In very short order, an exploit for OpenSSH was reported, followed a day later by a new security problem with Sendmail. It crossed my mind, once again, to try an alternative to Sendmail, but the thought didn't last long.
It had been so long since I'd updated the ports that even with the benefit of re-reading my own Technical Journal entry, I had difficulty in remembering what to do. So this note is to remind me how to do it.
I'd chosen to use the cvsup method of keeping the ports tree updated. Cvsup will ensure that your ports tree is up-to-date, downloading new versions of the ports files as required. In order to use cvsup, /usr/ports/net/cvsup must be installed, and the easiest way is to use /stand/sysinstall, or pkg_add, to install the package. This is because compiling from the ports collection will take some time due to cvsup's dependency on the Modula-3 system. To fetch and install the package via pkg_add, issue the following command as root:
pkg_add -r cvsup
It's then best to create a directory for all cvsup related files. The recommended place is /usr/local/etc/cvsup. As root, copy /usr/share/examples/cvsup/ports-supfile to the new location, such as /usr/local/etc/cvsup/ports-supfile. You must then edit your local ports-supfile. Change CHANGE_THIS.FreeBSD.org to a CVSup server near you. For me, this was cvsup2.uk.freebsd.org. Also change default base to /usr/local/etc/cvsup by setting the *default base value. These two changed lines will then look like:
*default host=cvsup2.uk.freebsd.org
*default base=/usr/local/etc/cvsup
Then run cvsup:
cvsup -g -L 2 /usr/local/etc/cvsup/ports-supfile
The -g argument tells cvsup not to use a GUI. The -L 2 argument sets the verbosity level. You must be connected to the Internet for this to work. A couple of hours later (depending on your line speed and how up-to-date your system is), the cvsup process will be finished.
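The supfile edit described above can be scripted so that cvsup is never run against a file that still carries the placeholder host. This is an added example, not part of the original journal entry; configure_supfile and sample_supfile are hypothetical helper names, and the sample supfile is a constructed stand-in for /usr/share/examples/cvsup/ports-supfile.

```shell
#!/bin/sh
# Added example. configure_supfile and sample_supfile are hypothetical
# helpers, not part of cvsup.

# Constructed stand-in for the shipped example supfile.
sample_supfile() {
    cat <<'EOF'
*default host=CHANGE_THIS.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=.
ports-all
EOF
}

# usage: configure_supfile SRC DST HOST BASE
# Writes DST as a copy of SRC with the "*default host" and "*default base"
# lines rewritten. HOST and BASE must not contain '|' or '&' (sed syntax).
configure_supfile() {
    src=$1 dst=$2 host=$3 base=$4
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # Rewrite only the two defaults; every other line is kept as-is.
    sed -e "s|^\*default host=.*|*default host=$host|" \
        -e "s|^\*default base=.*|*default base=$base|" \
        "$src" > "$dst" || return 1
    # Refuse a result that still names the placeholder server.
    if grep -q 'CHANGE_THIS' "$dst"; then
        echo "placeholder host still present in $dst" >&2
        return 1
    fi
    # Both settings must appear as exact, whole lines.
    grep -Fxq "*default host=$host" "$dst" || return 1
    grep -Fxq "*default base=$base" "$dst" || return 1
}

# Typical use, as root, before running cvsup:
#   configure_supfile /usr/share/examples/cvsup/ports-supfile \
#       /usr/local/etc/cvsup/ports-supfile \
#       cvsup2.uk.freebsd.org /usr/local/etc/cvsup
```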
The next step is to re-install the ports that have been updated. I only cared about the Internet accessible applications, i.e. sendmail, OpenSSH and apache.
I started with OpenSSH, cd'd to the /usr/ports/security/openssh-portable directory and issued the following command:
make -DOPENSSH_OVERWRITE_BASE install
The new version built fine, but on the install it complained that a version was already installed. It advised me to "make deinstall" and then "make reinstall". I'd never seen this message before, but maybe it explained why I had two versions of openssh-portable and two versions of sendmail in the listing from pkg_info. I followed the advice:
make -DOPENSSH_OVERWRITE_BASE deinstall
make -DOPENSSH_OVERWRITE_BASE reinstall
The "make deinstall" complained about missing files, but I suspect that was due to the fact it was trying to deinstall a version that was really not there.
I followed the same process for sendmail and apache:
cd /usr/ports/mail/sendmail
make DESTDIR="" PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/mail \
    DESTEXEC=/usr/libexec DESTRUN=/var/run DESTBIN=/usr/sbin \
    deinstall
make DESTDIR="" PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/mail \
    DESTEXEC=/usr/libexec DESTRUN=/var/run DESTBIN=/usr/sbin \
    reinstall
cd /usr/ports/www/apache13
make deinstall
make reinstall
Both of these ports installed with no problems. Now I was back up to date.