Solved Security Advisory question

Hello,

I read through the below, but have a few questions
http://docs.freebsd.org/doc/9.2-RELEASE/share/doc/freebsd/handbook/security-advisories.html

to help explain and understand advisories. In regards to this specific one:
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:25.ntp.asc

I'm trying to figure out the corrected lines:

Code:
Category: contrib
Module: ntp
Announced: 2015-10-26, revised on 2015-11-04
Credits: Network Time Foundation
Affects: All supported versions of FreeBSD.
Corrected: 2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
                 2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7)

Does the stable/10 mean that it was fixed on 10-26 for the 10.0 series? If so, then what is the 10.2?

Thanks for any help. It also says that the second revision of the patch was released on 11-04 so I think the 10-26 line is irrelevant?

Thanks.
 
stable/10 means the patch was incorporated into the source tree for 10-STABLE on that date. stable/10 is the development tree for the next 10.x point release (10.3). If you aren't following the -STABLE branch, then you can ignore that line.

releng/10.2 refers to the Security Fixes branch of the source tree, that can be used to upgrade 10.2 systems to all the patch releases (10.2-p1, 10.2-p2, 10.2-p3, etc.). This is the branch you should be following if you have 10.2 installed; and is what you get when you use freebsd-update(8) to keep a 10.2 system up-to-date.
 
Thanks everyone, I think I follow, but want to make sure. :)

Per this statement:
stable/10 means the patch was incorporated into the source tree for 10-STABLE on that date. stable/10 is the development tree for the next 10.x point release (10.3). If you aren't following the -STABLE branch, then you can ignore that line.

This means that it was incorporated into 10.x branch, but if you are running 10.0, you have to upgrade to 10.2-stable to get the benefits of the security patch?
 
FreeBSD 10.0 was a release version. It became end-of-life just after 10.1-RELEASE came out. Getting it up to date would involve either upgrading to 10.1-RELEASE, 10.2-RELEASE or 10-STABLE.
 
Thanks SirDice,

I guess what I was asking is that if someone was running 10.0 then they will not have the security patch? While it sounds like upgrading to the newest edition (while usually best) will fix the issue, I'm guessing I want to know if 10.0 itself has the patch.

The other thing is this: (taken from https://www.freebsd.org/security/advisories/FreeBSD-SA-15:25.ntp.asc)

Code:
Corrected: 2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
                 2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7)

v1.0 2015-10-26 Initial release.
v1.1 2015-11-04 Revised patches to address regression in ntpq(8), ntpdc(8)
utilities and lack of RAWDCF reference clock support in ntpd(8).

So unless I'm completely off base, I understand this one of two ways:
* 10.0 has v1.0 of the patch but not 1.1?
* 10.0 has no patches, but have to upgrade to 10.2 to patch this problem.

But either way, it sounds like upgrading to 10.2 solves the problem completely.

Sorry if I am not making sense.
 
OK,

I re-read everything, and think I understand now... stable/10 just means the development branch... and won't be incorporated (as stated) into the next stable 'edition'... but if I am running 10.0 release (as an example), I am unpatched? And I would have to update it to 10.1-release or higher to get the hole patched? If so, I think I understand now.
 
Correct.

releng/10.0 is the branch that includes security fixes for the 10.0 version of FreeBSD. However, 10.0 has been end-of-lifed and is no longer getting security fixes. This branch is effectively closed. The latest fixes, like this NTP issue, are not included here. If you are running 10.0, you need to upgrade to a newer version of FreeBSD to get security fixes.

releng/10.1 is the branch that includes security fixes for the 10.1 version of FreeBSD. I'm not positive, but I think this branch has also been EoL'd / closed. The latest fixes, like this NTP issue, are not included here. If you are running 10.1, you need to upgrade to a newer version of FreeBSD to get security fixes.

releng/10.2 is the branch that includes security fixes for the 10.2 version of FreeBSD, including this NTP fix. If you are running FreeBSD 10.2, then you can run freebsd-update(8) to update your installation to get the latest fixes.

stable/10 is the development branch. New features and bug fixes go into here. And eventually, this will be branched into a new releng/10.3 that corresponds with version 10.3 of FreeBSD. Some people update their installs to follow the -STABLE branch so they can get the latest fixes and features right away. The devs try really hard to keep this branch usable at all times, but there will occasionally be times when things break, so it's not recommended unless you know what you are doing. :)
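To make the branch-to-version mapping in the answers above concrete, here is an added example (not from the thread, and not FreeBSD's own tooling) in POSIX sh. It parses the advisory's Corrected: block exactly as quoted in this thread, maps a freebsd-version(1) style string to the source branch that carries its security fixes (releng/X.Y for releases, stable/X for -STABLE, as explained above), and reports whether that branch and patch level include the fix. The embedded advisory text is a constructed sample copied from the thread; all function names are my own.

```shell
#!/bin/sh
# Constructed sample: the "Corrected:" block of FreeBSD-SA-15:25.ntp as quoted in the thread.
ADVISORY_CORRECTED='Corrected:      2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
                2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7)'

# Map a version string ("10.2-RELEASE-p7", "10.2-STABLE") to the branch that
# carries its security fixes: releng/X.Y for releases, stable/X for -STABLE.
branch_for_version() {
    case "$1" in
        *-STABLE*)                 printf 'stable/%s\n' "${1%%.*}" ;;
        *-RELEASE*|*-RC*|*-BETA*)  printf 'releng/%s\n' "${1%%-*}" ;;
        *-CURRENT*)                printf 'head\n' ;;
        *)                         printf 'unknown\n' ;;
    esac
}

# Patch level of a version string: "10.2-RELEASE-p7" -> 7; no -pN suffix -> 0.
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# Look up the Corrected: entry for one branch. Prints "<date> <version>" or nothing
# if the branch is not listed (which is what an EoL branch such as releng/10.0 looks like).
corrected_entry() {
    printf '%s\n' "$ADVISORY_CORRECTED" | sed 's/^Corrected://' |
        awk -v b="$1" '{
            br = $4; sub(/^\(/, "", br); sub(/,$/, "", br)   # "(releng/10.2," -> "releng/10.2"
            v  = $5; sub(/\)$/, "", v)                       # "10.2-RELEASE-p7)" -> "10.2-RELEASE-p7"
            if (br == b) print $1, v
        }'
}

# Report whether a system running version $1 carries the fix. Always exits 0 and prints
# one line whose first word is PATCHED, UNPATCHED or CHECK-DATE.
check_system() {
    sys_ver="$1"
    sys_branch=$(branch_for_version "$sys_ver")
    entry=$(corrected_entry "$sys_branch")
    if [ -z "$entry" ]; then
        printf 'UNPATCHED %s: branch %s is not in Corrected: (no fix published for it, e.g. end-of-life)\n' \
            "$sys_ver" "$sys_branch"
        return 0
    fi
    fixed_date=${entry%% *}
    fixed_ver=${entry#* }
    case "$sys_branch" in
        stable/*)
            # A -STABLE build is covered only if built from sources after the commit date;
            # the version string cannot tell us that, so hand back the date to compare against.
            printf 'CHECK-DATE %s: fix committed to %s on %s; compare against your build date\n' \
                "$sys_ver" "$sys_branch" "$fixed_date"
            return 0 ;;
    esac
    if [ "$(patch_level "$sys_ver")" -ge "$(patch_level "$fixed_ver")" ]; then
        printf 'PATCHED %s: includes the fix shipped in %s\n' "$sys_ver" "$fixed_ver"
    else
        printf 'UNPATCHED %s: below %s; run freebsd-update fetch install\n' "$sys_ver" "$fixed_ver"
    fi
    return 0
}

# Demonstration on constructed version strings (10.0/10.1 patch levels are illustrative).
for v in 10.0-RELEASE-p18 10.1-RELEASE-p24 10.2-RELEASE-p6 10.2-RELEASE-p7 10.2-STABLE; do
    check_system "$v"
done
```

On a FreeBSD host you would feed it `freebsd-version -u` rather than `uname -r`: freebsd-update(8) patches userland, and the advisory's -pN level is the userland patch level, while `uname -r` reports the running kernel, which may lag until a reboot.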
 
Thanks Everyone ... as soon as I figure out how to close/assign thanks(or points)... I will get it closed.
 