Keeping FreeBSD updated
Your base operating system doesn't need much updating. The RELEASE branch only gets an occasional security update or a bug fix now and then. This guide will teach you how to be alerted when there is an update and how to apply it.
Monitoring for updates
There are at least four ways you can find out about new updates to the operating system:
- On FreeBSD's home page, there are two sections called SECURITY ADVISORIES and ERRATA NOTICES respectively. They list new security updates and bug fixes and you can monitor them manually there. Both current and older security advisories are also listed at http://security.freebsd.org/advisories.html
- FreeBSD.org provides RSS feeds for these updates. If you have an RSS reader you can subscribe to http://www.freebsd.org/security/rss.xml and http://www.freebsd.org/security/errata.xml to have news about new updates automatically monitored for you. This is a very convenient way and the method I use myself.
- If you prefer mail, you can subscribe to freebsd-announce which will list both security advisories and errata notices as well as many other announcements. If you prefer to see only the security advisories you can subscribe to freebsd-security-notifications instead.
- Updates will also be announced in FreeBSD's support forums.
Applying an update
Let's have a look at this security advisory concerning BIND. The advisories always consist of seven sections named: I. Background, II. Problem Description, III. Impact, IV. Workaround, V. Solution, VI. Correction Details and VII. References. Even if the advisory describes a feature you're not currently using, it's probably a good idea to update anyway. Being consistent with this is the only way to feel confident your system is secure whenever you want to use a new feature. Depending on your personal interest in the gory details you can choose to either read or skip sections I to IV, but section V describes step by step how to apply the update.
Since you have been taught to always compile your source code, you can either download the patch file itself or update your source tree through cvs, and I suggest you use cvs. Earlier you created a supfile that updates both FreeBSD's source code and the Ports collection. Let's make another one that only updates FreeBSD's source code.
# cp /usr/supfile /usr/release-supfile
Edit /usr/release-supfile and remove this line:
Save the file and you now have a supfile that only updates the source code of the operating system whenever you type these commands:
# cd /usr
# csup release-supfile
When the update of the source code has finished, you must follow the instructions in section V. b) of the advisory to actually compile the new code and install it. However, since your source code is now up to date through cvs, there's no patch to apply, so you have to skip the following two lines in that description.
# cd /usr/src
# patch < /path/to/patch
The remaining commands, though, should be followed in every detail. They will always follow the same pattern but point to different folders depending on the affected component. In this example they look like this:
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart
There's no need to reboot your router after this. In Unix you can replace almost any system software on-the-fly. The only exception right now is the kernel.
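Because the rebuild commands follow the same pattern for every advisory, they can be wrapped in a small script that takes the affected folders as arguments and stops at the first failure, so a half-built component is never followed by the next one. This is an added example, not part of the original guide or of FreeBSD; the function names and the SRC_ROOT and DRY_RUN variables are assumptions of the example.

```sh
#!/bin/sh
# Added example: rebuild the components an advisory names, in order,
# stopping at the first failure. SRC_ROOT and DRY_RUN are assumptions
# of this example, not FreeBSD settings.
: "${SRC_ROOT:=/usr/src}"   # root of the source tree updated by csup
: "${DRY_RUN:=0}"           # 1 = print the commands instead of running them

# Run a command, or just show it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# rebuild_component <dir relative to SRC_ROOT>, e.g. lib/bind
rebuild_component() {
    # Accept only relative paths that stay inside the source tree.
    case "$1" in
        ""|/*|*..*) echo "refusing path: '$1'" >&2; return 2 ;;
    esac
    dir="$SRC_ROOT/$1"
    [ -d "$dir" ] || { echo "not in source tree: $dir" >&2; return 3; }
    echo "== $dir"
    # Subshell keeps the caller's working directory unchanged.
    ( cd "$dir" &&
      run make obj && run make depend && run make && run make install )
}

# rebuild_all <dir>...: components in the order the advisory lists them.
rebuild_all() {
    for comp in "$@"; do
        rebuild_component "$comp" || {
            echo "stopped at $comp; later components not built" >&2
            return 1
        }
    done
}

# Example: DRY_RUN=1 sh rebuild.sh lib/bind usr.sbin/named
if [ "$#" -gt 0 ]; then
    rebuild_all "$@"
fi
```

The service restart named in the advisory (here /etc/rc.d/named restart) is still run by hand afterwards.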