FreeBSD Update Software and Apply Security Patches

Author: Vivek Gite Last updated: August 6, 2007 15 comments

Updating FreeBSD server system is quite easy. You can apply security patch to keep freebsd system up to date.

Required tools aka software

You need to have following tools on system
(a) portmanager – FreeBSD ultimate ports update utility.

(b) portsnap – It is a system for securely distributing the FreeBSD ports tree. Approximately once an hour, a snapshot of the ports tree is generated, repackaged, and cryptographically signed. The resulting files are then distributed via HTTP.

All of the above utilities work together to keeping FreeBSD up to date 🙂

FreeBSD install portsnap (for older system version

On FreeBSD 6.0+, portsnap is contained in the FreeBSD base (core) system. You only need to to install portsanp as follows for older FreeBSD system:
# cd /usr/ports/ports-mgmt/portsnap # make install clean

FreeBSD install portmanager

Simply type the following command:
# cd /usr/ports/ports-mgmt/portmanager # make install clean

Upgrade FreeBSD ports collection

Run portsnap as follows:
# portsnap fetch extract
OR
# portsnap fetch # portsnap extract
Output:

Looking up portsnap.FreeBSD.org mirrors... 4 mirrors found.
Fetching public key from portsnap3.FreeBSD.org... done.
Fetching snapshot tag from portsnap3.FreeBSD.org... done.
Fetching snapshot metadata... done.
Fetching snapshot generated at Sun Aug  5 19:38:18 CDT 2007:
b73e908500446b6593a4f763b8b2128490e733547cdaa7100% of   49 MB  195 kBps 00m00s
Extracting snapshot... done.
Verifying snapshot integrity... done.
Fetching snapshot tag from portsnap3.FreeBSD.org... done.
Fetching snapshot metadata... done.
Updating from Sun Aug  5 19:38:18 CDT 2007 to Mon Aug  6 05:58:34 CDT 2007.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 18 patches.....10.... done.
Applying patches... done.
Fetching 0 new ports or files... done.
....
..
...

Display outdated ports list

You can list outdated ports list with pkg_version command:
# pkg_version -vIL=
OR
# pkg_version -vIL' Output:

bash-3.1.17

Where,

v : Enable verbose output.
I : Use only the index file for determining if a package is out of date (faster result)
L= : Limit the output to those packages whose status flag does not match = (the installed version of the package is current.)
L' : Limit the output to those packages whose status flag does not match

Update FreeBSD packages / software

Now run portmanager to upgrade installed ports:
# portmanager -u

It will updates ports in the correct order based on their dependencies. If a port fails to "make" during update it is marked as ignored. Portmanager will continue updating any ports not marked as "ignored" so long as they are not dependent on the ignored port. Also note that it may take some time if you have large number of application installed.

If you need to upgrade all installed ports with logging, enter:
# portmanager -u -l

How do I upgrade a single software only?

portmanager allows you to update a single port and all of its dependencies. For example update port called bash i.e. bash shell (shells/bash), enter:
# portmanager shells/bash -l -u -f

How do I apply update again?

In order to update system again just type the following command:
# portsnap fetch # portsnap update # portmanager -u -l

How do I apply binary security updates for FreeBSD?

Latest version includes a tool called freebsd-update (thanks to Bok for pointing out this tool). The freebsd-update tool is used to fetch, install, and rollback binary updates to the FreeBSD base system.

Fetch updates

Use fetch option to get all available binary updates:
# freebsd-update fetch
Output:

Looking up update.FreeBSD.org mirrors... 1 mirrors found.
Fetching public key from update1.FreeBSD.org... done.
Fetching metadata signature from update1.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 18 patches.....10.... done.
Applying patches... done.

The following files will be updated as part of updating to 6.2-RELEASE-p7:
/boot/kernel/kernel
/etc/rc.d/jail
....
.....
/usr/lib/libmagic.so.2
/usr/sbin/dnssec-signzone
/usr/sbin/freebsd-update
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/tcpdump

WARNING: FreeBSD 6.2-RELEASE is approaching its End-of-Life date.
It is strongly recommended that you upgrade to a newer
release within the next 5 months.

Install updates

Install the most recently fetched updates:
# freebsd-update install
Output:

Installing updates... done.

