From owner-freebsd-ports@FreeBSD.ORG Fri Nov 23 09:01:11 2012
Message-ID: <50AF3B4B.9030704@freebsd.org>
Date: Fri, 23 Nov 2012 09:00:59 +0000
From: Matthew Seaman
To: freebsd-ports@freebsd.org
Subject: Re: Opera vulnerability, marked forbidden instead of update?
In-Reply-To: <20121123092631.3b0aff2f0902e02098c273b4@alkumuna.eu>

On 23/11/2012 08:26, Matthieu Volat wrote:
> I've noticed that www/opera was marked FORBIDDEN because of a security hole:
> http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
>
> The Opera software company advisory indeed marks this bug as high severity, and mentions that there is an update to fix it.
>
> I am not familiar with the security process in ports, but wouldn't it be better to update the version? Marking it FORBIDDEN does not do much for the userbase that already has it installed.
>
> I've bumped the versions in the Makefile
> OPERA_VER?= 12.11
> OPERA_BUILD?= 1661
> and made a `make makesum reinstall`; there was no apparent problem.

Marking a port 'FORBIDDEN' is a quick response measure that can be done without having to worry about time-consuming testing of the port and so forth. It's an interim measure taken to ensure that users do not unwittingly install software with known vulnerabilities. Yes, updating the port to a non-vulnerable version is the ideal response, but that may not be possible to do straight away.
You've sketched out the first couple of steps a port maintainer would take, but that 'there was no apparent problem' statement would need to be backed up by some more rigorous testing before a maintainer would feel confident in committing the update.

Cheers,

Matthew
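As an added illustration of the point made in this exchange (not code from the thread or from the ports tree): a small POSIX sh checker that reads OPERA_VER and any FORBIDDEN line from a port Makefile and classifies a host by what is installed, showing that FORBIDDEN stops new installs but does nothing for a copy already on disk. The two sample Makefiles are constructed here (12.10 is a placeholder for the pre-update version; 12.11 build 1661 is the update named in the thread), and the version comparison is my own field-by-field compare.

```sh
#!/bin/sh
# Added example (not from the thread): what a FORBIDDEN mark does and does not
# cover. Sample Makefiles below are constructed; 12.10 is a placeholder.

# Print the value of a make variable assigned with "=" or "?=" in a Makefile.
port_var() {  # $1 = Makefile path, $2 = variable name
    sed -n "s/^$2[[:space:]]*[?]*=[[:space:]]*//p" "$1" | head -n 1
}

# Succeed (exit 0) if dotted version $1 is older than $2, compared field by field.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Classify a host. FORBIDDEN blocks new installs of the vulnerable version but
# leaves an already installed copy exactly as vulnerable as before.
assess() {  # $1 = Makefile path, $2 = installed version ("" = not installed)
    port_ver=$(port_var "$1" OPERA_VER)
    if [ -n "$(port_var "$1" FORBIDDEN)" ]; then
        if [ -z "$2" ]; then echo forbidden-blocks-install
        else echo forbidden-installed-still-vulnerable; fi
    elif [ -z "$2" ]; then echo not-installed
    elif version_lt "$2" "$port_ver"; then echo update-available
    else echo current; fi
}

# Two constructed Makefiles: the interim FORBIDDEN mark on the old version
# (placeholder 12.10) and the update to 12.11 build 1661 from the thread.
write_samples() {  # $1 = output directory
    cat > "$1/Makefile.forbidden" <<'EOF'
OPERA_VER?= 12.10
FORBIDDEN= known security hole, see vendor advisory (placeholder)
EOF
    cat > "$1/Makefile.updated" <<'EOF'
OPERA_VER?= 12.11
OPERA_BUILD?= 1661
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
assess "$tmp/Makefile.forbidden" ""     # forbidden-blocks-install
assess "$tmp/Makefile.forbidden" 12.10  # forbidden-installed-still-vulnerable
assess "$tmp/Makefile.updated" 12.10    # update-available
rm -rf "$tmp"
```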