PHP vulnerability and portupgrade
Ladislav Bodnar
distro.watch at msa.hinet.net
Tue Dec 21 17:52:00 PST 2004
On Wednesday 22 December 2004 09:06, Mark Andrews wrote:
> > Hello,
> >
> > Due to the recently discovered vulnerability in PHP versions older than
> > 4.3.10 and 5.0.3, I decided to take a look at portupgrade to see if it
> > is a good way to keep the ports collection up-to-date with respect to
> > security issues. I ran cvsup on the security branch (tag=RELENG_5_3),
> > then portsdb -Uu. However, portupgrade didn't find any ports that
> > needed an upgrade.
> >
> > Am I doing something wrong or is portupgrade not the best tool to keep
> > up with security advisories in ports?
>
> cvsup of ports does not use tag=RELENG_5_3.
>
> e.g.
> *default host=cvsup.FreeBSD.org
> *default base=/usr
> *default prefix=/usr
> *default release=cvs
> *default delete use-rel-suffix
> *default tag=.
> ports-all
>
> Use portaudit to track security issues in ports.
Thanks a lot for your reply. If I understand things correctly, I need to
maintain two cvsup files - one that tracks security issues in the base
FreeBSD 5.3 system (tag=RELENG_5_3, src-all) and one for the ports
collection (tag=. , ports-all). Then every time I receive a FreeBSD
security advisory I run cvsup on the former, and every time portaudit tells
me about a new security issue in the ports collection, I run cvsup on the
latter, then use portupgrade to upgrade vulnerable ports.
Is this correct?
I went through the security chapter of the FreeBSD handbook, but I found it
disappointing that it doesn't explain how to keep a FreeBSD system
up to date on security issues. Also, "The Complete FreeBSD" book by Greg
Lehey doesn't even mention the existence of portaudit.
Thanks again :-)
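The following is an added example, not code from either poster in this thread. It turns the point of the reply (src-all follows a RELENG_* security branch, while the ports tree is only ever fetched from HEAD, tag=.) into a supfile sanity check, so the mistake in the question, a release tag applied to ports-all, is caught before cvsup runs. The sample supfiles are constructed here for the demo; check_supfile, write_demo_supfiles and update_ports are names chosen for this example; the update cycle assumes cvsup, portsdb -Uu, portaudit -Fda and portupgrade -a as they existed at the time of the thread, and that a collection line may carry its own tag= override (cvsup's per-collection settings).

```shell
#!/bin/sh
# Added example, not from the thread: catch a supfile that fetches ports
# under a release/security branch tag. Only src-all follows RELENG_*; the
# ports tree has no such branch, so "ports-all" with tag=RELENG_5_3 never
# delivers the fixed PHP port and portupgrade correctly finds nothing to do.

# check_supfile FILE
# Walks a cvsup supfile, tracking the *default tag and any per-collection
# "tag=" override, and prints one diagnostic per mis-tagged collection.
# Returns 0 when the file is clean, 1 otherwise.
check_supfile() {
    file=$1
    deftag=
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            '*default'*)
                # A *default line may carry several settings; remember tag=.
                rest=${line#\*default}
                for tok in $rest; do
                    case "$tok" in tag=*) deftag=${tok#tag=} ;; esac
                done
                continue ;;
        esac
        # Collection line: "name [setting ...]"; a per-line tag= overrides.
        set -- $line
        coll=$1
        tag=$deftag
        for tok in "$@"; do
            case "$tok" in tag=*) tag=${tok#tag=} ;; esac
        done
        case "$coll" in
            ports-*)
                if [ "$tag" != "." ]; then
                    echo "$file: $coll with tag=${tag:-(unset)}: ports only exist on HEAD, use tag=."
                    rc=1
                fi ;;
            src-*)
                if [ "$tag" = "." ]; then
                    echo "$file: $coll with tag=.: that is -CURRENT, a security branch needs tag=RELENG_x_y"
                    rc=1
                fi ;;
        esac
    done < "$file"
    return $rc
}

# write_demo_supfiles DIR
# Writes three constructed supfiles (not real config from the thread):
# the mis-tagged one from the question and the two the reply implies.
write_demo_supfiles() {
    dir=$1
    # The question's mistake: a release tag applied to the ports tree.
    cat > "$dir/wrong.supfile" <<'EOF'
*default host=cvsup.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_5_3
*default delete use-rel-suffix
src-all
ports-all
EOF
    # Base system only, on the 5.3 security branch.
    cat > "$dir/src.supfile" <<'EOF'
*default host=cvsup.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_5_3
*default delete use-rel-suffix
src-all
EOF
    # Both collections in one file: ports-all overrides the tag to HEAD.
    cat > "$dir/ports.supfile" <<'EOF'
*default host=cvsup.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_5_3
*default delete use-rel-suffix
src-all
ports-all tag=.
EOF
}

# update_ports SUPFILE [run]
# The cycle from the thread: refuse a mis-tagged supfile, fetch the tree,
# rebuild the ports database, refresh portaudit's vulnerability list and
# audit installed packages, then upgrade what is out of date. Prints the
# commands unless the second argument is "run".
update_ports() {
    supfile=$1
    mode=${2:-print}
    check_supfile "$supfile" || return 1
    for cmd in "cvsup -g -L 2 $supfile" "portsdb -Uu" "portaudit -Fda" "portupgrade -a"; do
        if [ "$mode" = run ]; then $cmd || return 1; else echo "$cmd"; fi
    done
}

# Stand-alone demo on the constructed files.
demo_dir=$(mktemp -d)
write_demo_supfiles "$demo_dir"
for f in wrong src ports; do
    check_supfile "$demo_dir/$f.supfile" && echo "$f.supfile: ok"
done
update_ports "$demo_dir/ports.supfile"
rm -r "$demo_dir"
```

Run as-is to see the wrong.supfile diagnostic and the printed command sequence; pass `run` as the second argument to update_ports on a real supfile to execute it. The check runs before cvsup so that a stale ports tree is never mistaken for an up-to-date one, which is exactly what made portupgrade report nothing in the question.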