Keeping FreeBSD updated





Your base operating system doesn't need much updating. The RELEASE branch only gets an occasional security update or a bug fix now and then. This guide will teach you how to be alerted when there is an update and how to apply it.

Note: Make sure you know the EoL (End of Life) of the FreeBSD version you're using. Most releases only receive updates for 12 months and then you'll have to upgrade FreeBSD to a later release to be safe. Detailed information can be found here.


Monitoring for updates

There are at least four ways you can find out about new updates to the operating system:

Applying an update

Let's have a look at this security advisory concerning BIND. The advisories always consist of seven sections named: I. Background, II. Problem Description, III. Impact, IV. Workaround, V. Solution, VI. Correction Details and VII. References. Even if the advisory describes a feature you're not currently using, it's probably a good idea to update anyway. Being consistent with this is the only way to feel confident your system is secure whenever you want to use a new feature.

Depending on your personal interest in the gory details you can choose to either read or skip sections I to IV. Section V, on the other hand, describes step by step how to apply the update. Since you have been taught to always compile your source code, you can either download the patch file itself or update your source tree through cvs, and I suggest you use cvs. Earlier you created a supfile that updates both FreeBSD's source code and the Ports collection. Let's make another one that only updates FreeBSD's source code.

# cp /usr/supfile /usr/release-supfile

Edit /usr/release-supfile and remove this line:

ports-all tag=.

Save the file and you now have a supfile that only updates the source code of the operating system whenever you type these commands:

# cd /usr
# csup release-supfile

When the update of the source code has finished, you must follow the instructions in section V. b) of the advisory to actually compile the new code and install it. However, since your source code is now up to date through cvs, there's no patch to apply, so you have to skip the following two lines in that description.

# cd /usr/src
# patch < /path/to/patch

The remaining commands, though, should be followed in every detail. They will always follow the same pattern but point to different folders depending on the affected component. In this example they look like this:

# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

There's no need to reboot your router after this. In Unix you can replace almost any system software on-the-fly. The only exception right now is the kernel.
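
As an added example (not part of the original guide or of any FreeBSD tooling), the sh function below prints the commands from section V. b) of an advisory with the patch step left out, which is what the csup route above calls for. The function names and the sample advisory text are constructed for illustration; the script only prints commands for review and runs none of them.

```shell
#!/bin/sh
# Added example: list the rebuild commands from section V. b) of an advisory,
# leaving out the patch step that a csup-updated source tree does not need.

# Constructed sample in the layout the guide describes (not a real advisory).
sample_advisory() {
cat <<'EOF'
IV.  Workaround

No workaround is available.

V.   Solution

a) Download the relevant patch and verify its signature.

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

VI.  Correction details
EOF
}

# Reads advisory text on stdin and prints one command per line.
rebuild_commands() {
    awk '
        /^V\.[ \t]/    { in_v = 1; next }            # section V starts
        /^VI\.[ \t]/   { in_v = 0; in_b = 0 }        # section VI ends it
        in_v && /^b\)/ { in_b = 1; next }            # step b) holds the commands
        !(in_v && in_b) || !/^# / { next }           # keep only "# command" lines
        { cmd = substr($0, 3) }                      # strip the "# " prompt
        cmd ~ /^patch[ \t]/ {                        # skip patch and its "cd /usr/src"
            if (held != "" && held != "cd /usr/src") print held
            held = ""; next
        }
        { if (held != "") print held; held = cmd }   # emit one line behind
        END { if (held != "") print held }
    '
}

sample_advisory | rebuild_commands
```

Compare the printed list against the advisory itself before typing the commands in as root.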
