From 7f25c8447d99d0ea9a88f822089300d06a500edb Mon Sep 17 00:00:00 2001 From: Xi Ruoyao Date: Fri, 14 May 2021 22:44:01 +0800 Subject: [PATCH 1/6] glibc: remove libc_cv_rtlddir override for now Back to use the sed. Need to investigate later. --- chapter05/glibc.xml | 3 +-- chapter08/glibc.xml | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/chapter05/glibc.xml b/chapter05/glibc.xml index e3d77b8bf..79c65913a 100644 --- a/chapter05/glibc.xml +++ b/chapter05/glibc.xml @@ -80,8 +80,7 @@ cd build --build=$(../scripts/config.guess) \ --enable-kernel=&min-kernel; \ --with-headers=$LFS/usr/include \ - libc_cv_slibdir=/usr/lib \ - libc_cv_rtlddir=/usr/lib + libc_cv_slibdir=/usr/lib The meaning of the configure options: diff --git a/chapter08/glibc.xml b/chapter08/glibc.xml index 2b4c064e5..9aefe30d2 100644 --- a/chapter08/glibc.xml +++ b/chapter08/glibc.xml @@ -72,8 +72,7 @@ cd build --enable-kernel=&min-kernel; \ --enable-stack-protector=strong \ --with-headers=/usr/include \ - libc_cv_slibdir=/usr/lib \ - libc_cv_rtlddir=/usr/lib + libc_cv_slibdir=/usr/lib The meaning of the configure options: From 7a8a136dffb723dac58d1161cfee173ac369be38 Mon Sep 17 00:00:00 2001 From: Bruce Dubbs Date: Fri, 14 May 2021 10:17:51 -0500 Subject: [PATCH 2/6] Tweak mail address for missing patches --- stylesheets/patcheslist.xsl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stylesheets/patcheslist.xsl b/stylesheets/patcheslist.xsl index d562ee2d7..d86d1814d 100644 --- a/stylesheets/patcheslist.xsl +++ b/stylesheets/patcheslist.xsl @@ -38,7 +38,7 @@ umask 002 chgrp lfswww *.patch && if [ `wc -l copyerrs | sed 's/ *//' | cut -f1 -d' '` -gt 0 ]; then - mail -s "Missing LFS patches" lfs-book@linuxfromscratch.org < copyerrs + mail -s "Missing LFS patches" lfs-book@lists.linuxfromscratch.org < copyerrs fi exit From 6df63e484f39596859dd7712adbfd4989a87e4db Mon Sep 17 00:00:00 2001 
From: Ken Moffat Date: Fri, 14 May 2021 16:41:52 +0100 Subject: [PATCH 3/6] OpenSSL: add a note about upgrading. --- chapter01/changelog.xml | 8 ++++++++ chapter08/openssl.xml | 28 ++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/chapter01/changelog.xml b/chapter01/changelog.xml index 4cf1252c9..614731b11 100644 --- a/chapter01/changelog.xml +++ b/chapter01/changelog.xml @@ -42,6 +42,14 @@ or as appropriate for the entry or if needed the entire day's listitem. --> + + 2021-05-14 + + + [ken] - Add a Note about upgrading in OpenSSL. + + + 2021-05-12 diff --git a/chapter08/openssl.xml b/chapter08/openssl.xml index 934d5bd83..b96c355f7 100644 --- a/chapter08/openssl.xml +++ b/chapter08/openssl.xml @@ -77,6 +77,34 @@ make MANSUFFIX=ssl install cp -vfr doc/* /usr/share/doc/openssl-&openssl-version; + + + You should update OpenSSL when a new version which fixes vulnerabilities + is announced. The releases run in series, with a letter for each release + after the initial release (e.g. 1.1.1, 1.1.1a, 1.1.1b, etc). Because LFS + installs only the shared libraries, there is no need to recompile packages + which link to libcrypto.so or + libssl.so + when upgrading in the same series. + + + + However, any running programs linked to those libraries need to be stopped + and restarted. The following command, run as + root after udating, will list what is + using the old versions of those libraries: + + +grep -l -e 'libssl.*deleted' -e 'libcrypto.*deleted' /proc/*/maps | + tr -cd 0-9\\n | xargs -r ps u + + + If you used OpenSSH to login to the system, you + need to logout, login again, and rerun that command to confirm nothing is + still using the deleted libraries. + + + From 80838616e5a049e80efda352f5cf91a2fd22ea66 Mon Sep 17 00:00:00 2001 
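Review bot: The listing command in the added OpenSSL note finds stale processes only through the `(deleted)` marker in `/proc/*/maps`, and the note does not say so. That marker appears only when the old library file was unlinked or renamed over during the install. If an install method overwrites `libssl.so` or `libcrypto.so` in place, or keeps the old file under another name, the command prints nothing while old code is still mapped. I would add a sentence such as `An empty result is only meaningful if the old library files were removed or replaced, not overwritten in place.` The same command is carried into chapter08/pkgmgt.xml by patch 5/6 with the same gap, and the added text here has the typo `udating`.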
From: Xi Ruoyao Date: Sun, 16 May 2021 02:28:22 +0800 Subject: [PATCH 4/6] glibc: remove description of libc_cv_rtlddir for now --- chapter05/glibc.xml | 8 -------- chapter08/glibc.xml | 8 -------- 2 files changed, 16 deletions(-) diff --git a/chapter05/glibc.xml b/chapter05/glibc.xml index 79c65913a..02ff025e2 100644 --- a/chapter05/glibc.xml +++ b/chapter05/glibc.xml @@ -121,14 +121,6 @@ cd build - - libc_cv_rtlddir=/usr/lib - - Fix hardcoded path to the executable loader in the - ldd script. - - - diff --git a/chapter08/glibc.xml b/chapter08/glibc.xml index 9aefe30d2..8efd2ca90 100644 --- a/chapter08/glibc.xml +++ b/chapter08/glibc.xml @@ -120,14 +120,6 @@ cd build - - libc_cv_rtlddir=/usr/lib - - Fix hardcoded path to the executable loader in the - ldd script. - - - From 59fef4c47ec96d7c10db3b8c24790142018f131c Mon Sep 17 00:00:00 2001 From: Xi Ruoyao Date: Sun, 16 May 2021 02:52:59 +0800 Subject: [PATCH 5/6] generalize ken's note for shared library update, ... and move it into package management section --- chapter08/openssl.xml | 13 ++----------- chapter08/pkgmgt.xml | 21 ++++++++++++++++++++- 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/chapter08/openssl.xml b/chapter08/openssl.xml index b96c355f7..d1690efc6 100644 --- a/chapter08/openssl.xml +++ b/chapter08/openssl.xml @@ -90,19 +90,10 @@ make MANSUFFIX=ssl install However, any running programs linked to those libraries need to be stopped - and restarted. The following command, run as - root after udating, will list what is - using the old versions of those libraries: + and restarted. Read the related entries in + for details. -grep -l -e 'libssl.*deleted' -e 'libcrypto.*deleted' /proc/*/maps | - tr -cd 0-9\\n | xargs -r ps u - - - If you used OpenSSH to login to the system, you - need to logout, login again, and rerun that command to confirm nothing is - still using the deleted libraries. - diff --git a/chapter08/pkgmgt.xml b/chapter08/pkgmgt.xml index 6c628c3d6..809421c3f 100644 
--- a/chapter08/pkgmgt.xml +++ b/chapter08/pkgmgt.xml @@ -41,7 +41,7 @@ the Hints Project and see if one of them fits your need. - + Upgrade Issues A Package Manager makes it easy to upgrade to newer versions when they @@ -91,6 +91,25 @@ you have to downgrade a package, or the package changes the versioning scheme of library files suddenly. + If a package containing a shared library is updated, + and the name of library doesn't change, but a severe issue + (especially, a security vulnerability) is fixed, all running programs + linked to the shared library should be restarted. The following + command, run as root after + updating, will list what is using the old versions of those libraries + (replace libfoo with the name of the + library): + +grep -l -e 'libfoo.*deleted' /proc/*/maps | + tr -cd 0-9\\n | xargs -r ps u + + + If OpenSSH is being used for accessing + the system and it is linked to the updated library, you need to + restart sshd service, then logout, login again, + and rerun that command to confirm nothing is still using the + deleted libraries. + From 7fbfed56688ea26852ae1562619b08612cc1ca21 Mon Sep 17 00:00:00 2001 From: Ken Moffat Date: Sun, 16 May 2021 03:06:47 +0100 Subject: [PATCH 6/6] For consistency, do not use /bin in bzip2 and inetutils. --- chapter08/bzip2.xml | 4 ++-- chapter08/inetutils.xml | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/chapter08/bzip2.xml b/chapter08/bzip2.xml index d3b7d42c4..5d1e53469 100644 --- a/chapter08/bzip2.xml +++ b/chapter08/bzip2.xml @@ -89,9 +89,9 @@ make clean ln -sv libbz2.so.&bzip2-version; /usr/lib/libbz2.so Install the shared bzip2 binary into the - /bin directory: + /usr/bin directory: -cp -v bzip2-shared /bin/bzip2 +cp -v bzip2-shared /usr/bin/bzip2 Remove an useless static library: diff --git a/chapter08/inetutils.xml b/chapter08/inetutils.xml index b79a0b782..b80db6f1d 100644 --- a/chapter08/inetutils.xml +++ b/chapter08/inetutils.xml 
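Review bot: The generalized pattern `'libfoo.*deleted'` in the added pkgmgt.xml paragraph is a prefix match, so substituting a short library name over-reports. With `libc`, for example, it also matches `libcrypto`, `libcap` and every other `libc*` mapping, which makes it hard to see which processes actually need a restart after a security fix. Anchoring on the path separator and on the character after the name keeps the list to the updated library, e.g. `grep -l -e '/libfoo[.-].*(deleted)' /proc/*/maps`. The paragraph could also state that the substituted name is the base name without the `.so` suffix, since the text only says "the name of the library".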
@@ -43,6 +43,7 @@ Prepare Inetutils for compilation: ./configure --prefix=/usr \ + --bindir=/usr/bin \ --localstatedir=/var \ --disable-logger \ --disable-whois \ @@ -116,7 +117,7 @@ Move a program to the proper location: -mv -v /{,s}bin/ifconfig +mv -v /usr/{,s}bin/ifconfig