ports freeze and portaudit alerts

Jon Noack noackjr at alumni.rice.edu
Sun Oct 10 14:20:31 PDT 2004

On 10/10/04 15:43, Dick Davies wrote:
> I've recently returned to FreeBSD from a tour around various other free
> OSes - last time I used it seriously was around 4.7, I think, and 5.3 seems
> to be light years ahead functionality wise. So first off, congratulations.

Glad to have you back ;-).

> But I'm a little alarmed by the pre 5.3 release ports freeze - portaudit has
> flagged an awful lot of packages as having holes and refused to install them.
> Off the top of my head : mozilla, cups (and therefore most of kde) and
firefox/bird.  Shouldn't serious bugs (like the JPEG vuln
in firefox for example) override the freeze?

The Mozilla/Firefox ports have been updated with patches to resolve the 
security issues.  See the latest commits for more info:

It seems the real issue for Mozilla/Firefox is that the VuXML document 
was not updated to reflect the patches being applied to the older 
versions (see http://www.vuxml.org/freebsd/index.html).  Usually the 
versioning for the VuXML document is done with the assumption that 
issues will be resolved by updating to the latest version available from 
the vendor.  Under a ports freeze this assumption is not correct.  I've 
CC'ed nectar@ for this reason.  Once this document is updated then 
portaudit will no longer flag them.

The CUPS port still has not been updated to resolve its "print queue 
browser denial-of-service" issue.  However, there is a PR from the 
maintainer to update to the latest, "safe" version:

> I just wondered if there is a policy to not upgrade ports under any
> circumstances, or if this is just an oversight? I can imagine this would make
> me very twitchy if I was running production boxes during a freeze....
> or have I missed something, and this doesn't affect 4.* users?

Updates for security issues generally happen very promptly during ports 
freezes.  I think these cases are just oversight, either in the 
reporting of updates (Mozilla/Firefox) or the actual updating itself (CUPS).

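The VuXML point above (a package patched in place under a freeze keeps its old version number, so an entry written as "everything below the vendor's fixed release is vulnerable" keeps matching it until the entry is narrowed) is easy to see by replaying portaudit's version-range check. The script below is an added example, not code from the original post, from portaudit or from the FreeBSD VuXML tooling; its version comparison is a simplified approximation of pkg_version(1) (epoch, dotted components, PORTREVISION; pre-release markers such as "1.0.p1" are not modelled), and the VuXML entries, package names and version numbers in it are constructed for illustration.

```python
"""Replay portaudit's 'is this installed package affected?' decision.

Added example (not FreeBSD's portaudit/VuXML code): the version rules are
a simplified approximation of pkg_version(1), and every vuln id, package
name and version below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed entry as it might read before a freeze-time patch is recorded:
# every version below 0.10.2 (the hypothetical vendor fix) is vulnerable.
FROZEN_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="example-0001">
    <topic>firefox -- constructed example entry</topic>
    <affects>
      <package>
        <name>firefox</name>
        <name>firefox-gtk1</name>
        <range><lt>0.10.2</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""

# Same entry after the document is updated to say that the port patched in
# place (PORTREVISION bumped, so 0.10.1_1) is no longer affected.
CORRECTED_VUXML = FROZEN_VUXML.replace("<lt>0.10.2</lt>", "<lt>0.10.1_1</lt>")


def parse_version(ver):
    """Turn 'version[_revision][,epoch]' into a comparable tuple.

    Epoch dominates, then dotted components (digit runs compare numerically,
    letter runs sort below digits), then PORTREVISION.  Approximation only.
    """
    epoch = 0
    if "," in ver:
        ver, e = ver.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in ver:
        ver, r = ver.split("_", 1)
        revision = int(r)
    components = [(1, int(t)) if t.isdigit() else (0, t)
                  for t in re.findall(r"\d+|[A-Za-z]+", ver)]
    return (epoch, components, revision)


def compare_versions(a, b):
    """Negative, zero or positive, like pkg_version's -1/0/1 (approximate)."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


_OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
        "ge": lambda c: c >= 0, "gt": lambda c: c > 0}


def parse_vuxml(text):
    """Yield (vid, topic, [names], [[(op, version), ...], ...]) per <package>."""
    root = ET.fromstring(text)
    for vuln in root.iter(VUXML_NS + "vuln"):
        topic = vuln.findtext(VUXML_NS + "topic", default="")
        for pkg in vuln.iter(VUXML_NS + "package"):
            names = [n.text.strip() for n in pkg.findall(VUXML_NS + "name")]
            ranges = [[(b.tag[len(VUXML_NS):], b.text.strip()) for b in rng]
                      for rng in pkg.findall(VUXML_NS + "range")]
            yield vuln.get("vid"), topic, names, ranges


def split_pkgname(pkgname):
    """'cups-base-1.1.21' -> ('cups-base', '1.1.21'): version follows the last dash."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def version_in_range(version, bounds):
    """All bounds inside one <range> must hold (an empty range matches everything)."""
    return all(_OPS[op](compare_versions(version, limit)) for op, limit in bounds)


def affected_vids(pkgname, vuxml_text):
    """VuXML ids that would make portaudit refuse this installed package."""
    name, version = split_pkgname(pkgname)
    hits = []
    for vid, _topic, names, ranges in parse_vuxml(vuxml_text):
        if name in names and vid not in hits \
                and any(version_in_range(version, r) for r in ranges):
            hits.append(vid)
    return hits


if __name__ == "__main__":
    for pkg in ("firefox-0.10.1", "firefox-0.10.1_1", "firefox-0.10.2", "cups-base-1.1.21"):
        print(f"{pkg:18} frozen: {affected_vids(pkg, FROZEN_VUXML) or 'clean'}"
              f"   corrected: {affected_vids(pkg, CORRECTED_VUXML) or 'clean'}")
```

Run stand-alone it shows the situation described in the message: firefox-0.10.1_1 (patched in place, revision bumped) is still flagged by the frozen entry and only stops being flagged once the range's upper bound is lowered to the patched version, while the unpatched firefox-0.10.1 is flagged by both. Narrowing the bound is the only change needed; the port itself is already fixed.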
