Friday, February 06, 2004

Using Binary Security Updates for FreeBSD and OpenBSD

A few security advisories for FreeBSD and OpenBSD were announced. The latest for FreeBSD involves the System V Shared Memory interface. If you're running a GENERIC kernel you may be able to use Colin Percival's binary updates, like this:

bourque# uname -a
FreeBSD bourque.taosecurity.com 4.9-RELEASE FreeBSD 4.9-RELEASE #0:
Mon Oct 27 17:51:09 GMT 2003 root@freebsd-stable.sentex.ca:/usr/obj/usr/src/sys/GENERIC i386
bourque# freebsd-update -v fetch
Fetching updates signature...
Fetching updates...
Fetching hash list signature...
Fetching hash list...
Examining local system...
Fetching updates...
/kernel...
/kernel.GENERIC...
Updates fetched

To install these updates, run: '/usr/local/sbin/freebsd-update install'
bourque# freebsd-update -v install
Backing up /kernel...
Installing new /kernel...
Backing up /kernel.GENERIC...
Installing new /kernel.GENERIC...
...reboot...
-bash-2.05b$ uname -a
FreeBSD bourque.taosecurity.com 4.9-SECURITY FreeBSD 4.9-SECURITY #0:
Thu Feb 5 04:20:23 GMT 2004 root@builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386

Here's what updating my FreeBSD 5.2-RELEASE notebook looked like:

orr# uname -a
FreeBSD orr.taosecurity.com 5.2-RELEASE FreeBSD 5.2-RELEASE #0:
Sun Jan 11 04:21:45 GMT 2004 root@wv1u.btc.adaptec.com:/usr/obj/usr/src/sys/GENERIC i386
orr# freebsd-update -v fetch
Fetching updates signature...
Fetching updates...
Fetching hash list signature...
Fetching hash list...
Examining local system...
Fetching updates...
/boot/kernel/kernel...
/boot/kernel/sysvshm.ko...
Updates fetched

To install these updates, run: '/usr/local/sbin/freebsd-update install'
orr# freebsd-update -v install
Backing up /boot/kernel/kernel...
Installing new /boot/kernel/kernel...
Backing up /boot/kernel/sysvshm.ko...
Installing new /boot/kernel/sysvshm.ko...
...reboot...
bash-2.05b$ uname -a
FreeBSD orr.taosecurity.com 5.2-SECURITY FreeBSD 5.2-SECURITY #0:
Thu Feb 5 10:24:52 GMT 2004 root@builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386

Two OpenBSD advisories have been posted in the last month. The binary patch from binpatch addresses the message handling flaws in isakmpd(8). There is no binary patch posted yet for the reference counting bug in shmat(2) announced yesterday.

bash-2.05b# wget http://www.openbsd.org.mx/pub/binpatch/3.4/i386/binpatch-3.4-i386-009.tgz
--09:07:55-- http://www.openbsd.org.mx/pub/binpatch/3.4/i386/binpatch-3.4-i386-009.tgz
=> `binpatch-3.4-i386-009.tgz'
Resolving www.openbsd.org.mx... done.
Connecting to www.openbsd.org.mx[208.33.29.188]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 480,408 [text/plain]

100%[====================================>] 480,408 30.74K/s ETA 00:00

09:08:11 (30.74 KB/s) - `binpatch-3.4-i386-009.tgz' saved [480408/480408]
bash-2.05b# ls -al
total 500
drwxr-xr-x 2 root wheel 512 Feb 6 09:08 .
drwxr-xr-x 4 root wheel 512 Feb 6 09:07 ..
-rw-r--r-- 1 root wheel 480408 Jan 15 17:03 binpatch-3.4-i386-009.tgz
bash-2.05b#
bash-2.05b# md5 binpatch-3.4-i386-009.tgz
MD5 (binpatch-3.4-i386-009.tgz) = 44260e1d04a687f67ae9e0e928c447c8
bash-2.05b# tar -xzvpf binpatch-3.4-i386-009.tgz -C /
./sbin/isakmpd
./usr/share/ipsec/isakmpd/VPN-3way-template.conf
./usr/share/ipsec/isakmpd/VPN-east.conf
./usr/share/ipsec/isakmpd/VPN-west.conf
./usr/share/ipsec/isakmpd/policy
./usr/share/ipsec/isakmpd/singlehost-east.conf
./usr/share/ipsec/isakmpd/singlehost-east.gdb
./usr/share/ipsec/isakmpd/singlehost-setup.sh
./usr/share/ipsec/isakmpd/singlehost-west.conf
./usr/share/ipsec/isakmpd/singlehost-west.gdb
...No reboot needed as this does not affect the kernel...
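As an added example (not part of the original post, and not the binpatch project's own tooling), here is a small POSIX shell wrapper for the OpenBSD step above. It compares the tarball's MD5 against a value obtained out of band (the checksum published with the patch, rather than one computed on the downloaded file as in the session above), refuses archives whose members use absolute paths or ".." components (which tar -C / would otherwise write outside the tree the patch claims to replace), and only then extracts. The function names, the optional DEST argument for rehearsing in a scratch directory, and the md5/md5sum fallback are my own assumptions for portability.

```shell
#!/bin/sh
# Added example, not from the original post or the binpatch project.
# Verify a binpatch-style tarball before extracting it over a live root.

# MD5 of a file: BSD md5(1) where present (FreeBSD/OpenBSD), else GNU md5sum(1).
file_md5() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if every archive member is a plain relative path.
# An absolute member or a ".." component would let "tar -C /" write
# outside the directories the patch is supposed to replace.
archive_paths_ok() {
    bad=$(tar -tzf "$1" | grep -E '^/|(^|/)\.\.(/|$)' | head -n 1)
    if [ -n "$bad" ]; then
        echo "refusing unsafe archive member: $bad" >&2
        return 1
    fi
    return 0
}

# verify_and_extract ARCHIVE EXPECTED_MD5 [DEST]
# EXPECTED_MD5 must come from the patch announcement, not from the file itself.
# DEST defaults to / as in the post; point it at a scratch directory to rehearse.
verify_and_extract() {
    archive=$1
    expected=$2
    dest=${3:-/}
    actual=$(file_md5 "$archive") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch for $archive: got $actual, expected $expected" >&2
        return 1
    fi
    archive_paths_ok "$archive" || return 1
    tar -xzvpf "$archive" -C "$dest"
}

# Usage, with the checksum shown in the post standing in for the published value:
#   verify_and_extract binpatch-3.4-i386-009.tgz 44260e1d04a687f67ae9e0e928c447c8
if [ $# -ge 2 ]; then
    verify_and_extract "$@"
fi
```

Running it with a third argument naming a scratch directory lets you list and extract the patch somewhere harmless first and diff the result against the live files before repeating the step with DEST left at its default of /.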

These sorts of binary upgrades are a good alternative for those running stock systems on slow hardware or in constrained environments (e.g., no compiler installed).