Opera vulnerability, marked forbidden instead of update?
freebsd at byshenk.net
Sat Nov 24 23:13:31 UTC 2012
On Fri, 23 Nov 2012 09:00:59 +0000 Matthew Seaman <matthew at freebsd.org> wrote:
> On 23/11/2012 08:26, Matthieu Volat wrote:
> > I've noticed that www/opera was marked FORBIDDEN because of a security hole:
> > http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
> > The opera software compagny advisory indeed mark this bug as high severity,
> > and mention that there is an update to fix it.
> > I am not familiar with the security process in ports, but would not it be
> > better to update the version? Marking it FORBIDDEN do not do much for the
> > userbase that does already have it installed.
> > I've bumped the versions in the Makefile
> > OPERA_VER?= 12.11
> > OPERA_BUILD?= 1661
> > and made a `make makesum reinstall`, there was no apparent problem.
> Marking a port 'FORBIDDEN' is a quick response measure that can be done
> without having to worry about time consuming testing the of port and so
> forth. It's an interim measure taken to ensure that users do not
> unwittingly install software with known vulnerabilities.
> Yes, updating the port to a non-vulnerable version is the ideal
> response, but that may not be possible to do straight away. You've
> sketched out the first couple of steps a port maintainer would take, but
> that 'there was no apparent problem' statement would need to be backed
> up by some more rigorous testing before a maintainer would feel
> confident in committing the update.
Just a comment that, for any USERS who would like to take a
chance with updating their Opera (rather than taking a chance
running the vulnerable version), just modifying the Makefile
as described above works to provide the update.
I've updated www/opera and www/opera-linuxplugins, and my new
Opera is running fine:
System amd64, 8.3-STABLE
greg byshenk - gbyshenk at byshenk.net - Leiden, NL - Portland, OR USA
More information about the freebsd-ports