portaudit is being stubborn

Randy Pratt rpratt1950 at earthlink.net
Fri May 20 07:56:44 PDT 2005


On Fri, 20 May 2005 13:43:29 +0100
Chris <chrcoluk at gmail.com> wrote:

> This annoys me as well, I expect portaudit to alert me when an update
> is available to fix an exploit, but wget has no update so what is the
> point of the warning, there also seems to be no way to shut it up.
> 
> Chris
> 
> On 5/17/05, Tony Shadwick <tshadwick at goinet.com> wrote:
> > This is driving me nuts.  I just downloaded the latest portaudit database
> > and ran it on my system:
> > 
> > mx02# portaudit -ad
> > Database created: Tue May 17 13:40:02 CDT 2005
> > Affected package: wget-1.8.2_7
> > Type of problem: wget -- multiple vulnerabilities.
> > Reference:
> > <http://www.FreeBSD.org/ports/portaudit/06f142ff-4df3-11d9-a9e7-0001020eed82.html>
> > 
> > 1 problem(s) in your installed packages found.
> > 
> > You are advised to update or deinstall the affected package(s)
> > immediately.
> > 
> > 
> > Okay....so, that vulnerability isn't of much concern to me, but just to be
> > sure I'm current:
> > 
> > mx02# portversion ftp/wget
> > wget                        =
> > 
> > So life is good there, so I go back and add this to my
> > /usr/local/etc/portaudit.conf file:
> > 
> > # Make portaudit ignore wget vulnerability (no shell users here anyway)
> > portaudit_fixed="06f142ff-4df3-11d9-a9e7-0001020eed82"
> > 
> > 
> > I then re-ran portaudit....it gives me the same output. :(  I want to have
> > this cron'ed where I only get output when something that actually concerns
> > me comes up.  Is the portaudit_fixed variable no longer supported?
> > 
> > Tony

I think the ftp/wget-devel version has addressed the security
concerns.  I switched to ftp/wget-devel and portaudit doesn't show
any problems.  I've not noticed any differences in using that version.

I had a few other ports which depended on ftp/wget so I used
portupgrade to switch the dependencies to ftp/wget-devel:

	portupgrade -o ftp/wget-devel ftp/wget

According to the portupgrade man page, all the dependencies on the
old package will be succeeded to the new package cleanly without
leaving inconsistencies.

There may be occasions when an update to a port which depended on
the old ftp/wget may cause pkgdb to complain about a stale dependency
on ftp/wget and you will need to repoint the dependency to the
ftp/wget-devel package.

If at some point the ftp/wget gets fixed, then it could be switched
back from ftp/wget-devel with portupgrade.

Randy
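
Added example, not part of either message and not portaudit's own mechanism: a small sh/awk filter for the cron use case described in the quoted post, which drops report records whose VuXML ID is on a locally accepted list and prints only what remains. The function names, the ACCEPTED variable and the second sample record are constructed for illustration.

```sh
#!/bin/sh
# Added example: filter portaudit report text by locally accepted VuXML IDs.
# ACCEPTED is a hypothetical, site-maintained list; each entry should have a
# recorded reason and be reviewed periodically.
ACCEPTED="06f142ff-4df3-11d9-a9e7-0001020eed82"

# filter_portaudit ID... : reads a portaudit report on stdin, prints the
# records whose VuXML ID is not listed, and returns 1 if any record remains.
filter_portaudit() {
    awk -v ignore="$*" '
    function flush() {
        if (rec != "" && !(id in skip)) { printf "%s\n\n", rec; left++ }
        rec = ""; id = ""
    }
    BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    /^Affected package:/ { flush(); rec = $0; next }
    rec != "" && /^[ \t]*$/ { flush(); next }   # blank line ends a record
    rec != "" {
        rec = rec "\n" $0
        # The VuXML ID is the file name in the reference URL; the URL may sit
        # on the Reference: line or be wrapped onto the next one.
        if (match($0, /portaudit\/[0-9a-f-]+\.html/))
            id = substr($0, RSTART + 10, RLENGTH - 15)
        next
    }
    END { flush(); exit (left > 0) }
    '
}

# Constructed sample input: the first record is the one quoted in the thread,
# the second is a placeholder entry made up for this example.
sample_report() {
    cat <<'EOF'
Database created: Tue May 17 13:40:02 CDT 2005
Affected package: wget-1.8.2_7
Type of problem: wget -- multiple vulnerabilities.
Reference:
<http://www.FreeBSD.org/ports/portaudit/06f142ff-4df3-11d9-a9e7-0001020eed82.html>

Affected package: examplepkg-1.0
Type of problem: examplepkg -- constructed placeholder entry.
Reference: <http://www.FreeBSD.org/ports/portaudit/00000000-0000-0000-0000-000000000000.html>

2 problem(s) in your installed packages found.
EOF
}

# From cron this would be: portaudit -a | filter_portaudit $ACCEPTED
sample_report | filter_portaudit $ACCEPTED || true
```

A record with no recognizable reference URL is never suppressed, so an unexpected report format results in more mail rather than silence.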
