On Tue, Jul 29, 2008 at 11:41 AM, skogzort <[EMAIL PROTECTED]> wrote:
> Is it necessary to recompile just to apply a security patch?
>
> Hello,
> I know nothing/very little about OpenBSD or UNIX. I have been tasked with
> updating our OpenBSD DNS server with a security fix (Vulnerability Note
> VU#800113- Multiple DNS implementations vulnerable to cache poisoning).
>
> In order to do this it appears that I have to download the source code
> re-compile the entire OS. Recompiling the OS seems to involve a lot of steps.
> Before I continue to read through them all, I just want to confirm that it is
> actually necessary to do all of this, simply to apply a security patch:
>
> Download the tree..
> Preload the tree..
> Build the Kernel..
> Build the userland..
> Etc.
>
> The only thing we use the server for is DNS. I don't know what Flavor we are
> running, since it's on a production server I assume it will be * release or *
> stable, either way from what I've read so far it looks like in order to apply
> this security patch I will have to update it to * stable.
>
> Is it true that the only way to apply this patch is to recompile the entire
> OS, and go through all the steps above? I'm only familiar with Windows, where
> you just push a button to apply a security patch and you don't even have to
> reboot the server, so I was thinking that I may be misunderstanding what I'm
> reading.
>

OpenBSD is mostly designed as a monolithic kernel. It's a very small
kernel, only a couple of megs large, but it is one single program so
yes, to apply a security patch to the kernel you must recompile the
entire kernel. You may be able to get away without recompiling
userland if the patch is only affecting kernel internals, but just to
be safe you probably should do userland too. It's not actually that
hard to recompile, the instructions are very clear -- but I do know
the feeling that you have, I only finally worked myself up to
compiling kernels. Just take the leap of faith and in a few hours
you'll have a new secure system.

Hmm, though if you don't know much about Unix, make sure to take a
backup of /etc first, just in case you trash your DNS server.

-Nick
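Whichever way the server gets updated, the operator in this thread will want a way to confirm the fix for VU#800113 actually took. That advisory concerned cache poisoning made practical by predictable source ports (and, on older software, predictable query IDs) in outbound queries, and the fix was to randomize the source port per query. The script below is an added example, not code from the thread or from OpenBSD: it takes the source ports and query IDs out of a handful of captured outbound queries and reports whether they look fixed or sequential. The capture lines are constructed to resemble `tcpdump -n udp port 53` output; that line format, the addresses and the port values are assumptions made for the example.

```python
"""Sanity-check a resolver's outbound DNS queries for source-port randomization.

Added example for the VU#800113 thread above, not code from the original post
or from OpenBSD.  Before and after patching, capture a few dozen outbound
queries from the DNS server and look at the source ports it used: a single
fixed port, or ports that step by one, is what the 2008 cache-poisoning
technique relied on.
"""
import math
import re
from collections import Counter

# Matches the client source port and the DNS query id in a tcpdump-style line
# such as "12:00:01.000001 IP 192.0.2.10.53412 > 198.51.100.1.53: 1234+ A? ...".
# Only queries *to* port 53 match, so replies flowing back are ignored.
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")

# Constructed sample captures (assumption: tcpdump -n style output).
# An unpatched resolver reusing one port for every query:
UNPATCHED_CAPTURE = [
    "12:00:01.000001 IP 192.0.2.10.53412 > 198.51.100.1.53: 17321+ A? a.example. (27)",
    "12:00:01.004210 IP 198.51.100.1.53 > 192.0.2.10.53412: 17321 1/0/0 A 203.0.113.5 (43)",
    "12:00:01.100002 IP 192.0.2.10.53412 > 198.51.100.2.53: 61004+ A? b.example. (27)",
    "12:00:01.200003 IP 192.0.2.10.53412 > 198.51.100.1.53: 2291+ A? c.example. (27)",
    "12:00:01.300004 IP 192.0.2.10.53412 > 198.51.100.3.53: 40977+ A? d.example. (27)",
]
# The same resolver after the fix, picking a fresh port per query:
PATCHED_CAPTURE = [
    "12:10:01.000001 IP 192.0.2.10.61823 > 198.51.100.1.53: 9120+ A? a.example. (27)",
    "12:10:01.004210 IP 198.51.100.1.53 > 192.0.2.10.61823: 9120 1/0/0 A 203.0.113.5 (43)",
    "12:10:01.100002 IP 192.0.2.10.50277 > 198.51.100.2.53: 44031+ A? b.example. (27)",
    "12:10:01.200003 IP 192.0.2.10.57149 > 198.51.100.1.53: 3308+ A? c.example. (27)",
    "12:10:01.300004 IP 192.0.2.10.64012 > 198.51.100.3.53: 28765+ A? d.example. (27)",
]


def query_pairs(lines):
    """Return (source_port, query_id) for every outbound query line."""
    pairs = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def is_sequential(values):
    """True when each value is exactly one more than the previous one."""
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))


def entropy_bits(values):
    """Shannon entropy of the observed values; 0.0 means a single fixed value."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(lines):
    """Summarize port/id behaviour and give a coarse verdict for the capture."""
    pairs = query_pairs(lines)
    ports = [p for p, _ in pairs]
    ids = [q for _, q in pairs]
    fixed_port = len(set(ports)) == 1
    weak = fixed_port or is_sequential(ports) or is_sequential(ids)
    return {
        "queries": len(pairs),
        "distinct_ports": len(set(ports)),
        "fixed_port": fixed_port,
        "sequential_ports": is_sequential(ports),
        "sequential_ids": is_sequential(ids),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        # A small capture can only show the obvious failures; "looks randomized"
        # is not proof of a good generator, but a fixed port is proof of trouble.
        "verdict": "predictable (fix missing)" if weak else "looks randomized",
    }


if __name__ == "__main__":
    for label, capture in (("before", UNPATCHED_CAPTURE), ("after", PATCHED_CAPTURE)):
        print(label, assess(capture))
```

Run it against a real capture by replacing the constructed lists with lines read from `tcpdump -n udp port 53` on the server; a result of one distinct port across many queries means the fixed version is not the one actually running, regardless of what was recompiled.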
