Like many production-quality operating systems, FreeBSD
publishes “Security Advisories”. These
advisories are usually mailed to the security lists and noted
in the Errata only after the appropriate releases have been
patched. This section explains what an advisory
is, how to understand it, and what measures to take in order
to patch a system.
The FreeBSD security advisories look similar to the one
below, taken from the freebsd-security-notifications
mailing list.
=============================================================================
FreeBSD-SA-XX:XX.UTIL                                     Security Advisory
                                                          The FreeBSD Project

Topic:          denial of service due to some problem

Category:       core
Module:         sys
Announced:      2003-09-23
Credits:        Person
Affects:        All releases of FreeBSD
                FreeBSD 4-STABLE prior to the correction date
Corrected:      2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
                2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
                2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
                2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
                2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
                2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
                2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
                2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
                2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39)
CVE Name:       CVE-XXXX-XXXX

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
http://www.FreeBSD.org/security/.

I.   Background

II.  Problem Description

III. Impact

IV.  Workaround

V.   Solution

VI.  Correction details

VII. References

- The Topic field indicates exactly
what the problem is. It is basically an introduction to
the current security advisory and notes the utility with
the vulnerability.

- The Category refers to the
affected part of the system, which may be one of
core, contrib, or
ports. The core
category means that the vulnerability affects a core
component of the FreeBSD operating system. The
contrib category means that the
vulnerability affects software contributed to the FreeBSD
Project, such as sendmail.
Finally, the ports category indicates
that the vulnerability affects add-on software available
as part of the Ports Collection.

- The Module field refers to the
component location, for instance sys.
In this example, we see that the module,
sys, is affected; therefore, this
vulnerability affects a component used within the
kernel.

- The Announced field reflects the
date said security advisory was published, or announced
to the world. This means that the security team has
verified that the problem does exist and that a patch
has been committed to the FreeBSD source code
repository.

- The Credits field gives credit to
the individual or organization who noticed the
vulnerability and reported it.

- The Affects field explains which
releases of FreeBSD are affected by this vulnerability.
For the kernel, a quick look over the output from
ident on the affected files will help
in determining the revision. For ports, the version
number is listed after the port name in
/var/db/pkg. If
the system is not synced with the FreeBSD
Subversion repository and rebuilt daily,
chances are that it is affected.

- The Corrected field indicates the
date, time, time offset, and release that was
corrected.

- The CVE Name field is reserved for
the identification information used to
look up vulnerabilities in the Common Vulnerabilities
Database system.

- The Background field gives
information on exactly what the affected utility is.
Most of the time this is why the utility exists in FreeBSD,
what it is used for, and a bit of information on how the
utility came to be.

- The Problem Description field
explains the security hole in depth. This can include
information on flawed code, or even how the utility
could be maliciously used to open a security
hole.

- The Impact field describes what
type of impact the problem could have on a system. For
example, this could be anything from a denial of service
attack, to extra privileges available to users, or even
giving the attacker superuser access.

- The Workaround field offers a
feasible workaround to system administrators who may be
incapable of upgrading the system. This may be due to
time constraints, network availability, or a slew of
other reasons. Regardless, security should not be taken
lightly, and an affected system should either be patched
or the security hole workaround should be
implemented.

- The Solution field offers
instructions on patching the affected system. This is a
step-by-step, tested, and verified method for getting a
system patched and working securely.

- The Correction Details field
displays the Subversion branch or release
name with the periods changed to underscore characters.
It also shows the revision number of the affected files
within each branch.

- The References field usually
offers sources of other information. This can include
web URLs, books, mailing lists, and
newsgroups.
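
The Affects and Corrected fields can be read mechanically to decide whether a host on a security branch still needs the fix. The following is an added example, not part of the Handbook or of FreeBSD's own tooling: the function names are hypothetical, the sample text is constructed from the advisory above, and it assumes the mailed layout (indented continuation lines) and a release string in the `X.Y-RELEASE[-pN]` form.

```python
import re
from datetime import datetime

# Constructed sample (layout as mailed); all function names are hypothetical.
SAMPLE = """\
Module:         sys
Affects:        All releases of FreeBSD
                FreeBSD 4-STABLE prior to the correction date
Corrected:      2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
                2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
                2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
CVE Name:       CVE-XXXX-XXXX
"""
CORR = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC "
                  r"\((\w+), ([\d.]+)-(\w+?)(?:-p(\d+))?\)")

def parse_header(text):
    """Return {field: [values]}; indented lines continue the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        m = re.match(r"([A-Z][A-Za-z ]*):\s+(.*)", line)
        if m:
            current = m.group(1)
            fields[current] = [m.group(2).strip()]
        elif current and line[:1].isspace() and line.strip():
            fields[current].append(line.strip())
        else:
            current = None
    return fields

def corrected_entries(fields):
    """Map release version -> (fix time in UTC, branch, patch level or None)."""
    out = {}
    for value in fields.get("Corrected", []):
        m = CORR.fullmatch(value)
        if m:
            when = datetime.strptime(m.group(1) + " +0000", "%Y-%m-%d %H:%M:%S %z")
            patch = int(m.group(5)) if m.group(5) else None
            out[m.group(3)] = (when, m.group(2), patch)
    return out

def needs_patch(release, fields):
    """True/False for an X.Y-RELEASE[-pN] string; None if no patch level is listed."""
    m = re.fullmatch(r"([\d.]+)-RELEASE(?:-p(\d+))?", release)
    if not m:
        raise ValueError("expected X.Y-RELEASE[-pN]")
    entry = corrected_entries(fields).get(m.group(1))
    if entry is None or entry[2] is None:
        return None  # the advisory lists no -pN level for this release
    return int(m.group(2) or 0) < entry[2]
```

A `None` result means the advisory gives no patch level to compare against, so the Affects text and the Solution section have to be read by hand for that release.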