PHP vulnerability and portupgrade

Mark Andrews Mark_Andrews at isc.org
Tue Dec 21 18:00:50 PST 2004 

> On Wednesday 22 December 2004 09:06, Mark Andrews wrote:
> > > Hello,
> > >
> > > Due to the recently discovered vulnerability in PHP versions older than
> > > 4.3.10 and 5.0.3, I decided to take a look at portupgrade to see if it
> > > is a good way to keep the ports collection up-to-date with respect to
> > > security issues. I ran cvsup on the security branch (tag=RELENG_5_3),
> > > then portsdb -Uu. However, portupgrade didn't find any ports that
> > > needed an upgrade.
> > >
> > > Am I doing something wrong or is portupgrade not the best tool to keep
> > > up with security advisories in ports?
> >
> >  cvsup of ports does not use tag=RELENG_5_3.
> >
> >  e.g.
> >   *default  host=cvsup.FreeBSD.org
> >   *default  base=/usr
> >   *default  prefix=/usr
> >   *default  release=cvs
> >   *default  delete use-rel-suffix
> >   *default  tag=.
> >   ports-all
> >
> >  Use portaudit to track security issues in ports.
> 
> Thanks a lot for your reply. If I understand things correctly, I need to 
> maintain two cvsup files - one that tracks security issues in the base 
> FreeBSD 5.3 system (tag=RELENG_5_3, src-all) and one for the ports 
> collection (tag=. , ports-all). Then every time I receive a FreeBSD 
> security advisory I run cvsup on the former, and every time portaudit tells 
> me about a new security issue in the ports collection, I run cvsup on the 
> latter, then use portupgrade to upgrade vulnerable ports.
> 
> Is this correct?

	Essentually.  When you install portaudit it will be run as
	part of the daily periodic jobs provided the FreeBSD version
	is new enough (which 5.3 is).

	How you treat each reported issue is up to you.  Some do not
	have a fix yet.  You need to decide if you can live with
	vulnerability or not.
 
> I went through the security chapter of the FreeBSD handbook, but I found it 
> disappointing that it doesn't explain how to keep a FreeBSD system 
> up-to-date of security issues. Also, "The Complete FreeBSD" book by Greg 
> Lehey doesn't even mention the existence of portaudit.
> 
> Thanks again :-)
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the freebsd-stable mailing list