Date: Sat, 21 May 2005 09:58:17 -0700
From: Kris Kennaway
To: Robert S
Cc: freebsd-questions@freebsd.org
Subject: Re: portaudit: recommended packages can't be installed
Message-ID: <20050521165817.GA19062@xor.obsecurity.org>
In-Reply-To: <7093dffb05052106296c487773@mail.gmail.com>

On Sat, May 21, 2005 at 01:29:11PM +0000, Robert S wrote:
> I've just started playing around with FreeBSD. One of my main
> priorities of an OS is ease of upgrading. If I run portaudit, I get a
> list of insecure packages (here is an excerpt from the output):
>
> Affected package: firefox-1.0.3,1
> Type of problem: mozilla -- code execution via javascript: IconURL
> vulnerability.
> Reference:
>
> Affected package: kdelibs-3.4.0_1
> Type of problem: kdelibs -- kimgio input validation errors.
> Reference:
>
> 4 problem(s) in your installed packages found.
>
> You are advised to update or deinstall the affected package(s) immediately.
> freebsd #
>
> If I try to replace kdelibs with a binary package, or install it
> through ports (after doing a cvsup), I still get version 3.4.0_1.
>
> Are fixes not necessarily made available when security vulnerabilities
> are found?

Not instantly, of course..and in some cases they are not fixed for a
long time. The third party software in the ports collection is
maintained to different standards depending on the project. If you
have questions, you should contact those third party developers.

> Also -- is there a similar utility to portaudit and freebsd-update,
> that can be used on the base operating system (not through ports)?

freebsd update works on the base system.

Kris