Security Patches for Port Applications in Releases

Oliver Fromme olli at lurza.secnetix.de
Wed Jan 17 08:08:11 UTC 2007


Stevan Tiefert wrote:
 > I installed the new release 6.2 on my workstation. I installed also portaudit 
 > and run it immediatly afterwards. What have I to see? 5 vulnerable packages 
 > in my release.

What was your installation source?  I noticed that there
are a lot of stale packages on ftp.de.freebsd.org (which
is probably used as mirroring source for some of the other
ftp*.de servers).  I assume the maintainer of that mirror
forgot to re-sync after a few packages have been updated
in the past months.

For FTP-based installations within .de I recommend to use
ftp7.de.freebsd.org which re-syncs regularly directly from
the European master server.  It is up to date and does not
have those stale packages.

Of course, there might be other reasons why your particular
packages are reported as vulnerable (last but not least,
limited man-power of the ports team; after all there are
more than 16000 ports to maintain).

The advantage of the release ports is the fact that they
have been tested and scrutinized for a long time, and it
is assumed that they work in a stable manner, especially
the more important and complex ones, such as the office
suites and the popular graphical desktop systems.  It is
clear, however, that it means that you will not always
find the latest versions in the release ports.

Of course, you can always choose to update your ports to
the most up-to-date version (called "current" or "HEAD").
The ports team usually tries to make sure that they still
work on the latest FreeBSD release.  Just use the cvsup
file /usr/share/examples/cvsup/ports-supfile, insert a
cvsup server (e.g. cvsup.de.freebsd.org) and run cvsup.

If you prefer to install pre-compiled packages, you can
look at an FTP server (mirror) in the appropriate stable
directory (/pub/FreeBSD/ports/i386/packages-6-stable) to
get newer packages.  They should run fine under the latest
release.  (Of course, you can choose to update your base
system to 6-stable, too, if you like.)

I hope that answers some of your questions.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"I learned Java 3 years before Python.  It was my language of
choice.  It took me two weekends with Python before I was more
productive with it than with Java." -- Anthony Roberts
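The ports-update procedure described in the reply above (copy the example ports-supfile, set a cvsup host, run cvsup, then re-check with portaudit), as an added shell example that is not part of the original post. It assumes the FreeBSD 6.x layout the post refers to, that the example supfile carries a "*default host=" line to be replaced, and that cvsup and portaudit are installed; the sync step is kept in its own function so the supfile can be inspected before anything is fetched.

```shell
#!/bin/sh
# Added example (not from the original post): prepare a ports-supfile with a
# chosen cvsup host, then sync the ports tree and audit installed packages.
set -eu

# Copy the example supfile to a working location, replacing the
# "*default host=" line with the server to sync from (assumption: the
# example file carries such a line, e.g. CHANGE_THIS.FreeBSD.org).
prepare_supfile() {
    src="$1"; dst="$2"; host="$3"
    sed "s/^\*default host=.*/*default host=$host/" "$src" > "$dst"
}

# Print the host configured in a supfile, so it can be checked before
# running cvsup against it.
supfile_host() {
    sed -n 's/^\*default host=//p' "$1"
}

# Sync the ports tree with the prepared supfile, then fetch the current
# vulnerability database and audit every installed package.
sync_and_audit() {
    cvsup -g -L 2 "$1"
    portaudit -Fda
}

# Typical use on the workstation from the post (only runs when invoked
# with "run", so the functions can be sourced or tested on their own):
#   sh ports-update.sh run
if [ "${1:-}" = "run" ]; then
    prepare_supfile /usr/share/examples/cvsup/ports-supfile \
        /root/ports-supfile cvsup.de.freebsd.org
    echo "syncing ports from $(supfile_host /root/ports-supfile)"
    sync_and_audit /root/ports-supfile
fi
```

A non-empty portaudit report after the sync is expected on a system that still carries the stale packages mentioned in the reply; it lists the installed package versions that remain affected, which is the signal to rebuild those ports from the freshly synced tree or to fetch newer packages from the stable packages directory.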

