Re: Does the patching procedure work?

From: Jacques A. Vidrine (nectar@FreeBSD.org)
Date: Wed Mar 05 2003 - 13:09:55 CST


On Wed, Mar 05, 2003 at 10:18:03AM -0700, Brett Glass wrote:
> It turns out that it was 4.5-RELEASE-p4, just a sliver before
> 4.6. (The system had been patched for later problems rather
> than upgraded, because it's a production machine.) Quite recent.
> (You don't want to change point versions constantly on
> production machines.)

If this machine had been kept up-to-date (i.e. was 4.5-RELEASE-p22 or
more recent, or had the previous sendmail bug patched), then the patch
would probably have worked out.
 
> I was lucky I noticed the problem. The messages just rolled
> by, and if I hadn't scrolled back I would not have caught
> them. I'll bet some folks missed this and are unprotected.
> (The hunks that are rejected are important, but the message
> about dropping the comments is in one of the hunks that's
> accepted, so it looks as if the patch took!)

Lucky? Hrmpf, a system administrator has to be careful. Actually
examining the output of any given command that one runs is pretty much
a requirement if you want to know if it succeeded or not... as is
checking the exit code.

But here's a tip to make that easier: use the `-s' and `-C' flags with
patch. See the man page.

> What I have done on that machine is install the 4.6 binary,
> which seems to run just fine on 4.5 and even 4.4 (though
> you may need to add the missing group).

Cool.
 
> Patches should be provided back to 4.4, IMHO.

Um, in this case, they were provided all the way back to 3.x.

However, in general, the table at
<URL: http://www.freebsd.org/security/#adv>
is what you can count on.

I will gladly extend the lifetime of one branch one extra year for
each US$25,000 I receive.

Cheers,
--
Jacques A. Vidrine <nectar@celabo.org> http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
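As an added illustration of the tip in the message above (not code from the thread or from FreeBSD): a small wrapper that dry-runs the patch first and trusts only patch(1)'s exit status and the absence of reject files, so a patch with rejected hunks cannot look as if it "took". It assumes a patch(1) that accepts --dry-run, the long spelling of the -C flag mentioned above, which both FreeBSD's and GNU patch understand; the target file and the two-hunk diff are constructed fixtures.

```shell
#!/bin/sh
# Added example, not code from the thread: refuse to apply a patch unless a
# dry run applies every hunk, so a partly-rejected patch cannot scroll past.
# Assumes patch(1) accepts --dry-run (the long form of FreeBSD's -C, also
# understood by GNU patch); -s silences all but real failures.

# check_patch DIR PATCHFILE: exit status 0 only if every hunk would apply.
# The exit status, not the scrolling output, is the authoritative answer.
check_patch() {
    (cd "$1" && patch -s -p0 --dry-run < "$2") >/dev/null 2>&1
}

# apply_patch DIR PATCHFILE: dry run first, apply second, then make sure
# patch(1) left no *.rej files behind anyway.
apply_patch() {
    check_patch "$1" "$2" || { echo "refusing to apply: dry run failed" >&2; return 1; }
    (cd "$1" && patch -s -p0 < "$2") || return 1
    rej=$(find "$1" -name '*.rej' | wc -l | tr -d ' ')
    [ "$rej" -eq 0 ] || { echo "$rej reject file(s) left behind" >&2; return 1; }
}

# Constructed fixture: a two-hunk patch written against a tree that already
# carries an earlier fix ("current"). An "outdated" tree never got that fix,
# so hunk 1 applies but hunk 2's context does not match and is rejected.
make_fixture() {
    d=$(mktemp -d)
    if [ "$1" = current ]; then eighth='line8 prior-fix'; else eighth=line8; fi
    printf 'line1\nline2\nline3\nline4\nline5\nline6\nline7\n%s\nline9\n' "$eighth" > "$d/conf.c"
    cat > "$d/fix.diff" <<'EOF'
--- conf.c
+++ conf.c
@@ -1,3 +1,3 @@
 line1
-line2
+line2 fixed
 line3
@@ -7,3 +7,3 @@
 line7
-line8 prior-fix
+line8 fixed
 line9
EOF
    echo "$d"
}

# Stand-alone run: the outdated tree must be refused and left untouched.
old=$(make_fixture outdated)
if apply_patch "$old" "$old/fix.diff"; then echo "unexpected success"; exit 1; fi
grep -q '^line2$' "$old/conf.c" && echo "outdated tree refused; conf.c unmodified"
```

Without the dry run, plain `patch` would have applied hunk 1 and written hunk 2 to conf.c.rej, leaving the tree half-fixed while the accepted hunk's output scrolled by.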
