pkg audit and port upgrades
matthew at FreeBSD.org
Thu Sep 15 10:48:57 UTC 2016
On 15/09/2016 10:58, Roland van Laar via freebsd-questions wrote:
> My question: How do I know if a vulnerable port has had an update?
> I get daily emails from pkg audit telling me about vulnerabilities in my
> Today it was curl, but the latest curl hasn't yet had an update.
> I update the ports tree and rebuild my ports.
> Only to notice during the build that it stops the build because the port
> is still vulnerable.
> => Please update your ports tree and try again.
> => Note: Vulnerable ports are marked as such even if there is no update
> => If you wish to ignore this vulnerability rebuild with 'make
> *** Error code 1
> Is there a way to know before I build my ports to know if there is a
Yeah -- it's relatively easy to see where there are updates available
for existing and vulnerable packages. You just need to calculate the
intesection between two lists:
1) All of the packages installed on your system with known
vulnerabilities, generated by eg.
pkg audit -q
2) All of the packages on your system with available updates
generated by eg.
pkg version -vRL=
The 'R' option means 'use the repository catalogue' -- if you're going
to be building locally from ports you might want to substitute 'I' (use
the ports INDEX -- but be sure this is up to date) or 'P' (use the ports
tree directly -- this is accurate, but slow.)
Working out if the latest available version of a package is still
vulnerable -- that's another story. pkg-audit(8) doesn't accept a
package name + version to test if that particular version is vulnerable.
That would make a good addition to its functionality.
What's left? You can check the database pkg-audit(8) uses, which can be
found in /var/db/pkg/vuln.xml. Not that XML is particularly friendly
for traditional shell scripting. Given there's usually only a few
vulnerable packages on a system at any one time, manually comparing
against the versions given there might be feasible. Or use the rendered
output from https://vuxml.freebsd.org/freebsd/index.html
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 931 bytes
Desc: OpenPGP digital signature
More information about the freebsd-questions