#5, 30th September 2010, ocicat (Administrator)

Quote:
Originally Posted by zazen
...as an example this is the output of the make install of the 001 patch for 4.7
Two more points to consider.
  • Not to contradict my earlier message, but there are multiple ways of administering systems -- especially those which are single (or minimally) purposed like firewalls. These are systems which may not have the most aggressive complement of hardware because their designated purpose doesn't require it, so building on these environments can be painfully slow.

    One thing you might consider is to build a fully patched release (see Section 5.4 of the FAQ...) on your beefiest hardware & simply install/upgrade the resulting kernel(s) + file sets on every other machine which runs OpenBSD. Otherwise, if you have 3 computers running OpenBSD, you will end up patching & rebuilding all three -- which can consume a lot of time & duplicated effort.

    Of course, if you only have one OpenBSD system, this kind of scaled administration doesn't work.
  • As for the voluminous output which is typically seen upon rebuilding, that is to be expected given the complexity of building kernels alone or kernels + userland. After all, the operating system comprises thousands of files. You will get used to it with practice & repetition.

    As for specifics, the errata page states for patch #1:
    Quote:
    When decrypting packets, the internal decryption functions were not paranoid enough in checking for underruns, which could potentially lead to crashes.
    The comment at the top of patch #1 states:
    Code:
    Apply by doing:
    	cd /usr/src
    	patch -p0 < 001_kerberos.patch
    
    Rebuild and install the Kerberos 5 library:
    	cd lib/libkrb5
    	make obj
    	make depend
    	make
    	make install
    
    And then rebuild and install the Kerberos 5 KDC:
    	cd ../../kerberosV/libexec/kdc
    	make obj
    	make depend
    	make
    	make install
    So, there were issues found with the Kerberos library. If more details are needed, the source is available, & the patch file itself is a diff(1) of the necessary changes. Looking at the related manpages can also be educational. Beginning with the kerberos(8) manpage would be a good start to gain context.
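Added example, not part of the original post or of OpenBSD's tooling: a small shell sketch for reading a patch file before applying it, which prints the instruction comment at the top and a per-file count of added and removed lines. The sample patch, its file paths and the function names are constructed for illustration.

```shell
# Added example (not from the original post): inspect an errata-style patch
# before running patch(1). File names and contents below are constructed.
patch_instructions() {          # print the comment that precedes the first diff
    awk '/^Index: / || /^--- / { exit } { print }' "$1"
}

# Print "<path> +<added> -<removed>" for each file the patch modifies.
patch_summary() {
    awk '
    old > 0 || new > 0 {            # inside a hunk: trust the @@ line counts,
        c = substr($0, 1, 1)        # so "--- x" / "+++ x" content is not a header
        if (c == "+")       { new--; add[file]++ }
        else if (c == "-")  { old--; del[file]++ }
        else if (c != "\\") { old--; new-- }    # context line
        next
    }
    /^\+\+\+ / { file = $2; if (!(file in seen)) { seen[file] = 1; order[++n] = file } }
    /^@@ / {                        # "@@ -start,len +start,len @@", len defaults to 1
        split($2, o, ","); old = (2 in o) ? o[2] + 0 : 1
        split($3, p, ","); new = (2 in p) ? p[2] + 0 : 1
    }
    END { for (i = 1; i <= n; i++) printf "%s +%d -%d\n", order[i], add[order[i]], del[order[i]] }
    ' "$1"
}

# Write a constructed sample patch (hypothetical paths) to the given file.
make_sample_patch() {
    cat > "$1" <<'EOF'
Apply by doing:
    cd /usr/src
    patch -p0 < 000_example.patch
Index: lib/libexample/decrypt.c
--- lib/libexample/decrypt.c    1 Jan 2010 00:00:00 -0000
+++ lib/libexample/decrypt.c    1 Jan 2010 00:00:01 -0000
@@ -10,3 +10,4 @@
     len = get_len(p);
+    if (len < HDR_LEN) return (-1);
     len -= HDR_LEN;
--- old separator
+++ new separator
--- usr.sbin/exampled/main.c    1 Jan 2010 00:00:00 -0000
+++ usr.sbin/exampled/main.c    1 Jan 2010 00:00:01 -0000
@@ -5 +5 @@
-    check(buf);
+    check(buf, len);
EOF
}

t=$(mktemp); make_sample_patch "$t"; patch_instructions "$t"; patch_summary "$t"; rm -f "$t"
```

The summary counts lines against the lengths in each `@@` header, so changed lines whose content happens to begin with `--` or `++` are not mistaken for file headers.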