Vulnerability check disabled

Ion-Mihai Tetcu itetcu at apropo.ro
Wed Feb 4 11:24:41 PST 2004 

On Wed, 04 Feb 2004 13:25:44 -0500
Joe Marcus Clarke <marcus at marcuscom.com> wrote:

> On Wed, 2004-02-04 at 13:17, Ion-Mihai Tetcu wrote:
> > On Wed, 4 Feb 2004 19:31:27 +1100
> > Gautam Gopalakrishnan <ggop at myrealbox.com> wrote:
> > 
> > > Hello,
> > > 
> > > Hope I'm not missing something obvious, but since today morning, I've
> > > been getting wierd warnings when running make in the ports:
> > > 
> > > [madras!/usr/ports/www/apache13]# make fetch-recursive
> > > ===> Fetching all distfiles for apache-1.3.29_1 and dependencies
> > > ===>  Vulnerability check disabled
> > > ===>  Vulnerability check disabled
> > > ===>  Vulnerability check disabled
> > > ===>  Vulnerability check disabled
> > > [madras!/usr/ports/www/apache13]# cd ../mod_php4
> > > [madras!/usr/ports/www/mod_php4]# make fetch
> > > ===>  Vulnerability check disabled
> > > [madras!/usr/ports/www/mod_php4]# 
> > > 
> > > Happened in www/zope as well.
> > 
> > What about reading 
> > /usr/ports/CHANGES ?
> 
> Yep, that will talk about it.

I hope did get a sleep since freezing the ports ;) ?
 
> > From: Joe Marcus Clarke <marcus at FreeBSD.org>
> > To: ports at FreeBSD.org, questions at FreeBSD.org, current at FreeBSD.org
> > Subject: HEADS UP: MAJOR changes to the ports system
> > thread on ports ?
> 
> This thread doesn't cover the vulnerability change.  Basically, we now
> have the ability to keep a dynamic database of ports vulnerabilities
> which the ports system can check.  If you do not have the database
> installed, you'll get the benign Vulnerability check disabled message.

>>> Type: FEATURE

 Title: Do not install ports with security vulnerabilities

 Affects: bsd.port.mk

 Description: A new vulnerabilities database has been added to the
 ports system in order to keep more accurate, up-to-date, track of
 security vulnerabilities.  The ports system now knows how to query
 that database and dynamically prevents the installation of vulnerable
 ports.

 PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=62039

>>> Submitted by: eik

Now, maybe this could be clarified a little bit in CHANGES ?

Like:
__

For using the new security feature of ports infrastructure, you should:
cd /usr/ports/security/portaudit; make install
/usr/local/etc/periodic/daily/330.fetchaudit

To test:
cd /usr/ports/security/vulnerability-test-port
make INSTALLATION_DATE=`date -u -v-14d "+%Y.%m.%d"` install

A message like this should appear:
 ===>  vulnerability-test-port-2004.01.14 has known vulnerabilities:
 >> Not vulnerable, just a test port (database: 2004-01-28).
    Reference: <http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vulnerability-test-port/>
 >> Please update your ports tree and try again.
 *** Error code 1

If you don't install this port, for the majority of make's targtets you
will get the following message:
===>  Vulnerability check disabled
__


IMHO, as this is a log desired feature, a news on annouce@ / security /
security-notifications could be send.

Now, what is the status of the vulnerabilities database ?

-- 
IOnut
Unregistered ;) FreeBSD user

More information about the freebsd-questions mailing list