Patching OpenBSD
by Brad Schonhorst

This document covers how to apply patches to bring your OpenBSD system up to date. It is aimed at those new to OpenBSD who might need more detailed instructions than those found at the official OpenBSD site. Updating your machine to the latest secure version should be done as soon as you finish installation: the patches fix the security holes that have been discovered since the release of the OS. It's a good idea to subscribe to the security-announce mailing list so you are notified when a new patch is released. The official list of patches released for your version of OpenBSD can be found at the Errata website. The latest point release is displayed along with the patch list for previous versions. You will need to install the patches listed for all architectures as well as any listed for your platform.

To update your system you will need two things: the source code for the binary you are updating (or the whole source tree of the OS) and the patches.

Source Code and Binaries?

In this case, a binary refers to a file that is not human readable (not written in plain ASCII text) and is only usable by the processor or program it was written for. In general, executable programs are what is meant by binary files; examples are the bsd kernel or httpd. Source code is human readable (debatably) in the sense that it is written in ASCII text using some programming language (C, C++, etc.). The source code is then compiled to create a binary version, one the computer knows how to run. To bring your OS up to date you are going to make changes to the source code and then compile new binaries, which will contain the new security fixes. The patches are scripts written for you to run, which make the changes to the source for you.

Alright, let's get started.

Installing the Source Code

First you need to get the source code so you can update it. You could get only the source for the specific binaries that need to be updated, but in this example we will install the entire source from the official CD. For other methods (cvs or ftp) see the OpenBSD FAQ.

Put in the correct CD (in 3.4 it's disk 3) and mount it. You may want to poke around the disk and find the src tarball; it should be called something like src.tar.gz.

    $ sudo mount /dev/cd0c /mnt

Change to the directory where you want to store the source code. If you haven't already, you may want to add your account to the wsrc group (just add your account name to that group's line in /etc/group).

    $ cd /usr/src

Now we will uncompress the source code on the CD and drop it in /usr/src:

    $ sudo tar -xzvf /mnt/src.tar.gz

This will take a while; all the source code for OpenBSD 3.4 is being written to your hard drive. When it finishes you can unmount and eject the CD.

    $ sudo umount /mnt

Get the Patches

Now we need to get the current set of patches. Again you can get these via ftp or cvs; let's use ftp. Pick a mirror close to you to get the patches from. They should be in the pub/OpenBSD/patches directory. Make sure to get the set corresponding to the version of OpenBSD you are running (in this case 3.4.tar.gz) and put it in your home directory.

    $ cd /home/bschonho

Now you need to unpack them:

    $ tar -xzvf 3.4.tar.gz

You will be left with a folder called 3.4 that contains the patches.

Apply the patches

Applying the patches is simply a matter of following the instructions at the top of each patch file. If you look in the patch folder called 3.4 (or whatever version you installed) you should see a folder for each of the various architectures and one called common. All platforms install the common patches. Patches should be applied in order; according to the Errata page, the first patch is a documentation fix, so we'll skip it and go on to number 2, which is a common patch for OpenSSL. I will leave a chunk of the output after some of the commands to give you an idea of what you should see. Let's take a look at what needs to happen:

    $ less 3.4/common/002_asn1.patch

That's all you need to read. The rest of the file is the script that will change the source code. You will just need to go through the steps above. Remember that the steps assume you run them one after another in the same shell without changing directory in between, so the command 'cd lib/libssl' assumes you are already in /usr/src.

Let's go ahead and install this first patch. First we'll change directories to /usr/src, where we installed the source code:

    $ cd /usr/src

Now we can apply the patch. It's probably a good idea to patch as root, so use sudo. Also, you need the full path to the patch you are installing; I put the patches in my home directory.

    $ sudo patch -p0 < /home/bschonho/3.4/common/002_asn1.patch

That looks good! The source code has been patched. Now we can recompile the binaries for OpenSSL. Again, make sure to use sudo if you are not logged in as root. Some of these commands may take quite a while (10 minutes or more) to finish, depending on your machine.

    $ cd lib/libssl
    $ sudo make depend
    $ sudo make

The new binaries have been created; now install them over the old ones:

    $ sudo make install

And that's it! Make sure to go through all the patches on the list. You could install only the ones for services you use, but as a general rule it's better to install all of them.

Some patches will instruct you to restart certain processes you may have running. Others instruct you to rebuild the kernel.
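The procedure above (take the common patches plus the ones for your platform, read the instructions at the top of each file, apply them in numeric order with patch -p0 from /usr/src) as a small POSIX sh helper script. This is an added example, not part of the original article and not an OpenBSD tool. It assumes the layout described above (<version>/common and <version>/<arch>, files named NNN_name.patch), that the numeric prefix gives the application order across both directories, and that each patch file starts with the maintainer's instructions followed by the diff, which begins at the first "Index:" line. The sample patch set it writes is constructed for demonstration only; its file names, paths and diff lines do not correspond to any real erratum.

```shell
#!/bin/sh
# Added example (not from the original article): helpers for walking an
# OpenBSD errata patch set the way the tutorial does by hand.
# Assumed layout: <version>/common/NNN_name.patch and <version>/<arch>/NNN_name.patch,
# each file starting with instructions and the diff beginning at "Index:".

# Print the human-readable instructions at the top of a patch file,
# i.e. everything before the first "Index:" line.
patch_header() {
    awk '/^Index:/ { exit } { print }' "$1"
}

# Numeric prefix of a patch file name (e.g. 002 from 002_asn1.patch).
patch_number() {
    basename "$1" | sed 's/^\([0-9][0-9]*\)_.*/\1/'
}

# List the patches that apply to this platform (common plus the given
# architecture directory) in application order, sorted by numeric prefix.
ordered_patches() {
    for sub in common "$2"; do
        [ -d "$1/$sub" ] || continue
        for f in "$1/$sub"/*.patch; do
            [ -f "$f" ] || continue
            printf '%s %s\n' "$(patch_number "$f")" "$f"
        done
    done | sort -n | cut -d' ' -f2-
}

# Apply one patch against the source tree with the same command the article
# uses (patch -p0 from /usr/src); -d lets the caller keep its own cwd.
# Usage: apply_patch /home/you/3.4/common/002_asn1.patch /usr/src  (as root)
apply_patch() {
    patch -p0 -d "$2" < "$1"
}

# Write a small constructed patch set into $1 for demonstration. Names,
# paths and contents are made up and match no real OpenBSD erratum.
make_sample_patchset() {
    mkdir -p "$1/common" "$1/i386"
    cat > "$1/common/002_example.patch" <<'EOF'
Apply by doing:
    cd /usr/src
    patch -p0 < 002_example.patch

And then rebuild and install libssl:
    cd lib/libssl
    make depend
    make
    make install

Index: lib/libssl/src/example.c
===================================================================
--- lib/libssl/src/example.c
+++ lib/libssl/src/example.c
@@ -1 +1 @@
-int example = 0;
+int example = 1;
EOF
    printf 'Apply by doing:\n    cd /usr/src\n    patch -p0 < 010_later.patch\n\nIndex: x\n' \
        > "$1/common/010_later.patch"
    printf 'Apply by doing:\n    cd /usr/src\n    patch -p0 < 001_arch.patch\n\nIndex: y\n' \
        > "$1/i386/001_arch.patch"
}
```

Run ordered_patches 3.4 i386 to see what applies to an i386 box and in which order, patch_header on a file to read the maintainer's instructions before touching the tree, and apply_patch FILE /usr/src as root for the same patch -p0 step the article performs. The rebuild commands still come from each header, since they differ from patch to patch (some rebuild one library, others the kernel).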
For clarification or corrections ---> bschonhorst@gmail.com