Message-ID: <413F4AB8.3080801@makeworld.com>
Date: Wed, 08 Sep 2004 13:08:56 -0500
From: Chris
To: Matthew Seaman
cc: FreeBSD - Questions
Subject: Re: Portaudit question

Matthew Seaman wrote:
> On Wed, Sep 08, 2004 at 10:01:23AM -0500, Chris wrote:
>
>>While running portaudit, I get the complaint;
>>
>>Affected package: FreeBSD-502010
>>Type of problem: multiple vulnerabilities in the cvs server code.
>>Reference:
>>
>>Note: To disable this check add the uuid to `portaudit_fixed' in
>>/usr/local/etc/portaudit.conf
>>
>>Am I to assume this is only if you run a cvs server? OR -
>>does this relate to the SA's put out earlier this year about the src.
>
>
> Did you read the referenced portaudit page or any of the links
> supplied by it? There are several vulnerabilities, most of which
> affect the CVS server, but one fairly minor that affects the CVS
> client.
>
> The FreeBSD advisory SA-04:07.cvs refers to a different problem:
>
> http://www.vuxml.org/freebsd/0792e7a7-8e37-11d8-90d1-0020ed76ef5a.html
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc
>
> As you can see, the VuXML entry you're getting warnings about is dated
> a month after the security advisory:
>
> http://www.vuxml.org/freebsd/d2102505-f03d-11d8-81b0-000347a4fa7d.html
>
> However, the update given in the security advisory is to a version of
> CVS unaffected by either vulnerability. Update your system to the
> latest patchlevel and the problem will be fixed.

This has been done, 5.2.1-RELEASE-p9

--
Best regards,
Chris

Working capital doesn't.