pkg audit and port upgrades

Matthew Seaman matthew at FreeBSD.org
Thu Sep 15 10:48:57 UTC 2016


On 15/09/2016 10:58, Roland van Laar via freebsd-questions wrote:
> My question: How do I know if a vulnerable port has had an update?
> 
> I get daily emails from pkg audit telling me about vulnerabilities in my
> ports.
> Today it was curl, but the latest curl hasn't yet had an update.
> 
> I update the ports tree and rebuild my ports.
> Only to notice during the build that it stops the build because the port
> is still vulnerable.
> 
> => Please update your ports tree and try again.
> => Note: Vulnerable ports are marked as such even if there is no update
> available.
> => If you wish to ignore this vulnerability rebuild with 'make
> DISABLE_VULNERABILITIES=yes'
> *** Error code 1
> 
> Is there a way to know before I build my ports to know if there is a
> vulnerability?

Yeah -- it's relatively easy to see where there are updates available
for existing and vulnerable packages.  You just need to calculate the
intersection between two lists:

1) All of the packages installed on your system with known
vulnerabilities, generated by e.g.

   pkg audit -q

2) All of the packages on your system with available updates
generated by e.g.

   pkg version -vRL=

The 'R' option means 'use the repository catalogue' -- if you're going
to be building locally from ports you might want to substitute 'I' (use
the ports INDEX -- but be sure this is up to date) or 'P' (use the ports
tree directly -- this is accurate, but slow.)

Working out if the latest available version of a package is still
vulnerable -- that's another story.  pkg-audit(8) doesn't accept a
package name + version to test if that particular version is vulnerable.
That would make a good addition to its functionality.

What's left?  You can check the database pkg-audit(8) uses, which can be
found in /var/db/pkg/vuln.xml.  Not that XML is particularly friendly
for traditional shell scripting.  Given there's usually only a few
vulnerable packages on a system at any one time, manually comparing
against the versions given there might be feasible.  Or use the rendered
output from https://vuxml.freebsd.org/freebsd/index.html

	Cheers,

	Matthew
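The procedure Matthew describes, as an added example that is not part of the thread and not pkg's own code: intersect the package list from `pkg audit -q` with the updatable list from `pkg version -v`, then check each candidate remote version against the `<range>` elements of a VuXML document in the layout of /var/db/pkg/vuln.xml. Python is used instead of shell because the XML is awkward to handle from sh. The command outputs and the VuXML fragment are constructed samples (the `vid` values are placeholders), and `version_key` is a simplified version comparison written for this example; the authoritative comparison is `pkg version -t`, which handles cases this helper does not.

```python
"""Added example: find installed packages that are both vulnerable and
updatable, then test the available version against VuXML ranges."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of `pkg audit -q` output: one vulnerable package per line.
PKG_AUDIT_Q = """\
curl-7.50.1
openssl-1.0.2h,1
"""

# Constructed sample of `pkg version -v` output; '<' marks an available update.
# The trailing note reads "remote has" for -R, "index has" for -I, "port has" for -P.
PKG_VERSION_V = """\
curl-7.50.1                        <   needs updating (remote has 7.50.3)
openssl-1.0.2h,1                   <   needs updating (remote has 1.0.2i,1)
vim-8.0.0001                       <   needs updating (remote has 8.0.0005)
"""

# Constructed VuXML fragment using the real element names; vids are placeholders.
VULN_XML = """\
<vuxml xmlns="http://www.vuxml.org/2003/vuxml">
  <vuln vid="PLACEHOLDER-VID-1">
    <topic>curl -- constructed example entry</topic>
    <affects><package><name>curl</name><range><lt>7.50.3</lt></range></package></affects>
  </vuln>
  <vuln vid="PLACEHOLDER-VID-2">
    <topic>openssl -- constructed example entry</topic>
    <affects><package><name>openssl</name>
      <range><ge>1.0.2,1</ge><le>1.0.2i,1</le></range></package></affects>
  </vuln>
</vuxml>
"""

NS = {"v": "http://www.vuxml.org/2003/vuxml"}
OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b, "eq": lambda a, b: a == b}


def split_pkg(pkgname):
    """'curl-7.50.1' -> ('curl', '7.50.1'); the version follows the last '-'."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def version_key(v):
    """Simplified sort key for FreeBSD package versions (assumption: good enough
    for epoch ',N', port revision '_N' and dotted/alphanumeric components;
    `pkg version -t` is the authoritative comparison)."""
    epoch = revision = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = tuple((1, int(t), "") if t.isdigit() else (0, 0, t)
                  for t in re.findall(r"\d+|[A-Za-z]+", v))
    return (epoch, parts, revision)


def parse_audit(text):
    """{name: installed_version} from `pkg audit -q` lines."""
    return dict(split_pkg(line.strip()) for line in text.splitlines() if line.strip())


def parse_version_v(text):
    """{name: (installed, available)} for `pkg version -v` lines marked '<'."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+<\s+.*\((?:remote|index|port) has (\S+)\)", line)
        if m:
            name, installed = split_pkg(m.group(1))
            out[name] = (installed, m.group(2))
    return out


def load_vuln_ranges(xml_text):
    """{name: [(vid, [(op, bound), ...]), ...]} from a VuXML document."""
    ranges = {}
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        for pkg in vuln.findall("v:affects/v:package", NS):
            names = [n.text for n in pkg.findall("v:name", NS)]
            for rng in pkg.findall("v:range", NS):
                bounds = [(b.tag.split("}")[1], b.text) for b in rng]
                for name in names:
                    ranges.setdefault(name, []).append((vuln.get("vid"), bounds))
    return ranges


def matching_vids(name, version, ranges):
    """vids whose ranges match `version` (every bound of a range must hold)."""
    key = version_key(version)
    return [vid for vid, bounds in ranges.get(name, [])
            if all(OPS[op](key, version_key(bound)) for op, bound in bounds)]


def updatable_vulnerable(audit_text=PKG_AUDIT_Q, version_text=PKG_VERSION_V,
                         xml_text=VULN_XML):
    """Intersect the two lists; flag entries whose available version is still affected."""
    vulnerable, updates = parse_audit(audit_text), parse_version_v(version_text)
    ranges = load_vuln_ranges(xml_text)
    report = {}
    for name in sorted(set(vulnerable) & set(updates)):
        installed, available = updates[name]
        report[name] = {"installed": installed, "available": available,
                        "available_still_vulnerable": bool(matching_vids(name, available, ranges))}
    return report


if __name__ == "__main__":
    for name, info in updatable_vulnerable().items():
        status = "STILL VULNERABLE" if info["available_still_vulnerable"] else "fixed"
        print(f"{name}: {info['installed']} -> {info['available']} ({status})")
```

On a live system the three constants would be replaced by the real command outputs and the contents of /var/db/pkg/vuln.xml; vim is dropped from the report because it is updatable but not in the audit list, curl's available version falls outside its `<lt>` bound, and openssl's available version still sits inside its range.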


