Date: Wed, 8 Sep 2004 16:59:19 +0100
From: Matthew Seaman
To: Chris
Cc: FreeBSD - Questions
Subject: Re: Portaudit question
Message-ID: <20040908155919.GA91355@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <413F1EC3.5010701@makeworld.com>

On Wed, Sep 08, 2004 at 10:01:23AM -0500, Chris wrote:
> While running portaudit, I get the complaint;
>
> Affected package: FreeBSD-502010
> Type of problem: multiple vulnerabilities in the cvs server code.
> Reference:
>
> Note: To disable this check add the uuid to `portaudit_fixed' in
> /usr/local/etc/portaudit.conf
>
> Am I to assume this is only if you run a cvs server? OR -
> does this relate to the SA's put out earlier this year about the src.

Did you read the referenced portaudit page or any of the links
supplied by it? There are several vulnerabilities, most of which
affect the CVS server, but one fairly minor that affects the CVS
client.

The FreeBSD advisory SA-04:07.cvs refers to a different problem:

    http://www.vuxml.org/freebsd/0792e7a7-8e37-11d8-90d1-0020ed76ef5a.html
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc

As you can see, the VuXML entry you're getting warnings about is dated
a month after the security advisory:

    http://www.vuxml.org/freebsd/d2102505-f03d-11d8-81b0-000347a4fa7d.html

However, the update given in the security advisory is to a version of
CVS unaffected by either vulnerability. Update your system to the
latest patchlevel and the problem will be fixed.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614