Date: Thu, 15 Sep 2016 11:48:41 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: pkg audit and port upgrades
Message-ID: <eac996cf-c23a-3627-effc-5ade4540b2f2@FreeBSD.org>
In-Reply-To: <7c6f67b1-422d-bdd7-18aa-7aac6da13e90@micite.net>
References: <7c6f67b1-422d-bdd7-18aa-7aac6da13e90@micite.net>

On 15/09/2016 10:58, Roland van Laar via freebsd-questions wrote:
> My question: How do I know if a vulnerable port has had an update?
>
> I get daily emails from pkg audit telling me about vulnerabilities in my
> ports.
> Today it was curl, but the latest curl hasn't yet had an update.
>
> I update the ports tree and rebuild my ports.
> Only to notice during the build that it stops the build because the port
> is still vulnerable.
>
> => Please update your ports tree and try again.
> => Note: Vulnerable ports are marked as such even if there is no update
> available.
> => If you wish to ignore this vulnerability rebuild with 'make
> DISABLE_VULNERABILITIES=yes'
> *** Error code 1
>
> Is there a way to know, before I build my ports, if there is a
> vulnerability?

Yeah -- it's relatively easy to see where there are updates available
for existing and vulnerable packages. You just need to calculate the
intersection between two lists:

1) All of the packages installed on your system with known
   vulnerabilities, generated by eg.

   pkg audit -q

2) All of the packages on your system with available updates, generated
   by eg.

   pkg version -vRL=

The 'R' option means 'use the repository catalogue' -- if you're going
to be building locally from ports you might want to substitute 'I' (use
the ports INDEX -- but be sure this is up to date) or 'P' (use the ports
tree directly -- this is accurate, but slow.)

Working out if the latest available version of a package is still
vulnerable -- that's another story. pkg-audit(8) doesn't accept a
package name + version to test if that particular version is vulnerable.
That would make a good addition to its functionality.

What's left? You can check the database pkg-audit(8) uses, which can be
found in /var/db/pkg/vuln.xml. Not that XML is particularly friendly for
traditional shell scripting. Given there's usually only a few vulnerable
packages on a system at any one time, manually comparing against the
versions given there might be feasible. Or use the rendered output from
https://vuxml.freebsd.org/freebsd/index.html

Cheers,

Matthew
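Matthew's two-list intersection written out as a small POSIX sh script, added here as an example and not code from the thread or from FreeBSD's pkg. The `pkg audit -q` and `pkg version -vRL=` outputs are constructed stand-ins in the format those commands print; the function name vuln_update_status and the sample package versions are assumptions.

```shell
#!/bin/sh
# Intersect "vulnerable installed packages" (pkg audit -q) with
# "packages that have an update available" (pkg version -vRL=), so the
# answer to "is there a fix yet?" is known before any rebuild starts.
# Constructed sample outputs stand in for the real commands so this runs
# offline; on a FreeBSD host you would capture the commands themselves:
#   AUDIT_OUT=$(pkg audit -q); VERSION_OUT=$(pkg version -vRL=)

# Constructed stand-in for `pkg audit -q`: one pkgname-version per line.
AUDIT_OUT='curl-7.50.1
openssl-1.0.2h,1
php56-5.6.25'

# Constructed stand-in for `pkg version -vRL=`: installed pkgname-version,
# status character, description. Only curl and openssl have a newer version
# in the catalogue; sudo has one too but is not on the audit list.
VERSION_OUT='curl-7.50.1                        <   needs updating (remote has 7.50.3)
openssl-1.0.2h,1                   <   needs updating (remote has 1.0.2i,1)
sudo-1.8.17p1                      <   needs updating (remote has 1.8.18)'

# vuln_update_status AUDIT_OUTPUT VERSION_OUTPUT
# For every vulnerable package print either "update-available <remote>"
# or "no-update", one line per package, sorted by package name.
vuln_update_status() {
    {
        # Tag audit lines "A pkg"; tag "needs updating" lines "U pkg remote".
        printf '%s\n' "$1" | awk 'NF { print "A", $1 }'
        printf '%s\n' "$2" | awk '$2 == "<" { sub(/\)$/, "", $NF); print "U", $1, $NF }'
    } | awk '
        $1 == "A" { vuln[$2] = 1; next }
        $1 == "U" && ($2 in vuln) { remote[$2] = $3 }
        END {
            for (p in vuln) {
                if (p in remote) status = "update-available " remote[p]
                else status = "no-update"
                print p, status
            }
        }
    ' | sort
}

# Stand-alone run over the constructed sample.
vuln_update_status "$AUDIT_OUT" "$VERSION_OUT"
```

Packages reported as "no-update" are exactly the case Roland hit: still flagged by pkg audit, nothing newer in the catalogue, so a rebuild will stop with the same error.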