Copyright notice

© 2004-2007 nixCraft. The articles are copyrighted by nixCraft and can only be reproduced given the author's permission.

FreeBSD update software and apply security patch

Posted by Vivek In Tips, Sys admin, Security, Howto, FreeBSD

Updating a FreeBSD server is quite easy. You can apply security patches to keep a FreeBSD system up to date.

Required tools aka software

You need to have the following tools on the system:
(a) portmanager - FreeBSD ultimate ports update utility.

(b) portsnap - It is a system for securely distributing the FreeBSD ports tree. Approximately once an hour, a snapshot of the ports tree is generated, repackaged, and cryptographically signed. The resulting files are then distributed via HTTP.

(c) pkg_version - Lists installed packages whose version is older than the current version.

All of the above utilities work together to keep FreeBSD up to date :)

FreeBSD install portsnap

On FreeBSD 6.0 and more recent versions, Portsnap is contained in the FreeBSD base system. You can install portsnap as follows on FreeBSD <= 6.0:
# cd /usr/ports/ports-mgmt/portsnap
# make install clean

FreeBSD install portmanager

Simply type the following command:
# cd /usr/ports/sysutils/portmanager
# make install clean

Upgrade FreeBSD ports collection

Run portsnap as follows:
# portsnap fetch extract
OR
# portsnap fetch
# portsnap extract

Output:

Looking up portsnap.FreeBSD.org mirrors... 4 mirrors found.
Fetching public key from portsnap3.FreeBSD.org... done.
Fetching snapshot tag from portsnap3.FreeBSD.org... done.
Fetching snapshot metadata... done.
Fetching snapshot generated at Sun Aug  5 19:38:18 CDT 2007:
b73e908500446b6593a4f763b8b2128490e733547cdaa7100% of   49 MB  195 kBps 00m00s
Extracting snapshot... done.
Verifying snapshot integrity... done.
Fetching snapshot tag from portsnap3.FreeBSD.org... done.
Fetching snapshot metadata... done.
Updating from Sun Aug  5 19:38:18 CDT 2007 to Mon Aug  6 05:58:34 CDT 2007.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 18 patches.....10.... done.
Applying patches... done.
Fetching 0 new ports or files... done.
....
..
...

Display outdated ports list

You can list outdated ports with the pkg_version command:
# pkg_version -vIL=
OR
# pkg_version -vIL'<'
Output:

bash-3.1.17                         <   needs updating (index has 3.2.17_2)
gettext-0.14.5_2                    <   needs updating (index has 0.16.1_3)
libtool-1.5.22_2                    <   needs updating (index has 1.5.22_4)
linux_base-fc-4_9                   <   needs updating (index has 4_10)
....
......
.

Where,

Update FreeBSD packages / software

Now run portmanager to upgrade installed ports:
# portmanager -u

It updates ports in the correct order based on their dependencies. If a port fails to “make” during the update, it is marked as ignored. Portmanager will continue updating any ports not marked as “ignored” so long as they are not dependent on the ignored port. Also note that it may take some time if you have a large number of applications installed.

If you need to upgrade all installed ports with logging, enter:
# portmanager -u -l

How do I upgrade a single software only?

portmanager allows you to update a single port and all of its dependencies. For example, to update the port called bash, i.e. the bash shell (shells/bash), enter:
# portmanager shells/bash -l -u -f
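
To decide which ports to upgrade one at a time, the pkg_version listing shown earlier can be turned into a short review list first. The script below is an added example, not part of the original post; the function names and the zip line in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: parse `pkg_version -vIL=` output into "name installed index".

# Sample input: the four lines shown in the article plus one constructed
# up-to-date line (zip) to show that non-"<" entries are skipped.
sample_pkg_version_output() {
    cat <<'EOF'
bash-3.1.17                         <   needs updating (index has 3.2.17_2)
gettext-0.14.5_2                    <   needs updating (index has 0.16.1_3)
zip-2.32                            =   up-to-date with index
libtool-1.5.22_2                    <   needs updating (index has 1.5.22_4)
linux_base-fc-4_9                   <   needs updating (index has 4_10)
EOF
}

# Read pkg_version output on stdin; print one "name installed index" line
# per package flagged "<". The version is the text after the LAST hyphen,
# so names that contain hyphens (linux_base-fc) are split correctly.
outdated_ports() {
    awk '$2 == "<" && match($0, /index has [^)]+/) {
        idx = substr($0, RSTART + 10, RLENGTH - 10)   # skip "index has "
        cut = 0
        for (i = length($1); i > 0; i--)
            if (substr($1, i, 1) == "-") { cut = i; break }
        if (cut == 0) next
        print substr($1, 1, cut - 1), substr($1, cut + 1), idx
    }'
}

# Exit 0 if the named package ($1) is in the outdated list read from stdin.
is_outdated() {
    outdated_ports | awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

sample_pkg_version_output | outdated_ports
```

On a real system, pipe the live listing in instead of the sample: pkg_version -vIL= | outdated_ports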

How do I apply update again?

To update the system again, just type the following commands:
# portsnap fetch
# portsnap update
# portmanager -u -l

How do I apply binary security updates for FreeBSD?

The latest version includes a tool called freebsd-update (thanks to Bok for pointing out this tool). The freebsd-update tool is used to fetch, install, and roll back binary updates to the FreeBSD base system.

Fetch updates

Use the fetch option to get all available binary updates:
# freebsd-update fetch
Output:

Looking up update.FreeBSD.org mirrors... 1 mirrors found.
Fetching public key from update1.FreeBSD.org... done.
Fetching metadata signature from update1.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 18 patches.....10.... done.
Applying patches... done.

The following files will be updated as part of updating to 6.2-RELEASE-p7:
/boot/kernel/kernel
/etc/rc.d/jail
....
.....
/usr/lib/libmagic.so.2
/usr/sbin/dnssec-signzone
/usr/sbin/freebsd-update
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/tcpdump

WARNING: FreeBSD 6.2-RELEASE is approaching its End-of-Life date.
It is strongly recommended that you upgrade to a newer
release within the next 5 months.

Install updates

Install the most recently fetched updates:
# freebsd-update install
Output:

Installing updates... done.

Rollback updates

Optional: You can uninstall the most recently installed updates:
# freebsd-update rollback

Reboot system

You must reboot FreeBSD to take advantage of the newly patched kernel:
$ uname -a
Output:

FreeBSD vip-1.freebsd.nixcraft.com 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007
root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

$ sudo reboot
After reboot verify system:
$ uname -a
Output:

FreeBSD vip-1.freebsd.nixcraft.com 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 17:40:53 UTC 2007     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
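
uname only reports the kernel's patch level, so the file list printed by freebsd-update fetch is the more direct signal for whether a reboot is needed and which executables were replaced. The script below is an added example, not part of the original post; the function names are constructed, and the sample input is the file list from the fetch output above with the elided lines dropped.

```shell
#!/bin/sh
# Added example: classify saved `freebsd-update fetch` output.

# Sample input: taken from the fetch output shown in the article.
sample_fetch_output() {
    cat <<'EOF'
Applying patches... done.

The following files will be updated as part of updating to 6.2-RELEASE-p7:
/boot/kernel/kernel
/etc/rc.d/jail
/usr/lib/libmagic.so.2
/usr/sbin/named
/usr/sbin/tcpdump

WARNING: FreeBSD 6.2-RELEASE is approaching its End-of-Life date.
EOF
}

# Print the patch level the fetched updates lead to.
target_release() {
    sed -n 's/^The following files will be updated as part of updating to \(.*\):$/\1/p'
}

# Print only the paths in the "will be updated" list (it ends at a blank line).
updated_files() {
    awk '/will be updated as part of updating to/ { inlist = 1; next }
         inlist && /^\//                          { print; next }
         inlist && /^$/                           { inlist = 0 }'
}

# Exit 0 when a file under /boot/kernel/ is in the list: the patched kernel
# only takes effect after a reboot.
needs_reboot() {
    updated_files | grep -q '^/boot/kernel/'
}

# Print updated executables; daemons started from them keep running the old
# code until they are restarted.
updated_binaries() {
    updated_files | grep -E '^(/usr)?/s?bin/' || true
}

sample_fetch_output | target_release
if sample_fetch_output | needs_reboot; then echo "reboot required"; fi
sample_fetch_output | updated_binaries
```

On a real system the input would be a saved copy of the fetch output fed to these functions on stdin.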

Updated for accuracy.


6 Responses to “FreeBSD update software and apply security patch”

  1. George Donnelly Says:

    - portsnap, as you mention, is in the base system. so there is no need to install it from ports too.

    - “make;make install;make clean” that is silly. just run ‘make install clean’

    - ‘portsnap featch’ typo.

    - using an automated tool to update all installed ports is IMO risky and not recommended for production machines.

  2. BOK Says:

    Don’t forget the “freebsd-update”-command for binary updates of the base system!
    http://www.daemonology.net/freebsd-update/
    It’s standard in FreeBSD-6.2-RELEASE these days.

  3. vivek Says:

    George,

    Thanks for the heads up.

    Bok,

    Yup, I forgot about freebsd-update. Thanks for sharing the same with us.

  4. raj Says:

    George Donnelly Says: using an automated tool to update all installed ports is IMO risky and not recommended for production machines.

    So what command do you recommend to upgrade Apache port?

  5. vivek Says:

    @raj,

    portmanager www/apache22 -l -u -f

  6. Balwinder S Dheeman Says:

    Yep, portsnap though howsoever smart it may be or may it be in the base system, is useless for all those people who have some custom ports in their /usr/ports tree. So, … You need to use csup or cvsup instead ;)

    You have not mentioned the lovely ‘portaudit’, we need not update and, or upgrade every application and, or package on live servers; The portaudit can advise you on security alerts and, or any vulnerabilities found in your installed packages/ports

    Take care,
