Hi Tomas,

Tomas wrote on Thu, Aug 24, 2006 at 09:18:26AM +0300:
> Han Boetes wrote:
>> Tomas wrote:

> Thank you very much, I think that's the way I will do it :)

Then do it very carefully!
I see at least one trap you might stumble into...

> It's quicker than compiling all the release...

Probably; but it is also less standard and you should understand
well what you are doing in order to be sure that the result is
actually correct.

From your various posts, I suspect that you will be *much*
safer if you install comp39.tgz on your production server,
download the patch from the errata page and follow the
instructions contained inside on the production server itself.

>>> I was wondering is there any way to patch my httpd server
>>> without a compiler?  I don't want to add a compiler on
>>> my production web server, but I need to patch httpd (security
>>> fix 004).  I use OpenBSD 3.9.

From this, I conclude you are running 3.9-release and intend to
upgrade to 3.9-release + errata.

>>   cd /usr/src/usr.sbin/httpd
>>   cvs up

AFAIK, Han is in the habit of running -current, even on production
servers (which can be done, but is different from what you do).
A bare `cvs update` will per default update to the HEAD revision,
which corresponds to -current.  When mixing -release and -current,
compiling will likely fail.  Even if, by some ill chance, compiling
happens to succeed, the resulting binaries might fail to run.

Besides, /usr/src/usr.sbin/httpd does not contain a CVS subdirectory
by default.  You might get a message like:

[EMAIL PROTECTED] $ cvs up     
cvs update: in directory .:
cvs [update aborted]: there is no version here; run 'cvs checkout' first

Thus, you might need the proper `cvs checkout` first - which is
probably easier and safer to get right if you do it for the whole
tree at once, see http://www.openbsd.org/anoncvs.html:

  cd /usr
  cvs checkout -P -rOPENBSD_3_9 src

Don't forget the -rOPENBSD_3_9 in any case.

>   make -f Makefile.bsd-wrapper obj cleandir all
>   sudo install -d fake/usr/{share/man/cat{1,8},lib/apache/modules}
>   sudo make -f  Makefile.bsd-wrapper install DESTDIR=$PWD/fake
>   cd fake
>   tar czvvf ../patched_apache.tgz *
>   cd ..
>   sudo rm -rf fake

You should probably postpone the last step until you are reasonably
sure that your new httpd is actually working reliably.  You might
also want to add something like "2>&1 | tee make.log" etc. after
the make statements in order to be able to look into any problems
that you might run into.

>   Now distribute the patched_apache.tgz tarball to all clients and
>   install it with:
>   
>   sudo tar xzpf patched_apache.tgz -C /

Note that after this, there is no way back unless you took
additional steps to prepare a backup - or unless you construct
another tarball containing the release versions of the same
files as patched_apache.tgz by hand, starting from the
release sets base??.tgz etc. on your CD.

When leaving standard procedures, taking some additional
precautions is generally a good idea unless you are *very*
experienced (like Han, for example ;-).

Yours,
  Ingo
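
The backup precaution mentioned above (saving the files that patched_apache.tgz will overwrite before extracting it), as an added example that is not part of the original message. The function name, argument order and backup file name are hypothetical; it assumes a tar that accepts z and -C, as the commands quoted in the thread do.

```shell
#!/bin/sh
# Added example, not from the original thread. Function name, argument
# order and the backup file name are hypothetical.

# backup_before_extract TARBALL ROOT BACKUP
# Saves every regular file under ROOT that extracting TARBALL would
# overwrite into BACKUP, and prints how many files were saved.
backup_before_extract() {
    tarball=$1 root=$2 backup=$3
    list=$(mktemp) || return 1
    tar tzf "$tarball" > "$list" || { rm -f "$list"; return 1; }
    set --                        # collect existing files as arguments
    while IFS= read -r member; do
        member=${member#./}
        # Directories and files that are new in TARBALL have nothing to save.
        if [ -f "$root/$member" ]; then
            set -- "$@" "$member"
        fi
    done < "$list"
    rm -f "$list"
    if [ $# -eq 0 ]; then
        echo 0
        return 0
    fi
    # Archive files only, by relative path, so that restoring never
    # touches the mode or timestamps of directories such as /usr.
    (cd "$root" && tar czf - "$@") > "$backup" || return 1
    echo "$#"
}

# Intended order on the production host (run as root):
#   backup_before_extract patched_apache.tgz / release_apache_backup.tgz
#   tar xzpf patched_apache.tgz -C /
# Roll back, if the new httpd misbehaves:
#   tar xzpf release_apache_backup.tgz -C /
```

Files that exist only in the patched tarball are not removed by the rollback; compare the two listings from `tar tzf` if that matters.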
