OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: franco on January 15, 2016, 12:21:33 pm

Title: [CALL FOR TESTING] FreeBSD advisories/errata and update response times
Post by: franco on January 15, 2016, 12:21:33 pm
Hi guys,

Yesterday, FreeBSD released a number of patches for its supported releases. The list is quite extensive:

https://www.freebsd.org/security/advisories/FreeBSD-SA-16:01.sctp.asc
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:02.ntp.asc
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:03.linux.asc
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:04.linux.asc
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:05.tcp.asc
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:06.bsnmpd.asc
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:07.openssh.asc
https://www.freebsd.org/security/advisories/FreeBSD-EN-16:01.filemon.asc
https://www.freebsd.org/security/advisories/FreeBSD-EN-16:02.pf.asc
https://www.freebsd.org/security/advisories/FreeBSD-EN-16:03.yplib.asc

For us, it always yields the question: how quickly do we need to respond? The answer is obvious: as quickly as we can. But the line is blurry when operating within a larger update infrastructure, compile time for the new operating system core, wanting to test everything before it's shipped, crafting patch notes and general code review.

To that end, 15.7.24 was released with a better way of base/kernel update verification that allows us to deploy verified updates out of band. We added a cryptographic fingerprint to all update files, which is automatically downloaded along with the update and verified locally.

All of this is a work in progress and will undergo further reengineering so that the process can be automated at some point during the 16.1 series, but we're not there just yet. And now, without further ado...

IT IS NOT RECOMMENDED TO CONTINUE READING WITHOUT HAVING UPGRADED TO 15.7.24 FIRST.

To update to the new 15.7.25 kernel and base immediately, you can run these commands manually:

# opnsense-update -bkr 15.7.25 && /usr/local/etc/rc.reboot

After reboot (which is really important, don't skip it), your FreeBSD should report 10.1-RELEASE-p27.

Please let us know how that works for you.

If you have any questions feel free to ask. :)


Enjoy,
Franco
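
A post-reboot check for the step described in the post above, as an added example that is not part of the original post or of OPNsense's own tooling. It compares the running kernel, the installed kernel and the userland against the expected patch level, so a skipped reboot shows up as its own state. The function names and state words are hypothetical, and it assumes `freebsd-version` with its `-k` and `-u` options is present on the system.

```shell
#!/bin/sh
# Added example: did the base/kernel update take effect after the reboot?
EXPECTED="${EXPECTED:-10.1-RELEASE-p27}"   # patch level quoted in the post

# "10.1-RELEASE-p27" -> "10.1-RELEASE"
release_of() { printf '%s\n' "${1%-p[0-9]*}"; }

# "10.1-RELEASE-p27" -> "27"; no -pN suffix means patch level 0
patch_of() {
    case "$1" in
        *-p[0-9]*) p=${1##*-p}; printf '%s\n' "${p%%[!0-9]*}" ;;
        *) echo 0 ;;
    esac
}

# check_update RUNNING_KERNEL INSTALLED_KERNEL USERLAND EXPECTED
# Prints one state word and returns non-zero unless the state is "ok".
check_update() {
    want_rel=$(release_of "$4"); want_p=$(patch_of "$4")
    for v in "$1" "$2" "$3"; do
        if [ "$(release_of "$v")" != "$want_rel" ]; then
            echo "release-mismatch"; return 3
        fi
    done
    # Files on disk are older than expected: the update did not install.
    if [ "$(patch_of "$2")" -lt "$want_p" ] || [ "$(patch_of "$3")" -lt "$want_p" ]; then
        echo "not-updated"; return 2
    fi
    # New kernel is on disk but the old one is still in memory.
    if [ "$(patch_of "$1")" -lt "$(patch_of "$2")" ]; then
        echo "reboot-pending"; return 1
    fi
    echo "ok"
}

if command -v freebsd-version >/dev/null 2>&1; then
    # Live check on the firewall (assumes freebsd-version is in the base set).
    check_update "$(uname -r)" "$(freebsd-version -k)" \
        "$(freebsd-version -u)" "$EXPECTED" || true
else
    # Constructed sample: update installed, reboot skipped.
    check_update 10.1-RELEASE-p26 10.1-RELEASE-p27 10.1-RELEASE-p27 \
        "$EXPECTED" || true
fi
```
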
Title: Re: [CALL FOR TESTING] FreeBSD advisories/errata and update response times
Post by: phoenix on January 15, 2016, 02:04:20 pm
Hi Franco

So far, so good - the update went OK and I'll keep an eye on my system to see if there's anything other than the normal smooth running. :)
Title: Re: [CALL FOR TESTING] FreeBSD advisories/errata and update response times
Post by: weust on January 15, 2016, 04:28:10 pm
Same here. Will play on the console tonight to see how it holds.
Doubt that will give me problems.

OPNsense 15.7.24-amd64
FreeBSD 10.1-RELEASE-p27
LibreSSL 2.2.5

Title: Re: [CALL FOR TESTING] FreeBSD advisories/errata and update response times
Post by: franco on January 15, 2016, 04:58:51 pm
Thanks guys. :)

FWIW, I think this is the most boring CFT yet. Don't get your hopes up, enjoy the weekend instead.
Title: Re: [CALL FOR TESTING] FreeBSD advisories/errata and update response times
Post by: weust on January 15, 2016, 05:40:50 pm
Will do. Gaming going fine so far :-)

Have a good weekend.
Title: Re: [CALL FOR TESTING] FreeBSD advisories/errata and update response times
Post by: interfaSys on January 15, 2016, 10:49:02 pm
All good here as well on 15.7.99
Title: Re: [CALL FOR TESTING] FreeBSD advisories/errata and update response times
Post by: franco on January 18, 2016, 08:00:30 am
Not sure how many upgraded, but the CFT went out to Twitter as well and all looks good. We've done this procedure hundreds of times internally, but it was still a bit exciting to let users try it themselves now. It's definitely a possibility to make this more prominent and this little test has already influenced the way the base/kernel updates are being tagged for 16.1 and up. Thanks everyone!