Missing binary package security updates?

Janne Snabb snabb at epipe.com
Thu Apr 10 18:35:52 UTC 2014


Hi,

I recently started using the new fancy pkgng binary packages on some
machines that I maintain. I thought I could save a lot of time as I
would not need to keep compiling ports manually any more.

Unfortunately it seems that it was not such a good idea:

# date
Thu Apr 10 21:27:22 EEST 2014
# pkg audit
openssl-1.0.1_9 is vulnerable:
OpenSSL -- Multiple vulnerabilities - private data exposure
CVE: CVE-2014-0076
CVE: CVE-2014-0160
WWW: http://portaudit.FreeBSD.org/5631ae98-be9e-11e3-b5e3-c80aa9043978.html

1 problem(s) in the installed packages found.
# pkg upgrade
Updating repository catalogue
Nothing to do
#

This is on FreeBSD 8/i386.

I think I have noticed binary package updates only about once a week. Is
my observation correct? Why such an infrequent update cycle? If there is
some real reason to build package updates so rarely, would it be
possible to hasten the cycle whenever serious issues like CVE-2014-0160
are found?

Right now pkgng binary packages are not really suitable for production
use because of lacking essential security updates. (There should be a
loud and clear warning about this in the Handbook if it stays this way?)

Best Regards,
-- 
Janne Snabb
snabb at epipe.com
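An added check, not code from the original mail or from pkg itself, that automates the comparison the mail makes by hand: it parses `pkg audit` output and a `pkg upgrade -n` dry run and lists the vulnerable packages the repository cannot yet update, so an operator knows which ones to build from ports in the meantime. The line shape the dry-run regex expects is an assumption.

```python
"""Added example (not from the original mail): list vulnerable packages
that a `pkg upgrade` dry run cannot fix because no newer binary exists yet."""
import re
import subprocess

# "openssl-1.0.1_9 is vulnerable:" is the form shown in the mail.
AUDIT_RE = re.compile(r"^(?P<pkg>\S+)-[^-\s]+ is vulnerable:")
CVE_RE = re.compile(r"^CVE:\s*(CVE-\d{4}-\d+)")
# Assumed shape of a `pkg upgrade -n` line: "  openssl: 1.0.1_9 -> 1.0.1_10"
UPGRADE_RE = re.compile(r"^\s*(?:Upgrading\s+)?(?P<pkg>\S+?):\s+\S+\s+->\s+\S+")

def parse_audit(text):
    """Return {package name: [CVE ids]} from `pkg audit` output."""
    findings, current = {}, None
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if m:
            current = m.group("pkg")
            findings.setdefault(current, [])
            continue
        m = CVE_RE.match(line)
        if m and current is not None:
            findings[current].append(m.group(1))
    return findings

def parse_upgrade_plan(text):
    """Return the package names a `pkg upgrade -n` dry run would update."""
    return {m.group("pkg") for m in map(UPGRADE_RE.match, text.splitlines()) if m}

def unfixable(audit_text, upgrade_text):
    """Vulnerable packages for which the repository offers no update."""
    plan = parse_upgrade_plan(upgrade_text)
    return {p: c for p, c in parse_audit(audit_text).items() if p not in plan}

def _run(cmd):
    # pkg audit exits non-zero when it finds problems; only stdout matters here.
    return subprocess.run(cmd, capture_output=True, text=True).stdout

if __name__ == "__main__":
    still_open = unfixable(_run(["pkg", "audit"]), _run(["pkg", "upgrade", "-n"]))
    for pkg, cves in still_open.items():
        print(f"{pkg}: vulnerable, no binary update yet ({', '.join(cves)})")
```

No output means either `pkg audit` found nothing or `pkg upgrade` would fix everything it found.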
