Latest FreeBSD Security Patch - The FreeBSD Forums

#1 xy16644, August 7th, 2012, 18:13

Today I see there was a new security patch released for FreeBSD to patch BIND. I have installed the patch as per the instruction on the web site (using the source install option).

Couple questions:

1) Is a reboot needed after installing this patch via source?

2) Normally when I upgrade my system via source I follow these steps:
Code:
* csup /root/supfile
* cd /usr/src
* make cleanworld && make cleandir
* make buildworld
* make buildkernel KERNCONF=ALPHA
* make installkernel KERNCONF=ALPHA
* shutdown -r now

Boot into single user mode:

* mount -u /
* mount -a -t ufs
* adjkerntz -i
* mergemaster -p
* cd /usr/src
* make installworld
* make delete-old
* mergemaster -i
* shutdown -r now
Is all this necessary when applying a single patch like I did today for BIND?

#2 Savagedlight, August 8th, 2012, 01:53

You'd have to recompile & install the changes.
A patched source tree won't do you much good if you don't update the binaries.

#3 uisge, August 8th, 2012, 07:08

Quote (originally posted by Savagedlight):
> You'd have to recompile & install the changes.
> A patched source tree won't do you much good if you don't update the binaries.

The mentioned web site instruction includes a "make install".

Thus, the question remains if a reboot is needed after patching bind. I'd say no, a restart of the named daemon should be sufficient. But I'm as unsure about that issue as the thread starter ...

(I will skip this security fix this time because I'm running nsd and unbound instead.)
__________________
regards, uisge

#4 SirDice, August 8th, 2012, 07:48

Quote (originally posted by xy16644):
> Is all this necessary when applying a single patch like I did today for BIND?

Read the advisory.

Quote:
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to FreeBSD 7.4,
> 8.3, 8.2, 8.1 and 9.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch
> # fetch http://security.FreeBSD.org/patches/...bind.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/bind/dns
> # make obj && make depend && make && make install
> # cd /usr/src/usr.sbin/named
> # make obj && make depend && make && make install
>
> 3) To update your vulnerable system via a binary patch:
>
> Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE,
> or 9.0-RELEASE on the i386 or amd64 platforms can be updated via the
> freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install

In this case a restart of BIND would suffice.
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
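
A restart only helps if it actually happens after the install, so the following added example (not part of the original thread or the advisory) checks whether the running named was started before the binary on disk was replaced. The pidfile path /var/run/named/pid and all function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: detect a named process that predates the installed binary.
# Assumption (not from the thread): the pidfile is /var/run/named/pid.

# Strip leading zeros so "08" is not read as invalid octal inside $(( )).
dec() {
    n=$1
    while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n=${n#0}; done
    echo "${n:-0}"
}

# Convert `ps -o etime` output, format [[dd-]hh:]mm:ss, to seconds.
etime_to_seconds() {
    et=$1 d=0 h=0
    case $et in *-*) d=${et%%-*}; et=${et#*-} ;; esac
    case "$d$et" in ''|*[!0-9:]*) return 1 ;; esac
    oifs=$IFS; IFS=:; set -- $et; IFS=$oifs
    case $# in
        2) m=$1 s=$2 ;;
        3) h=$1 m=$2 s=$3 ;;
        *) return 1 ;;
    esac
    echo $(( $(dec "$d") * 86400 + $(dec "$h") * 3600 + $(dec "$m") * 60 + $(dec "$s") ))
}

# Modification time in epoch seconds: GNU stat first, then BSD stat.
file_mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null; }

# True when the process has run longer ($1 s) than the binary has existed ($2 s).
process_predates_binary() { [ "$1" -gt "$2" ]; }

# Exit status: 0 = running the installed binary, 1 = stale, 2 = cannot tell.
check_named() {
    pidfile=${1:-/var/run/named/pid}
    binary=${2:-/usr/sbin/named}
    pid=$(cat "$pidfile" 2>/dev/null) || return 2
    etime=$(ps -o etime= -p "$pid" 2>/dev/null | tr -d ' ')
    running=$(etime_to_seconds "$etime") || return 2
    mtime=$(file_mtime "$binary") || return 2
    age=$(( $(date +%s) - mtime ))
    if process_predates_binary "$running" "$age"; then
        echo "named (pid $pid) started before $binary was installed: restart it"
        return 1
    fi
    echo "named (pid $pid) was started after $binary was installed"
}
# Usage after `make install` or `freebsd-update install`: check_named
```

A status of 1 means the file on disk is patched but the process in memory is still the old code, which is the state a plain `make install` leaves behind until named is restarted.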

#5 radmanly, August 11th, 2012, 13:57

I'm trying to apply this patch. Everything worked fine until I tried to run make depend in /usr/src/usr.sbin/named. Make complained that it didn't know how to build libbind9.a. So, I went into the bind9 directory and ran make there. That worked. I had to repeat this for libisccc.a, libisccfg.a, libisc.a, and liblwres.a.

Now, when I run make in /usr/src/usr.sbin/named, I get:

Code:
cc: ../../lib/bind/bind9/libbind9.a: No such file or directory
cc: ../../lib/bind/isccc/libisccc.a: No such file or directory
cc: ../../lib/bind/isccfg/libisccfg.a: No such file or directory
cc: ../../lib/bind/isc/libisc.a: No such file or directory
cc: ../../lib/bind/lwres/liblwres.a: No such file or directory
*** Error code 1
Why is this?

#6 phobis, August 14th, 2012, 04:38

Likely bad linking during compilation; retry at least 4 times to be quite sure it's not your make.conf. Remember to cleanworld && cleandeps also; if it still doesn't work, it could be a bug.

#7 radmanly, August 14th, 2012, 14:48

Thanks for the reply. I've retried more than 4 times and it still doesn't work. I modified the makefile in /usr/src/usr.sbin/named to use absolute instead of relative paths. After that, the linker could find the libraries.

Now, it's complaining that there's no libdns.a. When I go into the dns directory and run make, nothing happens.

Am I the only one having these problems?

#8 Savagedlight, August 15th, 2012, 07:37

May I suggest you do a cleanworld & buildworld (but not installworld) in /usr/src, then try to install the named binary?

#9 lyubomirrussev, August 16th, 2012, 10:46

Hi radmanly,

You are not the only one who is experiencing this.
I have the same problem on several i386 servers running 8.3-RELEASE-p3.

FreeBSD gurus, please help!

#10 radmanly, August 16th, 2012, 13:04

I don't know if rebuilding world is an option for you, lyubomirrussev, but it fixed the problem for me. After make cleanworld & make buildworld, I rebooted to single-user mode and did a make installworld and now have a brand new named. Rebuilding world to get a small named patch seems like overkill but it worked.

Thanks!

#11 lyubomirrussev, August 17th, 2012, 06:46

Thanks for the solution, radmanly!

However, in my humble opinion there is something wrong in the /usr/sbin/named build dependencies, which require rebuilding the whole system via
# make cleanworld
# make buildworld
and
# make installworld