portaudit question.....

Alex Zbyslaw xfb52 at dial.pipex.com
Thu Sep 29 02:55:45 PDT 2005


Wright Jim Contractor 14MDSS/SGSI wrote:

>I guess my question is this.
>
>How do I use the FreeBSD tools, Ports/Packages, etc, to install this latest
>version??
>
>Or am I missing the concept altogether ?
>
>( I understand the process of downloading this latest version and installing
>it manually. Just trying to understand and use the FreeBSD tools )
IMHO, the messages from portaudit are misleadingly worded.  Portaudit is 
correct that some of the software you installed has *some kind* of 
security vulnerability.  But everything else it says is potentially 
misleading.

1) There may be no upgrade available yet.  For there to be an upgrade 
the original code has to be fixed; in your example by the Mozilla team.  
Then, whoever is maintaining the port has to go through the work of 
fixing the new code to work on FreeBSD.  For a few simple bug fixes, 
that may not be too hard, but it still has to be done. How long all this 
takes will vary from port to port.  Mozilla is generally quite quick, 
from my experience, but xloadimage hung around for ages, not long ago.

2) The advice that you should either upgrade or de-install is 
unnecessarily authoritarian and frightening.  De-installing may not be 
an option, and the actual bug may have zero effect on your environment.  
And the presence of a bug does not indicate the presence of an exploit.  
If you are worried about a particular package then follow up the links 
portaudit provides and make up your mind what to do.


However, the fact that you have so many packages reporting problems 
says that either you are doing something wrong or not checking often enough.

1) cvsup your ports tree
2) either make fetchindex in /usr/ports and run portsdb -u, or run 
portsdb -Uu (slower but more accurate)
3) run pkg_version -L= to see what needs upgrading
4) use portupgrade to upgrade on a schedule that suits.  That might be 
daily or monthly depending on your environment.  Remember to read 
/usr/ports/UPDATING *before* doing any upgrades.


All of that except the upgrading can be automated safely to run at 3am, 
or any other quiet time you might have.
--Alex
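The quiet-hours check described in the reply (steps 1 to 3, followed by a portaudit run, with upgrading left to a human), as an added example script that is not from the original post. The supfile path and the parsing of pkg_version's two-column output are assumptions, and the nightly function only does anything on a FreeBSD host with these tools installed.

```shell
#!/bin/sh
# Nightly ports-tree refresh and audit; safe to run from cron at 3am.
# Upgrading is deliberately not automated: read /usr/ports/UPDATING first.

# Classify pkg_version -L= output, which (assumed) arrives as two columns:
#   <pkgname>  <sign>   where '<' = installed is older than the ports tree,
#                              '>' = installed is newer than the ports tree,
#                              '?' = no matching port found in INDEX.
# Lines marked '=' are already filtered out by -L= and are ignored here.
classify_pkg_version() {
    awk '$2 == "<" { print "UPGRADE", $1; next }
         $2 == ">" { print "NEWER-THAN-PORTS", $1; next }
         $2 == "?" { print "NOT-IN-INDEX", $1 }'
}

# Steps 1-3 from the reply plus a vulnerability audit of everything installed.
# ASSUMPTION: /root/ports-supfile is a placeholder for your own cvsup supfile.
nightly_ports_check() {
    cvsup -g -L 2 /root/ports-supfile || return 1   # 1) refresh the ports tree
    (cd /usr/ports && make fetchindex) || return 1  # 2) fetch a current INDEX ...
    portsdb -u || return 1                          #    ... and rebuild INDEX.db
    pkg_version -L= | classify_pkg_version          # 3) report what is out of date
    portaudit -Fda                                  # fetch vuln db, audit all packages
}

# Run the check only when explicitly asked, so sourcing this file is harmless.
case "${1:-}" in
    run) nightly_ports_check ;;
esac
```

Schedule it with a crontab line such as `0 3 * * * /usr/local/sbin/ports-check.sh run` and mail yourself the output; the UPGRADE lines are the packages to look at in the morning.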



More information about the freebsd-questions mailing list