svn commit: r45838 - head/en_US.ISO8859-1/books/porters-handbook/security
Alex Kozlov
ak at FreeBSD.org
Thu Oct 16 12:30:43 UTC 2014
Author: ak (ports committer)
Date: Thu Oct 16 12:30:42 2014
New Revision: 45838
URL: https://svnweb.freebsd.org/changeset/doc/45838
Log:
- Document modern way to work with vulnerability database
- Do some rewording, remove "you" and "your" where possible (special thanks to wblock)
Reviewed by: mat, wblock
Approved by: mat, wblock
Differential Revision: https://reviews.freebsd.org/D941
Modified:
head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml Thu Oct 16 09:02:51 2014 (r45837)
+++ head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml Thu Oct 16 12:30:42 2014 (r45838)
@@ -114,16 +114,14 @@
also monitor it for issues requiring their
intervention.</para>
- <!-- XXX: Too much "you" in there -->
- <para>If you have committer rights you can update the VuXML
- database by yourself. So you will both help the Security
- Officer Team and deliver the crucial information to the
- community earlier. However, if you are not a committer, or
- you believe you have found an exceptionally severe
- vulnerability please do not hesitate to contact the Security
- Officer Team directly as described on the
- <link xlink:href="http://www.freebsd.org/security/#how">&os;
- Security Information</link> page.</para>
+ <para>Committers can update the <acronym>VuXML</acronym>
+ database themselves, assisting the Security Officer Team
+ and delivering crucial information to the community more
+ quickly. Those who are not committers or have discovered
+ an exceptionally severe vulnerability should not hesitate
+ to contact the Security Officer Team directly, as described
+ on the <link xlink:href="http://www.freebsd.org/security/#how">
+ &os; Security Information</link> page.</para>
<para>The VuXML database is an <acronym>XML</acronym> document.
Its source file <filename>vuln.xml</filename> is kept right
@@ -412,38 +410,19 @@
<title>Testing Changes to the VuXML Database</title>
<para>This example describes a new entry for a
- vulnerability in the package <literal>clamav</literal> that
- has been fixed in version <literal>0.65_7</literal>.</para>
+ vulnerability in the package <literal>dropbear</literal> that
+ has been fixed in version <literal>dropbear-2013.59</literal>.</para>
<para>As a prerequisite,
- <emphasis>install</emphasis> fresh versions of the ports
- <package role="port">ports-mgmt/portaudit</package>,
- <package role="port">ports-mgmt/portaudit-db</package>, and
- <package role="port">security/vuxml</package>.</para>
-
- <note>
- <para>The user running <command>packaudit</command> must have
- permission to write to its <filename>DATABASEDIR</filename>,
- typically <filename>/var/db/portaudit</filename>.</para>
-
- <para>To use a different directory, set the
- <varname>DATABASEDIR</varname> environment variable to a
- different location.</para>
-
- <para>If working in a directory other than
- <filename>${PORTSDIR}/security/vuxml</filename>, set the
- <varname>VUXMLDIR</varname> environment variable to the
- directory where <filename>vuln.xml</filename> is
- located.</para>
- </note>
+ install a fresh version of
+ <package role="port">security/vuxml</package> port.</para>
<para>First, check whether there already is an entry for this
vulnerability. If there were such an entry, it would match
the previous version of the package,
- <literal>0.65_6</literal>:</para>
+ <literal>2013.58</literal>:</para>
- <screen>&prompt.user; <userinput>packaudit</userinput>
-&prompt.user; <userinput>portaudit clamav-0.65_6</userinput></screen>
+ <screen>&prompt.user; <userinput>pkg audit dropbear-2013.58</userinput></screen>
<para>If there is none found, add a
new entry for this vulnerability.</para>
@@ -461,21 +440,10 @@
<package role="port">textproc/jade</package>.</para>
</note>
- <para>Now rebuild the <command>portaudit</command> database from
- the VuXML file:</para>
-
- <screen>&prompt.user; <userinput>packaudit</userinput></screen>
-
- <para>To verify that the <literal><affected></literal>
- section of the entry will match the correct package(s), issue this
- command:</para>
+ <para>Verify that the <literal><affected></literal>
+ section of the entry will match the correct packages:</para>
- <screen>&prompt.user; <userinput>portaudit -f /usr/ports/INDEX -r <replaceable>uuid</replaceable></userinput></screen>
-
- <note>
- <para>Please refer to &man.portaudit.1; for better
- understanding of the command syntax.</para>
- </note>
+ <screen>&prompt.user; <userinput>pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58</userinput></screen>
<para>Make sure that the entry produces no spurious matches in
the output.</para>
@@ -483,22 +451,18 @@
<para>Now check whether the right package versions are matched
by the entry:</para>
- <screen>&prompt.user; <userinput>portaudit clamav-0.65_6 clamav-0.65_7</userinput>
-Affected package: clamav-0.65_6 (matched by clamav<0.65_7)
-Type of problem: clamav remote denial-of-service.
-Reference: <http://www.freebsd.org/ports/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html>
+ <screen>&prompt.user; <userinput>pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-201
+3.58 dropbear-2013.59</userinput>
+dropbear-2012.58 is vulnerable:
+dropbear -- exposure of sensitive information, DoS
+CVE: CVE-2013-4434
+CVE: CVE-2013-4421
+WWW: http://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html
-1 problem(s) found.</screen>
+1 problem(s) in the installed packages found.</screen>
<para>The former version matches while the latter one
does not.</para>
-
- <para>Finally, verify whether the web page generated from the
- VuXML database looks like expected:</para>
-
- <screen>&prompt.user; <userinput>mkdir -p ~/public_html/portaudit</userinput>
-&prompt.user; <userinput>packaudit</userinput>
-&prompt.user; <userinput>lynx ~/public_html/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html</userinput></screen>
</sect2>
</sect1>
</chapter>
More information about the svn-doc-all
mailing list