Security updates for packages?
Warren Block
wblock at wonkity.com
Sat Jan 1 16:46:21 UTC 2011
On Sun, 12 Dec 2010, Kevin Kreamer wrote:
> Having not used FreeBSD for several years, I did a fresh install yesterday
> of 8.1-RELEASE, and then used pkg_add -r to install several packages. I
> then came across portaudit, ran it, and it indicated that I had three
> vulnerable packages (git, ruby, and sudo). Looking at
> http://www.vuxml.org/freebsd/, it appears that these were reported in July,
> August, and September respectively.
You got the packages as they were at the release of 8.1 (July 23, 2010).
> Basically, I would think a freshly installed system would not have security
> vulnerabilities from months prior. Is that an erroneous assumption on my
> part, am I just misunderstanding something, or do I have something
> misconfigured?
It's done (I think) to provide a known-working set of packages. The
same effect is seen when things are installed from ports without
updating the ports tree first; it's a snapshot at that time.
You can adjust the PACKAGEROOT or PACKAGESITE variables. See
pkg_add(1). Or switch to using ports, updating the ports tree before
installing or updating applications.
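As an added illustration (not from this thread), here is the workflow the reply points at: build the PACKAGESITE URL for the -stable package branch of the installed release, pull the package from there with pkg_add -r, and re-check with portaudit. It assumes the ftp.FreeBSD.org path layout of the 8.x era (/pub/FreeBSD/ports/ARCH/packages-N-stable/Latest/) and that portaudit is installed; the package name is a placeholder.

```shell
#!/bin/sh
# Added example: point pkg_add(1) at the -stable package branch instead of
# the release-day snapshot, then audit the result with portaudit(1).
# Assumption: FreeBSD 8.x mirror layout on ftp.FreeBSD.org.

# stable_branch: "8.1-RELEASE" -> "packages-8-stable"
# Strips everything from the first non-digit, so "8-STABLE" also yields "8".
stable_branch() {
    major=${1%%[!0-9]*}
    printf 'packages-%s-stable\n' "$major"
}

# packagesite_url ARCH RELEASE: the value pkg_add(1) reads from PACKAGESITE.
# The trailing "Latest/" is required; pkg_add appends "NAME.tbz" to it.
packagesite_url() {
    printf 'ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/%s/%s/Latest/\n' \
        "$1" "$(stable_branch "$2")"
}

# Only act on a FreeBSD host; elsewhere the functions are still usable.
if [ "$(uname -s)" = FreeBSD ]; then
    PACKAGESITE=$(packagesite_url "$(uname -m)" "$(uname -r)")
    export PACKAGESITE
    echo "Using PACKAGESITE=$PACKAGESITE"

    # Placeholder package name; replace with the package portaudit flagged.
    pkg=sudo
    pkg_delete -x "$pkg"          # remove the release-snapshot version
    pkg_add -r "$pkg"             # fetch the newer one from the stable branch

    # -F fetch the current auditfile, -a audit all installed packages,
    # -d print the description of each hit. Non-zero exit means still vulnerable.
    portaudit -Fda
fi
```

Switching PACKAGESITE only changes where pkg_add fetches from; the snapshot already on disk stays vulnerable until each flagged package is actually replaced.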