John Hall wrote:
I don't think it's possible to update to 5.4-RELEASE, as it
doesn't exist yet AFAICT from the web site. I've not checked
the CVS repo or mirrors, so I guess it's possible that it has
been tagged in the last couple of days, though.
Updating to any codebase from today or following the
patch method outlined in the announcement should
make you safe from this vulnerability.
See the Handbook chapter on "the Cutting Edge".
The RELEASE tag you'd want would be "RELENG_5",
Whoops, OK: now I see that apparently 5.4 has
been tagged. As mentioned in the advisory, you
can either patch your system and recompile the
kernel or update to one of seven different code
paths to get the new code. If your server was built
just a week ago, then 5.4-RELEASE sounds great
for this purpose, and the only viable choices for you
are RELENG_5, RELENG_5_4, or RELENG_5_3.
However, the recommended procedure for the
entire world reinstall includes some time (not
much, probably) spent in single-user mode, so if this
is a busy box that needs 99.99 percent uptime, maybe
the kernel rebuild would be better, as a simple reboot
on the new kernel would be the only thing required....
I'm sure that this statement might be open to debate....