忽然想到一个问题，FreeBSD如何打补丁？

Cyberman.Wu

对于ports可以用portaudit来检查，用portupgrade来更新，那么对于Base系统呢？

前一段时间装了一个FreeBSD 7.0-Release。今天看了一下它的SA，发现一个SSH的：

1. 
   
2. FreeBSD-SA-08:05.openssh                                    Security Advisory
   
3.                                                           The FreeBSD Project
   
4. 
   
5. Topic:          OpenSSH X11-forwarding privilege escalation
   
6. 
   
7. Category:       contrib
   
8. Module:         openssh
   
9. Announced:      2008-04-17
   
10. Credits:        Timo Juhani Lindfors
    
11. Affects:        All supported versions of FreeBSD
    
12. Corrected:      2008-04-16 23:58:33 UTC (RELENG_7, 7.0-STABLE)
    
13.                 2008-04-16 23:58:52 UTC (RELENG_7_0, 7.0-RELEASE-p1)
    
14.                 2008-04-16 23:59:35 UTC (RELENG_6, 6.3-STABLE)
    
15.                 2008-04-16 23:59:48 UTC (RELENG_6_3, 6.3-RELEASE-p2)
    
16.                 2008-04-17 00:00:04 UTC (RELENG_6_2, 6.2-RELEASE-p12)
    
17.                 2008-04-17 00:00:28 UTC (RELENG_6_1, 6.1-RELEASE-p24)
    
18.                 2008-04-17 00:00:41 UTC (RELENG_5, 5.5-STABLE)
    
19.                 2008-04-17 00:00:54 UTC (RELENG_5_5, 5.5-RELEASE-p20)
    
20. CVE Name:       CVE-2008-1483
    
21. 
    

复制代码

这个p1应该如何升级？当然服务器上是不装X的，也不用X11-forwarding，所以问题不大，但还是从现在就开始了解起来。

uutorok

freebsd-update

剑心通明

make world

doctorjxd

安全通告上有详细的说明。 命令写得很详细。

一个办法是升级代码到最新的stable版本，然后编译。

另一个办法是对源代码patch后编译部分代码。这个办法比较快。



比如最新的 FreeBSD-SA-08:05.openssh 中

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, 6-STABLE, or 7-STABLE,
or to the RELENG_7_0, RELENG_6_3, RELENG_6_2, RELENG_6_1, RELENG_5_5
security branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 5.5, 6.1,
6.2, 6.3, and 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:05/openssh.patch
# fetch http://security.FreeBSD.org/patches/SA-08:05/openssh.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssh
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.sbin/sshd
# make obj && make depend && make && make install
# /etc/rc.d/sshd restart

[ 本帖最后由 doctorjxd 于 2008-5-19 19:03 编辑 ]