Opera vulnerability, marked forbidden instead of update?
Matthieu Volat
mazhe at alkumuna.eu
Fri Nov 23 13:37:44 UTC 2012
On Fri, 23 Nov 2012 09:00:59 +0000
Matthew Seaman <matthew at freebsd.org> wrote:
> On 23/11/2012 08:26, Matthieu Volat wrote:
> > I've noticed that www/opera was marked FORBIDDEN because of a security hole:
> > http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
> >
> > The opera software compagny advisory indeed mark this bug as high severity, and mention that there is an update to fix it.
> >
> > I am not familiar with the security process in ports, but would not it be better to update the version? Marking it FORBIDDEN do not do much for the userbase that does already have it installed.
> >
> > I've bumped the versions in the Makefile
> > OPERA_VER?= 12.11
> > OPERA_BUILD?= 1661
> > and made a `make makesum reinstall`, there was no apparent problem.
>
> Marking a port 'FORBIDDEN' is a quick response measure that can be done
> without having to worry about time consuming testing the of port and so
> forth. It's an interim measure taken to ensure that users do not
> unwittingly install software with known vulnerabilities.
>
> Yes, updating the port to a non-vulnerable version is the ideal
> response, but that may not be possible to do straight away. You've
> sketched out the first couple of steps a port maintainer would take, but
> that 'there was no apparent problem' statement would need to be backed
> up by some more rigorous testing before a maintainer would feel
> confident in committing the update.
>
> Cheers,
>
> Matthew
> _______________________________________________
> freebsd-ports at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe at freebsd.org"
Hello and thanks for the explanation,
Cheers,
--
Matthieu Volat <mazhe at alkumuna.eu>
More information about the freebsd-ports
mailing list