pdflib for php
Chris Hodgins
chodgins at cis.strath.ac.uk
Thu Jan 20 06:18:19 PST 2005
Matthew Seaman wrote:
> On Thu, Jan 20, 2005 at 12:38:01PM +0000, Chris Hodgins wrote:
>
>>Thanos Tsouanas wrote:
>>
>>>On Thu, Jan 20, 2005 at 12:11:04PM +0200, Cristi Tauber wrote:
>>>
>>>
>>>>===> pdflib-6.0.1 is forbidden:
>>>>http://vuxml.freebsd.org/fc7e6a42-6012-11d9-a9e7-0001020eed82.html.
>>>>
>>>> Forbidden ? Why ? anyone ...
>>>
>>>
>>>Yes this one: just follow the link. (pretty obvious ;))
>>>
>>>If you insist in installing the port, 'un' break it manually.
>>>
>>>HTH
>>>
>>
>>Purely out of curiosity.. when a possible exploit such as this is
>>discovered in a port and a patch is provided, why is it not patched
>>immediately? I understand that when a vulnerability is discovered it is
>>important to look for similar bugs in the file and also the entire port.
>> Is this what takes the time or is it purely a maintainer finding the
>>time to update it?
>>
>>Again this is just out of curiosity and not related to this port in
>>particular.
>
>
> Yes -- it's just waiting for the maintainer to provide an update.
> Most maintainers in this situation will send-pr(1) a fix within a day
> or so. The security team will generally prod (via e-mail) any port
> maintainer when they add a VuXML entry concerning their port -- unless
> it was the port maintainer that told them about the problem in the
> first place, which does happen occasionally.
>
> PRs applying updates to ports and marked 'Security' and/or CC'd to the
> security team tend to get committed PDQ, even during the middle of a
> ports freeze.
>
> Depending on the responsiveness of the maintainer and/or the severity
> of the vulnerability and/or availability of patches a port may either
> be marked 'FORBIDDEN' or pre-emptively patched without the
> maintainer's involvement, but those are both quite rare events.
>
> You can always override the vulnerability checking by setting
> 'DISABLE_VULNERABILITIES=yes' in the environment. Often this makes
> sense to do, but only once you've read through the background material
> from the VuXML document -- eg. the vulnerability may permit privilege
> escalation for local users, which would be bad ju-ju if you were
> running a public access shell server, but no biggie if it was on your
> personal desktop box that only you would ever use.
>
> Cheers,
>
> Matthew
>
Thanks. That was very informative. :)
Chris
More information about the freebsd-questions
mailing list