Security updates for packages?

Matthias Andree matthias.andree at gmx.de
Mon Dec 13 01:41:23 UTC 2010


Am 12.12.2010 21:28, schrieb Kevin Kreamer:
> Hi,
> 
> Having not used FreeBSD for several years, I did a fresh install yesterday
> of 8.1-RELEASE, and then used pkg_add -r to install several packages.  I
> then came across portaudit, ran it, and it indicated that I had three
> vulnerable packages (git, ruby, and sudo). Looking at
> http://www.vuxml.org/freebsd/, it appears that these were reported in July,
> August, and September respectively.
> 
> Basically, I would think a freshly installed system would not have security
> vulnerabilities from months prior.  Is that an erroneous assumption on my
> part, am I just misunderstanding something, or do I have something
> misconfigured?  Do only ports get security updates, and not packages? Or is
> this related to the fact that I picked RELEASE, versus CURRENT or STABLE?

I'd advise to use portsnap to get an up to date ports tree (if you haven't used
it, run "portsnap fetch extract" for the first time, and every time you feel
like updating, you run "portsnap fetch update").

I'd also advise to install portmaster and upgrade your vulnerable ports with
that, i.e.:

portsnap fetch update      # or "portsnap fetch extract" if you're bootstrapping
cd /usr/ports/ports-mgmt/portmaster
make install clean         # as root or toor or under sudo
less /usr/ports/UPDATING   # check for entries relevant to the ports you're upgrading
portmaster sudo git ruby   # rebuild the vulnerable ports and their dependencies

That's it. For details, see the portsnap and portmaster manuals.

HTH

-- 
Matthias Andree


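The script below is an added example and is not part of Matthias's reply or of the portaudit/portmaster tools. It automates the step between "portaudit says these packages are vulnerable" and "portmaster sudo git ruby": it pulls the package names out of a portaudit report, strips the version suffix, and builds the portmaster argument list. It assumes that portaudit -a prints one "Affected package: name-version" line per finding; the report embedded in the script is constructed for the example, not real portaudit output.

```shell
#!/bin/sh
# Added example (not from the original post): turn a portaudit report into
# the argument list for "portmaster ...".
#
# Assumption: portaudit -a reports each finding on a line of the form
#   Affected package: <pkgname>-<version>
# followed by a summary line. The sample below is constructed.

SAMPLE_PORTAUDIT_OUTPUT='Affected package: sudo-1.7.2_5
Type of problem: sudo -- (constructed sample entry).
Affected package: git-1.7.0.4
Type of problem: git -- (constructed sample entry).
Affected package: ruby-1.8.7.302,1
Type of problem: ruby -- (constructed sample entry).
3 problem(s) in your installed packages found.'

# Strip the version from a FreeBSD package name. The version is everything
# after the last '-' that is followed by a digit, so multi-part names keep
# their hyphens:
#   sudo-1.7.2_5           -> sudo
#   ruby-1.8.7.302,1       -> ruby
#   py26-setuptools-0.6c11 -> py26-setuptools
pkg_base() {
    printf '%s\n' "$1" | sed -E 's/-[0-9][^-]*$//'
}

# Read a portaudit report on stdin and print the affected package bases,
# de-duplicated, sorted, space-separated on one line (e.g. "git ruby sudo").
affected_bases() {
    awk '/^Affected package: / { print $3 }' \
    | while IFS= read -r pkg; do pkg_base "$pkg"; done \
    | sort -u \
    | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $0 } END { print "" }'
}

# Build the portmaster command line for a report passed as the first argument.
# Only prints the command; review it (and /usr/ports/UPDATING) before running.
portmaster_cmdline() {
    bases=$(printf '%s\n' "$1" | affected_bases)
    if [ -z "$bases" ]; then
        echo "# no vulnerable packages reported"
    else
        echo "portmaster $bases"
    fi
}

# Demo on the constructed sample. On a real system you would run
#   portmaster_cmdline "$(portaudit -a)"
portmaster_cmdline "$SAMPLE_PORTAUDIT_OUTPUT"
```

The script deliberately prints the portmaster command instead of executing it: portmaster rebuilds the listed ports and their dependencies, so you want to read the relevant /usr/ports/UPDATING entries first, as the reply says, and then paste the line in as root.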