Latest FreeBSD Security Patch

Today I see there was a new security patch released for FreeBSD to patch BIND. I have installed the patch as per the instruction on the web site (using the source install option).

A couple of questions:

1) Is a reboot needed after installing this patch via source?

2) Normally when I upgrade my system via source I follow these steps:
Code:
* csup /root/supfile
* cd /usr/src
* make cleanworld && make cleandir
* make buildworld
* make buildkernel KERNCONF=ALPHA
* make installkernel KERNCONF=ALPHA
* shutdown -r now

Boot into single user mode:

* mount -u /
* mount -a -t ufs
* adjkerntz -i
* mergemaster -p
* cd /usr/src
* make installworld
* make delete-old
* mergemaster -i
* shutdown -r now

Is all this necessary when applying a single patch like I did today for BIND?
 
You'd have to recompile & install the changes.
A patched source tree won't do you much good if you don't update the binaries. :)
 
Savagedlight said:
You'd have to recompile & install the changes.
A patched source tree won't do you much good if you don't update the binaries. :)

The mentioned web site instruction includes a "make install".

Thus, the question remains if a reboot is needed after patching bind. I'd say no, a restart of the named daemon should be sufficient. But I'm as unsure about that issue as the thread starter ...

(I will skip this security fix this time because I'm running nsd and unbound instead.)
 
xy16644 said:
Is all this necessary when applying a single patch like I did today for BIND?
Read the advisory.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4,
8.3, 8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/dns
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE,
or 9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

In this case a restart of BIND would suffice.
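
Added example, not part of the thread or the advisory: a wrapper that refuses to run the advisory's source-patch steps unless the detached PGP signature verifies and a dry run applies cleanly. It assumes GnuPG is installed and the FreeBSD Security Officer key is already in the keyring; the function names, return codes and the script name apply-sa.sh are made up for illustration.

```shell
#!/bin/sh
# Added example: gate the advisory's source-patch steps on the PGP check.
# Assumptions: GnuPG is installed and the FreeBSD Security Officer key is
# already in the keyring, with its fingerprint checked out of band.

# verify_and_apply PATCH SIG SRCDIR   (PATCH and SIG as absolute paths)
# Returns 0 applied, 1 bad arguments, 2 bad signature, 3 dry run failed,
# 4 apply failed.
verify_and_apply() {
    patch_file=$1; sig_file=$2; src_dir=$3
    case "$patch_file" in /*) ;; *) return 1 ;; esac

    # The detached signature must verify against this exact patch file.
    if ! gpg --verify "$sig_file" "$patch_file" >/dev/null 2>&1; then
        echo "signature check failed, not touching $src_dir" >&2
        return 2
    fi

    # patch -C (check mode in FreeBSD's patch) changes nothing; it only
    # reports whether every hunk would apply to this source tree.
    if ! (cd "$src_dir" && patch -C < "$patch_file") >/dev/null 2>&1; then
        echo "patch does not apply cleanly to $src_dir" >&2
        return 3
    fi

    (cd "$src_dir" && patch < "$patch_file") || return 4
    return 0
}

# rebuild_named SRCDIR: the advisory's two build steps, stopping at the
# first step that fails.
rebuild_named() {
    for d in lib/bind/dns usr.sbin/named; do
        (cd "$1/$d" && make obj && make depend && make && make install) \
            || return 5
    done
}

# Usage: sh apply-sa.sh /abs/bind.patch /abs/bind.patch.asc /usr/src
if [ "$#" -eq 3 ]; then
    verify_and_apply "$1" "$2" "$3" && rebuild_named "$3"
fi
```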
 
I'm trying to apply this patch. Everything worked fine until I tried to run make depend in /usr/src/usr.sbin/named. Make complained that it didn't know how to build libbind9.a. So, I went into the bind9 directory and ran make there. That worked. I had to repeat this for libisccc.a, libisccfg.a, libisca.a, and liblwres.a.

Now, when I run make in /usr/src/usr.sbin/named, I get:

Code:
cc: ../../lib/bind/bind9/libbind9.a: No such file or directory
cc: ../../lib/bind/isccc/libisccc.a: No such file or directory
cc: ../../lib/bind/isccfg/libisccfg.a: No such file or directory
cc: ../../lib/bind/isc/libisc.a: No such file or directory
cc: ../../lib/bind/lwres/liblwres.a: No such file or directory
*** Error code 1

Why is this?
 
Likely bad linking during compilation; retry at least 4 times to be quite sure it's not your make.conf. Remember to cleanworld && cleandeps also; if it still doesn't work, it could be a bug.
 
Thanks for the reply. I've retried more than 4 times and it still doesn't work. I modified the makefile in /usr/src/usr.sbin/named to use absolute instead of relative paths. After that, the linker could find the libraries.

Now, it's complaining that there's no libdns.a. When I go into the dns directory and run make, nothing happens.

Am I the only one having these problems?
 
Hi radmanly,

You are not the only one who is experiencing this.
I have the same problem on several i386 servers running 8.3-RELEASE-p3.

FreeBSD gurus, please help!
 
I don't know if rebuilding world is an option for you, lyubomirrussev, but it fixed the problem for me. After make cleanworld & make buildworld, I rebooted to single-user mode and did a make installworld and now have a brand new named. Rebuilding world to get a small named patch seems like overkill but it worked. :)

Thanks!
 
Thanks for the solution, radmanly!

However, in my humble opinion there is something wrong in the /usr/sbin/named build dependencies, which require rebuilding the whole system via
# make cleanworld
# make buildworld
and
# make installworld
 