Missing binary package security updates?
Bryan Drewery
bdrewery at FreeBSD.org
Thu Apr 10 20:05:40 UTC 2014
On 4/10/2014 1:35 PM, Janne Snabb wrote:
> Hi,
>
> I recently started using the new fancy pkgng binary packages on some
> machines that I maintain. I thought I could save a lot of time as I
> would not need to keep compiling ports manually any more.
>
> Unfortunately it seems that it was not such a good idea:
>
> # date
> Thu Apr 10 21:27:22 EEST 2014
> # pkg audit
> openssl-1.0.1_9 is vulnerable:
> OpenSSL -- Multiple vulnerabilities - private data exposure
> CVE: CVE-2014-0076
> CVE: CVE-2014-0160
> WWW: http://portaudit.FreeBSD.org/5631ae98-be9e-11e3-b5e3-c80aa9043978.html
>
> 1 problem(s) in the installed packages found.
> # pkg upgrade
> Updating repository catalogue
> Nothing to do
> #
>
> This is on FreeBSD 8/i386.
>
> I think I have noticed binary package updates only about once a week. Is
> my observation correct? Why such an infrequent update cycle? If there is
> some real reason to build package updates so rarely, would it be
> possible to hasten the cycle whenever serious issues like CVE-2014-0160
> are found?
(I am involved in building the packages)
Yes packages currently start building Tuesday night. It takes until
Saturday/Sunday for all release/arch to finish building. As each
release/arch is finished the packages are uploaded.
I did want to expedite updating this package but was blocked by a number
of things. I regret we did not, and will not, have a package available
sooner for all release/archs.
I have started an internal discussion on building packages more
frequently for security updates.
>
> Right now pkgng binary packages are not really suitable for production
> use because of lacking essential security updates. (There should be a
> loud and clear warning about this in the Handbook if it stays this way?)
>
> Best Regards,
>
--
Regards,
Bryan Drewery
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 553 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140410/77908a4e/attachment.sig>
More information about the freebsd-security
mailing list