ports freeze and portaudit alerts
nectar at FreeBSD.org
Mon Oct 11 09:27:16 PDT 2004
On Oct 10, 2004, at 4:20 PM, Jon Noack wrote:
> On 10/10/04 15:43, Dick Davies wrote:
>> But I'm a little alarmed by the pre 5.3 release ports freeze -
>> portaudit has flagged an awful lot of packages as having holes and
>> refused to install them.
>> Off the top of my head: mozilla, cups (and therefore most of kde) and
>> firefox/bird. Shouldn't serious bugs (like the JPEG vuln
>> in firefox for example) override the freeze?
> The Mozilla/Firefox ports have been updated with patches to resolve
> the security issues. See the latest commits for more info:
> It seems the real issue for Mozilla/Firefox is that the VuXML document
> was not updated to reflect the patches being applied to the older
> versions (see http://www.vuxml.org/freebsd/index.html). Usually the
> versioning for the VuXML document is done with the assumption that
> issues will be resolved by updating to the latest version available
> from the vendor. Under a ports freeze this assumption is not correct.
> I've CC'ed nectar@ for this reason. Once this document is updated
> then portaudit will no longer flag them.
I'm afraid your assumption is not correct, Jon. Some of the Mozilla
etc. vulnerabilities described in the VuXML document have been fixed by
back-porting the fixes, but not all of them. The contents of the VuXML
document are correct in this case, AFAIK.
I supplied the fixes for the most critical issues, and those were
applied by Joe. I'm afraid I did not/do not have time to back-port and
test the scripting fixes as well. It was my recommendation that the
ports be upgraded to the latest release before 5.3, but Joe reports
that the latest release of Mozilla etc. causes build problems in other
dependent ports. (This is why I went through the trouble of
back-porting the most critical fixes.)
Jacques A Vidrine / NTT/Verio
nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org
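The disagreement above comes down to how VuXML entries are matched: each entry names a package and a version range, and portaudit flags an installed package whose version falls inside that range. A fix that is back-ported without changing the version the range sees therefore stays flagged until the entry's bound is moved; an issue that was not back-ported correctly stays flagged. The following is an added illustration, not FreeBSD's portaudit code or the real VuXML document. It assumes a simplified VuXML layout (no namespace, numeric-only dotted versions), constructed entry ids and version numbers, and the convention that a back-ported fix bumps PORTREVISION (the `_1` suffix) and the entry's `<lt>` bound is moved to that revision.

```python
"""Simplified VuXML-style range check (added example, not FreeBSD's portaudit)."""
import xml.etree.ElementTree as ET

# Constructed sample: a VuXML-like fragment with placeholder ids and
# made-up versions. Entry A had its bound moved to the back-ported
# revision 1.7.3_1; entry B is only fixed in the next upstream release.
SAMPLE_VUXML = """<vuxml>
  <vuln vid="constructed-vid-A">
    <topic>mozilla -- example issue fixed by a back-ported patch</topic>
    <affects>
      <package>
        <name>mozilla</name>
        <range><lt>1.7.3_1</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="constructed-vid-B">
    <topic>mozilla -- example issue only fixed in the next upstream release</topic>
    <affects>
      <package>
        <name>mozilla</name>
        <range><ge>1.0</ge><lt>1.7.5</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>"""


def parse_version(v):
    """Split a FreeBSD-style package version into (epoch, dotted parts, revision).

    Simplification (assumption): only numeric dotted components are handled,
    with an optional PORTREVISION suffix "_N" and PORTEPOCH suffix ",N".
    Tuple ordering then gives the comparison used below.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = tuple(int(p) for p in v.split("."))
    return (epoch, parts, rev)


# Bound tags a <range> may contain, mapped to the comparison they express.
_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
}


def range_matches(rng, installed):
    """True when the installed version satisfies every bound in one <range>."""
    return all(_OPS[b.tag](installed, parse_version(b.text.strip())) for b in rng)


def affected(vuxml_text, pkgname, version):
    """Return the vids of every entry whose ranges cover pkgname-version."""
    installed = parse_version(version)
    hits = []
    for vuln in ET.fromstring(vuxml_text).iter("vuln"):
        for pkg in vuln.iter("package"):
            if pkg.findtext("name") != pkgname:
                continue
            if any(range_matches(r, installed) for r in pkg.iter("range")):
                hits.append(vuln.get("vid"))
                break
    return hits


if __name__ == "__main__":
    # 1.7.3 is hit by both entries; 1.7.3_1 (back-port applied, bound moved)
    # is still hit by B; 1.7.5 clears both.
    for v in ("1.7.3", "1.7.3_1", "1.7.5"):
        print(f"mozilla-{v}: {affected(SAMPLE_VUXML, 'mozilla', v)}")
```

The middle case is the one the thread describes: even with the critical fix back-ported and the document updated for it, the package is still flagged as long as any other entry's range covers it, which is why the VuXML document can be correct and portaudit still refuse to install the port.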