Opera vulnerability, marked forbidden instead of update?

Matthew Seaman matthew at freebsd.org
Fri Nov 23 09:01:11 UTC 2012


On 23/11/2012 08:26, Matthieu Volat wrote:
> I've noticed that www/opera was marked FORBIDDEN because of a security hole:
> http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
> 
> The Opera Software company advisory indeed marks this bug as high severity, and mentions that there is an update to fix it.
> 
> I am not familiar with the security process in ports, but would it not be better to update the version? Marking it FORBIDDEN does not do much for the userbase that already has it installed.
> 
> I've bumped the versions in the Makefile
> OPERA_VER?=     12.11
> OPERA_BUILD?=   1661
> and made a `make makesum reinstall`, there was no apparent problem.

Marking a port 'FORBIDDEN' is a quick response measure that can be done
without having to worry about time-consuming testing of the port and so
forth.  It's an interim measure taken to ensure that users do not
unwittingly install software with known vulnerabilities.

Yes, updating the port to a non-vulnerable version is the ideal
response, but that may not be possible to do straight away.  You've
sketched out the first couple of steps a port maintainer would take, but
that 'there was no apparent problem' statement would need to be backed
up by some more rigorous testing before a maintainer would feel
confident in committing the update.

	Cheers,

	Matthew
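As an added example, not from this thread or the FreeBSD project: a small POSIX shell check, run over a constructed ports tree, that reports already-installed ports whose Makefile now carries a FORBIDDEN marker, since FORBIDDEN only stops new installations and says nothing to users who already have the software. `port_var` and `report_forbidden` are hypothetical helper names; on a real system the origin list would come from `pkg query %o`, and the Makefile contents and reason text below are constructed.

```shell
#!/bin/sh
# Constructed example: find installed ports whose Makefile in the ports
# tree now carries a FORBIDDEN marker, so admins learn about software
# that is already installed (FORBIDDEN only blocks new installs).

# Read the value of a Makefile variable (first definition wins).
# Handles "VAR=", "VAR?=" and "VAR+=" forms; whitespace after "=" is dropped.
port_var() {
    # $1 = Makefile path, $2 = variable name
    sed -n "s/^$2[[:space:]]*[?+]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print "origin: reason" for every installed origin whose port is FORBIDDEN.
# $1 = ports tree root, remaining args = installed port origins (category/name).
report_forbidden() {
    tree=$1; shift
    for origin in "$@"; do
        mk="$tree/$origin/Makefile"
        [ -f "$mk" ] || continue
        reason=$(port_var "$mk" FORBIDDEN)
        [ -n "$reason" ] && printf '%s: %s\n' "$origin" "$reason"
    done
    return 0
}

# --- constructed ports tree for demonstration (not the real tree) ---
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/www/opera" "$demo_tree/editors/vim"
cat > "$demo_tree/www/opera/Makefile" <<'EOF'
PORTNAME=       opera
OPERA_VER?=     12.10
OPERA_BUILD?=   1652
FORBIDDEN=      Security vulnerability, see vendor advisory (constructed reason)
EOF
cat > "$demo_tree/editors/vim/Makefile" <<'EOF'
PORTNAME=       vim
PORTVERSION=    7.3
EOF

# Usage: origins would normally come from `pkg query %o` on the host.
report_forbidden "$demo_tree" www/opera editors/vim
```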

