Like many production-quality operating systems, FreeBSD publishes “Security
Advisories”. These advisories are usually mailed to the security lists and noted in
the Errata only after the appropriate releases have been patched. This section
explains what an advisory is, how to understand it, and what measures to take in order
to patch a system.
The FreeBSD security advisories look similar to the one below, taken from the freebsd-security-notifications mailing list.
=============================================================================
FreeBSD-SA-XX:XX.UTIL                                       Security Advisory
                                                          The FreeBSD Project

Topic:          denial of service due to some problem

Category:       core
Module:         sys
Announced:      2003-09-23
Credits:        Person
Affects:        All releases of FreeBSD
                FreeBSD 4-STABLE prior to the correction date
Corrected:      2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
                2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
                2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
                2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
                2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
                2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
                2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
                2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
                2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39)
CVE Name:       CVE-XXXX-XXXX

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
http://www.FreeBSD.org/security/.

I.   Background

II.  Problem Description

III. Impact

IV.  Workaround

V.   Solution

VI.  Correction details

VII. References
 
- The Topic field indicates exactly what the problem is. It is basically an introduction to the current security advisory and notes the utility with the vulnerability.
 
- The Category refers to the affected part of the system, which may be one of core, contrib, or ports. The core category means that the vulnerability affects a core component of the FreeBSD operating system. The contrib category means that the vulnerability affects software contributed to the FreeBSD Project, such as sendmail. Finally, the ports category indicates that the vulnerability affects add-on software available as part of the Ports Collection.
 
- The Module field refers to the component location, for instance sys. In this example, we see that the module, sys, is affected; therefore, this vulnerability affects a component used within the kernel.
 
- The Announced field reflects the date said security advisory was published, or announced to the world. This means that the security team has verified that the problem does exist and that a patch has been committed to the FreeBSD source code repository.
 
- The Credits field gives credit to the individual or organization who noticed the vulnerability and reported it.
 
- The Affects field explains which releases of FreeBSD are affected by this vulnerability. For the kernel, a quick look over the output from ident on the affected files will help in determining the revision. For ports, the version number is listed after the port name in /var/db/pkg. If the system is not synced with the FreeBSD Subversion repository and rebuilt daily, chances are that it is affected.
 
- The Corrected field indicates the date, time, time offset, and release that was corrected.
 
- The CVE Name field is reserved for the identification information used to look up vulnerabilities in the Common Vulnerabilities Database system.
 
- The Background field gives information on exactly what the affected utility is. Most of the time this is why the utility exists in FreeBSD, what it is used for, and a bit of information on how the utility came to be.
 
- The Problem Description field explains the security hole in depth. This can include information on flawed code, or even how the utility could be maliciously used to open a security hole.
 
- The Impact field describes what type of impact the problem could have on a system. For example, this could be anything from a denial of service attack, to extra privileges available to users, or even giving the attacker superuser access.
 
- The Workaround field offers a feasible workaround to system administrators who may be incapable of upgrading the system. This may be due to time constraints, network availability, or a slew of other reasons. Regardless, security should not be taken lightly, and an affected system should either be patched or the security hole workaround should be implemented.
 
- The Solution field offers instructions on patching the affected system. This is a step-by-step, tested, and verified method for getting a system patched and working securely.
 
- The Correction Details field displays the Subversion branch or release name with the periods changed to underscore characters. It also shows the revision number of the affected files within each branch.
 
- The References field usually offers sources of other information. This can include web URLs, books, mailing lists, and newsgroups.