Date: Sun, 08 Oct 2006 17:11:43 +0100
From: Alex Zbyslaw <xfb52@dial.pipex.com>
To: Zbigniew Szalbot <zbyszek@szalbot.homedns.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: cvsup and portupgrade
Message-ID: <4529233F.6060804@dial.pipex.com>
In-Reply-To: <20061008155535.M17026@192.168.11.51>
References: <20061008130817.G95896@192.168.11.51> <4528EB74.3060401@locolomo.org> <20061008142037.S97136@192.168.11.51> <4528F097.7010300@inode.at> <20061008154335.K98037@192.168.11.51> <452902EF.3080701@inode.at> <20061008155535.M17026@192.168.11.51>

Zbigniew Szalbot wrote:

>
> On Sun, 8 Oct 2006, Armin Pirkovitsch wrote:
>
>> Well another cvsup won't solve the problem since php hasn't been patched
>> yet. However if you're really sure you need and want this kind of port
>> installed just set the environment variable DISABLE_VULNERABILITIES.
>> However - you should be aware that you'd install a program with a
>> security hole.
>
>
> You are right - it did not help. I do not so much want to install php
> with a security hole as much as I want to patch the hole. From the
> portaudit report I understood that I need to update immediately. And
> hence I am trying to do just that. But as a newbie, I guess I am
> making lots of mistakes on the way.

Portaudit produces alarmist messages for any and every security bug, and the "advice" it gives to immediately de-install ports is frequently over-the-top and often unachievable.

Follow the links you get from portaudit to read up about the specific vulnerabilities to see how they might affect you and the machines you run. Many vulnerabilities only occur in very specific circumstances or with very particular option combinations or methods of use. Your usage of any particular application may never go near the security hole.

If there are security holes you are worried about, then cvsup regularly and keep an eye out for your package having an upgrade ("portversion -L=" and look for "<"). Or just look regularly for your port in http://www.freebsd.org/ports/index.html and see when the version number changes.

--Alex
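
The check suggested in the message above, as an added example that is not part of the original e-mail: a shell sketch that lines up portaudit findings against "portversion -L=" output, so each flagged package is marked as either having an upgrade in the ports tree or still waiting for one. The sample text is constructed, and the line formats ("Affected package: name-version" and "name-version  <  ..." as printed with the assumed -v flag) as well as the names triage, demo, sample_portaudit and sample_portversion are assumptions of this example.

```sh
#!/bin/sh
# Constructed sample of portaudit output (format assumed, values invented).
sample_portaudit() {
cat <<'EOF'
Affected package: php5-5.1.6
Type of problem: php -- constructed sample entry.
Reference: <placeholder-reference-1>

Affected package: examplelib-1.2.3
Type of problem: examplelib -- constructed sample entry.
Reference: <placeholder-reference-2>

2 problem(s) in your installed packages found.
EOF
}

# Constructed sample of "portversion -v -L=" output: up-to-date ports are
# suppressed, so php5 is absent here because the tree has nothing newer.
sample_portversion() {
cat <<'EOF'
examplelib-1.2.3            <  needs updating (port has 1.2.4)
othertool-0.9               <  needs updating (port has 1.0)
EOF
}

# triage AUDIT_FILE VERSION_FILE
# Prints one "package<TAB>status" line per package flagged by portaudit.
# "upgrade-available" only means the tree is newer; whether that version
# fixes the hole still has to be read from the linked advisory.
triage() {
    awk '
        FILENAME == ARGV[1] { if ($2 == "<") outdated[$1] = 1; next }
        /^Affected package: / {
            status = ($3 in outdated) ? "upgrade-available" : "no-fix-in-ports-yet"
            print $3 "\t" status
        }
    ' "$2" "$1"
}

# Run the triage over the constructed samples.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_portaudit > "$tmp/audit"
    sample_portversion > "$tmp/versions"
    triage "$tmp/audit" "$tmp/versions"
    rm -rf "$tmp"
}

demo
```

On a real system the two files would come from saving the tools' own output after a cvsup run; packages reported as no-fix-in-ports-yet are the ones to read the advisory for and keep watching.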