Keeping VuXML DB updated

Kurt Jaeger lists at
Sat May 6 09:32:15 UTC 2017


> Due to a vulnerability issue earlier with a port, I received some kind 
> emails of using the command below to update the VuXML DB (which is not a 
> part of the ports tree).
> I did so on my server and got the following output:
> --- cut ---
>  > pkg audit -F
> vulnxml file up-to-date
> tiff-4.0.7_1 is vulnerable:
> tiff -- multiple vulnerabilities
> CVE: CVE-2017-7602

> What is the next procedure to follow; should I inform the port 
> maintainer of the reported port

portmgr knows about this, but there's no solution right now.

> ((ports are a user group effort) ) or 
> should I update this port with "DISABLE_VULNERABILITIES=yes" ?

There are ports that depend on tiff, and maybe you are using one
of them. If you do not need those other ports, remove tiff.

Otherwise: this (DISABLE_VULNERABILITIES) is, while not perfect,
the next step.

pi at            +49 171 3101372                         3 years to go !

More information about the freebsd-ports mailing list