ports freeze and portaudit alerts
Jon Noack
noackjr at alumni.rice.edu
Sun Oct 10 14:20:31 PDT 2004
On 10/10/04 15:43, Dick Davies wrote:
> I've recently returned to FreeBSD from a tour around various other free
> OSes - last time I used it seriously was around 4.7, I think, and 5.3 seems
> to be light years ahead functionality wise. So first off, congratulations.
Glad to have you back ;-).
> But I'm a little alarmed by the pre 5.3 release ports freeze - portaudit has
> flagged an awful lot of packages as having holes and refused to install them.
>
> Off the top of my head : mozilla, cups (and therefore most of kde) and
> firefox/bird. Shouldn't serious bugs (like the JPEG vuln
> in firefox for example) override the freeze?
The Mozilla/Firefox ports have been updated with patches to resolve the
security issues. See the latest commits for more info:
http://www.freshports.org/www/mozilla
http://www.freshports.org/www/firefox
It seems the real issue for Mozilla/Firefox is that the VuXML document
was not updated to reflect the patches being applied to the older
versions (see http://www.vuxml.org/freebsd/index.html). Usually the
versioning for the VuXML document is done with the assumption that
issues will be resolved by updating to the latest version available from
the vendor. Under a ports freeze this assumption is not correct. I've
CC'ed nectar@ for this reason. Once this document is updated then
portaudit will no longer flag them.
The CUPS port still has not been updated to resolve its "print queue
browser denial-of-service" issue. However, there is a PR from the
maintainer to update to the latest, "safe" version:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/71811
> I just wondered if there is a policy to not upgrade ports under any
> circumstances, or if this is just an oversight? I can imagine this would make
> me very twitchy if I was running production boxes during a freeze....
> or have I missed something, and this doesn't affect 4.* users?
Updates for security issues generally happen very promptly during ports
freezes. I think these cases are just oversight, either in the
reporting of updates (Mozilla/Firefox) or the actual updating itself (CUPS).
Jon
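An added illustration of the VuXML versioning point above (not code from the post, the ports tree or portaudit itself): a VuXML range written as "fixed in the next upstream version" keeps matching a port that was patched in place with a PORTREVISION bump, until the range is narrowed. Package names, versions and entry ids are constructed, and the version comparison is a simplified model of pkg_version(1).

```python
"""Why portaudit keeps flagging a port patched during a ports freeze.
VuXML ranges assume the fix ships as a new upstream version, so a
PORTREVISION bump on the old version still falls inside "<lt>next</lt>"
until the VuXML document is corrected. All data below is constructed."""
import re

def parse_version(v):
    """Split 'ver[_rev][,epoch]' into (epoch, components, revision).
    Simplified model of pkg_version(1): digits compare numerically,
    letters alphabetically, and epoch outranks everything else."""
    epoch = rev = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    comps = []
    for part in v.split("."):
        for tok in re.findall(r"\d+|[A-Za-z]+", part):
            comps.append((1, int(tok)) if tok.isdigit() else (0, tok))
    return epoch, comps, rev

def cmp_versions(a, b):
    """Return -1, 0 or 1 like a classic comparator."""
    ta, tb = parse_version(a), parse_version(b)
    return (ta > tb) - (ta < tb)

# VuXML range operators: every bound inside one <range> must hold.
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def in_range(installed, bounds):
    return all(OPS[op](cmp_versions(installed, ver)) for op, ver in bounds)

def audit(installed_pkgs, entries):
    """portaudit-style check: flag (pkg-version, vuln id) for every match."""
    flagged = []
    for name, ver in installed_pkgs:
        for vid, pkgname, ranges in entries:
            if pkgname == name and any(in_range(ver, b) for b in ranges):
                flagged.append((name + "-" + ver, vid))
    return flagged

# Constructed sample: firefox patched in place (revision _1), cups untouched.
INSTALLED = [("firefox", "0.10.1_1"), ("cups-base", "1.1.20.0_1")]
# Stale entry: "fixed in 0.10.2" still covers the patched 0.10.1_1.
STALE = [("constructed-id-1", "firefox", [[("lt", "0.10.2")]])]
# Corrected entry: the patched revision is excluded, so the alert clears.
FIXED = [("constructed-id-1", "firefox", [[("lt", "0.10.1_1")]])]
```

Running `audit(INSTALLED, STALE)` flags firefox-0.10.1_1 while `audit(INSTALLED, FIXED)` returns nothing, which is exactly the difference an updated VuXML document makes for portaudit.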