
    > Cheers,

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: John Webster: "Re: Firewall rules that discriminate by connection duration"

    Relevant Pages

    • Re: Still having trouble with package upgrades
      ... binary packages and upgrades on FreeBSD. ... There is no real reason why FreeBSD should not provide a facility for users ... with a simple upgrade command. ... Especially considering its a good design practice for kernel to provide ...
      (freebsd-questions)
    • Re: Still having trouble with package upgrades
      ... binary packages and upgrades on FreeBSD. ... There is no real reason why FreeBSD should not provide a facility for users ... with a simple upgrade command. ... Especially considering its a good design practice for kernel to provide ...
      (freebsd-questions)
    • Re: Still having trouble with package upgrades
      ... binary packages and upgrades on FreeBSD. ... There is no real reason why FreeBSD should not provide a facility for users ... with a simple upgrade command. ... As for the security issues of downloading binary packages. ...
      (freebsd-questions)
    • RE: Still having trouble with package upgrades
      ... ports and packages system. ... There is no real reason why FreeBSD should not provide a facility fo r users ... with a simple upgrade command. ... kernel and userland programs have to be upgraded at the same= time. ...
      (freebsd-questions)
    • Re: Is there any way to know if userland is patched?
      ... > I'm recently investigating large scale deployment and upgrading FreeBSD ... I upgrade systems by creating packages which contain all upgraded files ... I have a set of makefiles etc. checked into my local CVS tree that check out ... and newer upgrade packages always have earlier ones as dependencies.. ...
      (freebsd-hackers)