cvsup and portupgrade

Alex Zbyslaw xfb52 at
Sun Oct 8 09:11:50 PDT 2006

Zbigniew Szalbot wrote:

> On Sun, 8 Oct 2006, Armin Pirkovitsch wrote:
>> Well another cvsup won't solve the problem since php hasn't been patched
>> yet. However if you're really sure you need and want this kind of port
>> installed just set the environment variable DISABLE_VULNERABILITIES.
>> However - you should be aware that you'd install a program with a
>> security hole.
> You are right - it did not help. I do not so much want to install php 
> with a security hole as much as I want to patch the hole. From the 
> portaudit report I understood that I need to update immediately. And 
> hence I am trying to do just that. But as a newbie, I guess I am 
> making lots of mistakes on the way.

Portaudit produces alarmist messages for any and every security bug, and 
the "advice" it gives to immediately de-install ports is frequently 
over-the-top and often unachievable.

Follow the links you get from portaudit to read up about the specific 
vulnerabilities to see how they might affect you and the machines you 
run.  Many vulnerabilities only occur in very specific circumstances or 
with very particular option combinations or methods of use.  Your usage 
of any particular application may never go near the security hole.

If there are security holes you are worried about, then cvsup regularly 
and keep an eye out for you package having an upgrade ("portversion -L=" 
and look for "<").  Or just look regularly for your port in and see when the version number 


More information about the freebsd-questions mailing list