ports freeze and portaudit alerts

Jacques Vidrine nectar at FreeBSD.org
Mon Oct 11 09:27:16 PDT 2004

On Oct 10, 2004, at 4:20 PM, Jon Noack wrote:
> On 10/10/04 15:43, Dick Davies wrote:
>> But I'm a little alarmed by the pre 5.3 release ports freeze - 
>> portaudit has
>> flagged an awful lot of packages as having holes and refused to 
>> install them.
>> Off the top of my head : mozilla, cups (and therefore most of kde) and
>> firefox/bird.  Shouldn't serious bugs (like the JPEG vuln
>> in firefox for example) to override the freeze?
> The Mozilla/Firefox ports have been updated with patches to resolve 
> the security issues.  See the latest commits for more info:
> http://www.freshports.org/www/mozilla
> http://www.freshports.org/www/firefox
> It seems the real issue for Mozilla/Firefox is that the VuXML document 
> was not updated to reflect the patches being applied to the older 
> versions (see http://www.vuxml.org/freebsd/index.html).  Usually the 
> versioning for the VuXML document is done with the assumption that 
> issues will be resolved by updating to the latest version available 
> from the vendor.  Under a ports freeze this assumption is not correct. 
>  I've CC'ed nectar@ for this reason.  Once this document is updated 
> then portaudit will no longer flag them.

I'm afraid your assumption is not correct, Jon.  Some of the Mozilla 
etc vulnerabilities described in the VuXML document have been fixed by 
back-porting the fixes, but not all of them.  The contents of the VuXML 
document are correct in this case, AFAIK.

I supplied the fixes for the most critical issues, and those were 
applied by Joe.  I'm afraid I did not/do not have time to back port and 
test the scripting fixes as well.  It was my recommendation that the 
ports be upgraded to the latest release before 5.3, but Joe reports 
that the latest release of Mozilla etc causes build problems in other 
dependent ports.  (This is why I went through the trouble of 
back-porting the most critical fixes.)

Jacques A Vidrine / NTT/Verio
nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org

More information about the freebsd-current mailing list