# A correct way to install security fixes



## eujedi (Nov 21, 2008)

*Correct way to install security fixes*

What is the correct way to install security patches for FreeBSD? For example, I have FreeBSD 7.0. My supfile says RELENG_7_0. The question is: do I have to buildworld, or do the security patches only affect the kernel? Is it enough to build a new kernel to be sure I'm safe? :f


----------



## anomie (Nov 21, 2008)

As I understand it, it'd be better to rebuild both world and kernel together. (This is the safer approach, IMO.) 

Although if you've used freebsd-update, you will notice that it only seems to update the kernel when there's a kernel-specific fix.


----------



## SirDice (Nov 21, 2008)

Read /usr/src/UPDATING. It should tell you what you need to do and what's required. 
Some kernel changes result in having to recompile the userland programs that use those kernel options.


----------



## eujedi (Nov 22, 2008)

Ok, I got it. It's safer to recompile everything... But still, as far as I understand, security patches are only for kernel code. They can affect userland, but the patch itself is for the kernel. Am I right?


----------



## gelraen (Nov 22, 2008)

I think you should look at the list of files changed within the security fix. It may be enough to rebuild a single kernel module or userland program w/o need of buildkernel/buildworld.


----------



## rliegh (Nov 22, 2008)

eujedi said:

> Ok, I got it. It's safer to recompile everything... But still, as far as I understand, security patches are only for kernel code. They can affect userland, but the patch itself is for the kernel. Am I right?


They often affect userland too; there have been exploits in recent years involving compression libraries and graphics libraries, neither of which has anything to do with the kernel (and in the latter case it would have been handled in ports).

To the best of my knowledge, the proper thing to do is to use cvs to update your src tree to your current release (e.g. RELENG_6_1 or what have you) and then rebuild the system following the instructions in the handbook.

It's time-consuming and a hassle, but unlike Linux, FreeBSD (all BSDs, really) is built as a *system*, so you can't just replace the parts willy-nilly. It's designed to be built and run as one coherent unit.

I had thought there was a binary patch mechanism for FreeBSD, but surfing around the FAQ, handbook and a couple of security advisories didn't yield any results, so I may be remembering wrong.


----------



## anomie (Nov 22, 2008)

rliegh said:

> I had thought there was a binary patch mechanism for FreeBSD



That's freebsd-update (and it is now part of the base system).


----------



## danger@ (Nov 23, 2008)

Every Security Advisory issued by the FreeBSD Security Team contains detailed information about the affected files and instructions on how to fix affected systems.

Generally speaking, if the issue is kernel-related, you will need to recompile the whole kernel. If it's related to some userland utilities, you will have to recompile/reinstall just those utilities.

Or just simply use freebsd-update for binary updates (something like Microsoft Update); however please note that it doesn't handle custom kernels and/or custom make.conf / src.conf options...
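The two posts above (gelraen's and danger@'s) both come down to the same triage step: look at which source files an advisory touches and decide whether you need a kernel rebuild, a rebuild of a few userland directories, or both. The POSIX sh helper below is an added example written for this thread, not code from the FreeBSD project or from any poster. It assumes the advisory's changed files are given as paths relative to /usr/src (the sample paths at the bottom are constructed for illustration, not taken from a real advisory), and it only prints the usual handbook-style rebuild commands rather than running them, so you can review the plan before touching a system.

```sh
#!/bin/sh
# Added example: classify the files an advisory changes into kernel vs
# userland sources and print a rebuild plan. Paths are assumed to be
# relative to /usr/src, as FreeBSD source trees are laid out.

# classify_path PATH -> prints "kernel" for anything under sys/, else "userland"
classify_path() {
    case "$1" in
        sys/*) echo kernel ;;
        *)     echo userland ;;
    esac
}

# plan_rebuild reads one path per line on stdin and prints
# kernel | userland | both | none, depending on what was touched.
plan_rebuild() {
    kernel=0
    userland=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        case "$(classify_path "$p")" in
            kernel)   kernel=1 ;;
            userland) userland=1 ;;
        esac
    done
    if [ "$kernel" -eq 1 ] && [ "$userland" -eq 1 ]; then
        echo both
    elif [ "$kernel" -eq 1 ]; then
        echo kernel
    elif [ "$userland" -eq 1 ]; then
        echo userland
    else
        echo none
    fi
}

# userland_dirs reads paths on stdin and prints the unique userland source
# directories (e.g. lib/libz) that need a per-directory rebuild.
userland_dirs() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        case "$(classify_path "$p")" in
            userland) dirname "$p" ;;
        esac
    done | sort -u
}

# rebuild_hints reads paths on stdin and prints, but does not execute, the
# commands a rebuild would involve. KERNCONF=GENERIC is an assumed default;
# custom kernels need their own config name.
rebuild_hints() {
    tmp=$(mktemp)
    cat > "$tmp"
    plan=$(plan_rebuild < "$tmp")
    case "$plan" in
        kernel|both)
            echo "cd /usr/src && make buildkernel KERNCONF=GENERIC && make installkernel KERNCONF=GENERIC" ;;
    esac
    case "$plan" in
        userland|both)
            userland_dirs < "$tmp" | while IFS= read -r d; do
                echo "cd /usr/src/$d && make obj && make depend && make && make install"
            done ;;
    esac
    rm -f "$tmp"
}

# Constructed sample list standing in for an advisory's changed files.
SAMPLE_FILES='sys/netinet/tcp_input.c
lib/libz/inflate.c
lib/libz/zlib.h
usr.bin/gzip/gzip.c'

printf '%s\n' "$SAMPLE_FILES" | plan_rebuild
printf '%s\n' "$SAMPLE_FILES" | rebuild_hints
```

For the constructed sample the plan is "both": the sys/netinet change calls for buildkernel/installkernel, while the libz and gzip changes only need their two directories rebuilt and reinstalled. The script deliberately stops at printing commands; reading /usr/src/UPDATING and the advisory itself, as SirDice and danger@ say, still decides what actually gets run.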


----------

