From owner-freebsd-questions@freebsd.org Sun Nov 27 09:45:40 2016 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 99A94C58788 for ; Sun, 27 Nov 2016 09:45:40 +0000 (UTC) (envelope-from odhiambo@gmail.com) Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 2FBC01B6 for ; Sun, 27 Nov 2016 09:45:40 +0000 (UTC) (envelope-from odhiambo@gmail.com) Received: by mail-wm0-x22e.google.com with SMTP id t79so127979832wmt.0 for ; Sun, 27 Nov 2016 01:45:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/C8jZrZ061lX2o5SMAlSGg8HE22/x6NaRUi+faUpDH8=; b=STaaMNSy/aA5aBEcOwUT8pN3lBbps9OeuGDXfhKr0JMsbi4w0h7ydJE9JOVVx686P2 wfyZPMXspEwgaUlenPCKh7gVP1P4/AsxkI0FN9oBaO7mc49REBsGitod0NH1svOMMJnB 6v6IYDMcp1/qgC3EK2V//fn3+1VVPM3ToNAuNpMsN6A4UK5tBQ5xCv8HvgfAI9Dbbw9r TeCrpZ18aFOZVAEUFUEtthM8SgmfOjyajsh9Qf8yvVYfGKmuo6z2W5Y0Mv90rFtD4PCA REmERMRbQAZoNUNX5ZKbUHB0nnFVDvWzCSk3L5ardKK/v+WhFdFTepE6N4OOebq+poLp zaKQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/C8jZrZ061lX2o5SMAlSGg8HE22/x6NaRUi+faUpDH8=; b=AYfJ9bJXBwUF7mWXesCNlv+vLwQD4agfj4kNsV/7McyEuAgXqL4MbX6QTUcLM5/rNP zAw8VhGGV4bkEZoSNVDm/OCeQ1FZI6TQk3weU8yEcuUEgr01lEA3LyCRk4JYCqAMxtxb BzJCsFDe4kb432psBtjr72zabUd86Vk0zf6Yr59ilpGqImvYJazztcVnqRWnAzi5ujEo Om79W2y2b/O84F54Iks0aLnH4mzFapPaa4N/AjS/MmxbI1iHF+T1+GsjJtwx6ecQZ8/r CKY94YAIhnKbK+T0blTXYCni2PDIg+Vcq1ZxjDSqSKsP2CPrUShMU1BRbaLSyAqbAsMj jIcw== X-Gm-Message-State: AKaTC03KfIuufZgiuU9g8IuoHf2QwCL+k9u6jXOqtOJDjXKSZLncp+iec7hxfVepI+vZ/t59B3HJRKgwtU/HYg== X-Received: by 10.28.131.72 with SMTP id f69mr13710473wmd.135.1480239938037; Sun, 27 Nov 2016 01:45:38 -0800 (PST) MIME-Version: 1.0 Received: by 10.194.44.69 with HTTP; Sun, 27 Nov 2016 01:44:57 -0800 (PST) In-Reply-To: <868ts5uw17.wl-herbert@mailbox.org> References: <868ts5uw17.wl-herbert@mailbox.org> From: Odhiambo Washington Date: Sun, 27 Nov 2016 12:44:57 +0300 Message-ID: Subject: Re: Dealing with (multiple) pkgs with security vulnerabilities. To: "Herbert J. Skuhra" Cc: User Questions Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 27 Nov 2016 09:45:40 -0000 On 27 November 2016 at 12:11, Herbert J. Skuhra wrote: > Odhiambo Washington wrote: > > > > Hi, > > Part of my security run output contains a long list of packages with > > vulnerabilities. > > 'pkg audit -F' returns a listing of these pkgs with enough details, but > > pkg update && pkg upgrade returns nothing so I suppose there is a better > > way to deal with these. > > Output of 'uname -a' is missing. > Yeah, I am sorry I didn't supply that. I forgot. > > - you are running a version that is EOL (e.g.: FreeBSD 8.x) > That is so true!! But I also have some servers running 9.3 and 10.3. Would it be different dealing with this situation in 9.3|10.3 ?? > => update base first and then try pkg update/upgrade again > - you are running a platform (e.g. arm) for which packages are not > built/updated > - the url in your repository file (e.g. /etc/pkg/FreeBSD.conf) is wrong > url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", > > I know I can manually do 'make -C /path/to/port/directory clean reinstall > > clean', but that is so manual and tirng even just for 10 pkgs to be > updated. > > > > What is the easiest way of doing a batch update for all the listed pkgs? > > - checkout/update /usr/ports with svn(lite) or portsnap > I use portsnap. > - install ports-mgmt/portmaster > I use portupgrade. > - run 'portmaster -a' > So, `portupgrade -1` ?? Okay. I always find that scary. I guess I have to upgrade these systems to 10.3, or maybe 11. > You haven't updated for a long time (more than a year). So maybe it's > better to remove all installed ports (pkg delete -a) and reinstall > them one by one. > Sounds sensibe, but I usually just update the ports that I know as most active - those for which the server was build. Anyway, I get the point now. -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."