portsdb output and portaudit question

jan gestre freebsd.ph at gmail.com
Mon Jul 31 18:36:43 UTC 2006


On 8/1/06, jan gestre <freebsd.ph at gmail.com> wrote:
>
> On 8/1/06, Svein Halvor Halvorsen <svein.h at lvor.halvorsen.cc> wrote:
>
> > jan gestre wrote:
> > i was trying to portupgrade ruby coz portaudit is complaining of
> > vulnerabilities, i did run cvsup and portsdb -Uu before portupgrade, at
> > first i couldn't upgrade ruby coz portupgrade is complaining maybe coz
> > portaudit but someone in the list suggested this:
> >
> > # portupgrade -Rr -m DISABLE_VULNERABILITIES="yes" ruby
> >
> > voilà, it installed the ruby package but still portaudit complains even
> > though the installed version is current which has no vulnerability. is
> > this normal? any way to fix these?
>
>
> This is expected behavior. The ports system will let you upgrade a
> vulnerable port without complaint. It will however complain if you try
> to install (or upgrade to) a version that has vulnerabilities. Since
> portupgrade complained, it's no surprise that portaudit also complains
> after the forced upgrade.
>
> This means that either the version in ports isn't fixed yet (the
> existence of a vulnerability of a prior version does not imply that said
> vulnerability is fixed in the current version), or that your ports tree
> is out of date. Seeing that the latter is not true, I would say you
> just have to wait for an updated version to appear in ports.
>
> You can create an account at freshports and add ruby to your "watch
> list". That means you'll get notified when new versions arrive.
>
>
>  i portupgrade the previous version ruby-1.8.4_8,1 to the current version
> which is ruby-1.8.4_9,1 and i also saw from the portaudit complaint that
> the new version is not anymore affected by the vulnerabilities of the old
> version meaning the maintainer already fixed this, however portaudit is
> still complaining. and how about the portsdb output? why is it complaining
> of stuff i don't have installed?
>
> i update the portaudit database and now it's no longer reporting the
> vulnerability :) which brings me back to my second question regarding the
> portsdb -Uu output, why is it complaining about those packages which i don't
> have installed?
>


many thanks in advance