Rollback updates

Optional: You can uninstall most recently installed updates:

# freebsd-update  rollback

Reboot system

You must reboot FreeBSD to take advntage of newly patched kernel:
$ uname -a
Output:

FreeBSD vip-1.freebsd.nixcraft.com 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007
root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

$ sudo reboot
After reboot verify system:
$ uname -a
Output:

FreeBSD vip-1.freebsd.nixcraft.com 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Thu Apr 26 17:40:53 UTC 2007     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

Further readings:

Read pkg_version, portmanager and portsnap man page
Using Portsnap

Updated for accuracy.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 15 comments so far... add one ↓

Category	List of Unix and Linux commands
File Management	cat
Firewall	Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04
Network Utilities	dig • host • ip • nmap
OpenVPN	CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04
Package Manager	apk • apt
Processes Management	bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time
Searching	grep • whereis • which
User Information	groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w
WireGuard VPN	Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04

15 comments… add one

dek Jul 2, 2012 @ 15:59

freebsd-update: command not found
uh oh

Reply Link
Mike Jun 9, 2011 @ 9:40

nice concise info, thanks

Reply Link
Mark Hentov Oct 8, 2010 @ 0:53

Why does freebsd-update fail so utterly? Yes, my machine is online. I can ping the entire Interwub. Yes, my firewall is off.

root@mentos# freebsd-update fetch
Looking up update.FreeBSD.org mirrors… 4 mirrors found.
Fetching public key from update2.FreeBSD.org… failed.
Fetching public key from update5.FreeBSD.org…
failed.
Fetching public key from update4.FreeBSD.org… failed.
Fetching public key from update3.FreeBSD.org… failed.
No mirrors remaining, giving up.

root@mentos# ping hhh.com
PING hhh.com (208.73.210.48): 56 data bytes
64 bytes from 208.73.210.48: icmp_seq=0 ttl=244 time=93.654 ms
64 bytes from 208.73.210.48: icmp_seq=1 ttl=244 time=97.775 ms

Reply Link
Biwebco.com Feb 25, 2010 @ 19:45

thx!

Reply Link
NNT Feb 25, 2010 @ 17:28

Biwebco.com >

do a binary rehash
# rehash

Reply Link
Biwebco.com Jan 20, 2010 @ 20:22

nice time,
I’m trying FreeBSD and can’t get portmanager to run.

#make install clean
……
* see man portmanager(1) or http://portmanager.sunsite.dk
*
===> Compressing manual pages for portmanager-0.4.1_9
===> Running ldconfig
/sbin/ldconfig -m /usr/local/lib
===> Registering installation for portmanager-0.4.1_9
===> Cleaning for portmanager-0.4.1_9

# portmanager -u
portmanager: Command not found.

What’s wrong? THX

Reply Link
Roy Apr 16, 2009 @ 14:56

I tried to upgrade install softwares on my system like this and it messed up my system. I backed up all the configuration file. But so many libraries are missing. So many programs broken. I would recommend upgrading installed ports using automated tools like this. I have tried portupgrade and it wasnt very good. But it didnt damage my system like this. lol

Reply Link
David Radovanovic Oct 22, 2008 @ 17:37

Thanks a bunch for the easy to read and comprehend instructions. They have saved me a lot of wasted time. Thanks again!

Reply Link
Keijo Salakari Jan 4, 2008 @ 22:31

Portmanager have moved to /usr/ports/ports-mgmt/portmanager folder.

What about portupgrade?

Is it okay?

Reply Link
Balwinder S Dheeman Aug 9, 2007 @ 13:19

Yep, portsnap though howsoever smart it may be or may it be in the base system, is useless for all though people who have some custom ports in their /usr/ports tree. So, … You need to use csup or cvsup instead 😉

You have not mentioned the lovely ‘portaudit’, we need not update and, or upgrade every application and, or package on live servers; The portaudit can advise you on security alerts and, or any vulnerabilities found in your installed packages/ports

Take care,

Reply Link
🐧 nixCraft Aug 6, 2007 @ 23:30

@raj,

portmanager www/apache22 -l -u -f

Reply Link
raj Aug 6, 2007 @ 23:27

George Donnelly Says:using an automated tool to update all installed ports is IMO risky and not recommended for production machines.

So what command do you recommend to upgrade Apache port?

Reply Link
🐧 nixCraft Aug 6, 2007 @ 23:15

George,

Thanks for the heads up.

Bok,

Yup, I forgot about freebsd-update. Thanks for sharing the same with us.

Reply Link
BOK Aug 6, 2007 @ 22:36

Don’t forget the “freebsd-update”-command for binary updates of the base system!
http://www.daemonology.net/freebsd-update/
It’s standard in FreeBSD-6.2-RELEASE these days.

Reply Link
George Donnelly Aug 6, 2007 @ 16:43

– portsnap, as you mention, is in the base system. so there is no need to install it from ports too.

– “make;make install;make clean” that is silly. just run ‘make install clean’

– ‘portsnap featch’ typo.

– using an automated tool to update all installed ports is IMO risky and not recommended for production machines.

Reply Link