# Curiosity: How do all bugfixes in 9.1 find their way into 9.2?



## ShelLuser (Oct 2, 2013)

Hi gang!

Just like everyone else I'm also quite excited about the release of FreeBSD 9.2-RELEASE and in anticipation of what is to come already managed to upgrade a (dummy / test) VPS system from FreeBSD 9.1-RELEASE-p7 to 9.2-RELEASE using freebsd-update.

However, for my main servers I'm planning to fully utilize the source tree for both the kernel as well as the userland utilities. At least that's the idea right now, I'm still studying and carefully setting up a plan of action (considering that I have at least 8 months to perform the upgrade I'm in no hurry).

Now, I have both source trees on my main server and started to look into UPDATING. Here I noticed some entries from the 9.1 release (/usr/src/UPDATING) which aren't present in the 9.2 release (/usr/src92/UPDATING). For example:


```
20130726:       p5      FreeBSD-SA-13:07.bind FreeBSD-SA-13:08.nfsserver
        Fix Denial of Service vulnerability in named(8). [13]

        Fix a bug that allows remote client bypass the normal
        access checks when when -network or -host restrictions are
        used at the same time with -mapall. [13]
```

and

```
20130402:       p2      FreeBSD-SA-13:03.openssl FreeBSD-SA-13:04.bind
        Fix multiple vulnerabilities in OpenSSL.

        Fix Denial of Service vulnerability in named(8).
```
Whereas other entries are present in both files.

Like the subject says, I'm a bit curious. I assume that these fixes have also found their way into the new release, but I'm wondering why they're not mentioned in the UPDATING file?

My assumption at this time is because these both concern 'external' programs which have become part of the base system. I conclude as much because when looking at the entries of the 9.2 release you'll notice that all of them (looking at the entries after the 9.1 release) apply to the system itself.

For example, updates to tools such as hastctl or gdb can be considered updates to the base system. Just like updates to the ZFS filesystem (20130605; the addition of ZFS TRIM support).

Thanks in advance for any comments.


----------



## ondra_knezour (Oct 2, 2013)

Availability of the security patches is mentioned in the Security Advisory with dates and revisions given.

If you go through the commit messages, you will see that this fix is mentioned in the 9-STABLE /usr/src/UPDATING as



> 20130429:
> Fix a bug that allows NFS clients to issue READDIR on files.



Something was fixed with a short note in development and later backported to production (security patches for the security supported releases) with appropriate comment.


----------



## SirDice (Oct 2, 2013)

Releases are cut from the -STABLE branches. The -STABLE branches have bug and security fixes and occasionally new features. But why the security issues aren't mentioned in -STABLE's UPDATING is a good question.


----------



## kpa (Oct 2, 2013)

The security advisories should be treated as the official source, I think. UPDATING should have the same information, but it's updated manually and the procedure is not foolproof.


----------
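
The comparison from the opening post, as an added example that is not part of any post in this thread and is not FreeBSD project code: it lists the advisories named on the entry headers of one UPDATING file that a second UPDATING file does not name. The function names and the sample files are constructed (the 9.1 entries are abridged from the post, and `FreeBSD-SA-99:99.placeholder` is a made-up identifier); the output only shows what UPDATING mentions, so each listed advisory still has to be checked against the advisory itself, which gives the dates and revisions.

```shell
#!/bin/sh
# Print "advisory-id date" for every FreeBSD-SA named on an UPDATING entry header.
sa_entries() {
    awk '/^[0-9][0-9]*:/ {
        date = $1; sub(/:$/, "", date)
        for (i = 2; i <= NF; i++)
            if ($i ~ /^FreeBSD-SA-[0-9]+:[0-9]+\./) print $i, date
    }' "$1" | sort -u
}

# Advisories named in UPDATING file $1 that UPDATING file $2 does not name.
sa_missing() {
    old=$(mktemp) || return 1
    new=$(mktemp) || return 1
    sa_entries "$1" > "$old"
    sa_entries "$2" > "$new"
    # Test FILENAME rather than NR == FNR so a $2 with no advisories still works.
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen)' "$new" "$old"
    rm -f "$old" "$new"
}

# Constructed sample files written into directory $1; the 99:99 entry is a
# placeholder standing in for "an entry present in both files".
write_samples() {
    cat > "$1/UPDATING.91" <<'EOF'
20130726:       p5      FreeBSD-SA-13:07.bind FreeBSD-SA-13:08.nfsserver
        Fix Denial of Service vulnerability in named(8). [13]

20130402:       p2      FreeBSD-SA-13:03.openssl FreeBSD-SA-13:04.bind
        Fix multiple vulnerabilities in OpenSSL.

20120101:       p0      FreeBSD-SA-99:99.placeholder
        Constructed entry present in both files.
EOF
    cat > "$1/UPDATING.92" <<'EOF'
20130429:
        Fix a bug that allows NFS clients to issue READDIR on files.

20120101:       p0      FreeBSD-SA-99:99.placeholder
        Constructed entry present in both files.
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
sa_missing "$demo/UPDATING.91" "$demo/UPDATING.92"
rm -rf "$demo"
```

On a real system the two arguments would be the paths from the opening post, `/usr/src/UPDATING` and `/usr/src92/UPDATING`.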

