From owner-freebsd-questions@FreeBSD.ORG Thu Sep 29 09:55:44 2005
Message-ID: <433BBA1D.4030606@dial.pipex.com>
Date: Thu, 29 Sep 2005 10:55:41 +0100
From: Alex Zbyslaw
To: Wright Jim Contractor 14MDSS/SGSI
Cc: "'freebsd-questions@FreeBSD.org'"
Subject: Re: portaudit question.....
References: <200509282011.j8SKBKsQ004138@blaze.columbus.af.mil>
In-Reply-To: <200509282011.j8SKBKsQ004138@blaze.columbus.af.mil>

Wright Jim Contractor 14MDSS/SGSI wrote:

>I guess my question is this.
>
>How do I use the FreeBSD tools, Ports/Packages, etc, to install this latest
>version??
>
>Or am I missing the concept altogether ?
>
>( I understand the process of downloading this latest version and installing
>it manually.  Just trying to understand and use the FreeBSD tools )
>

IMHO, the messages from portaudit are misleadingly worded.

Portaudit is correct that some of the software you installed has *some
kind* of security vulnerability. But everything else it says is
potentially misleading.

1) There may be no upgrade available yet. For there to be an upgrade the
original code has to be fixed; in your example by the Mozilla team. Then,
whoever is maintaining the port has to go through the work of fixing the
new code to work on FreeBSD. For a few simple bug fixes, that may not be
too hard, but it still has to be done. How long all this takes will vary
from port to port. Mozilla is generally quite quick, from my experience,
but xloadimage hung around for ages, not long ago.

2) The advice that you should either upgrade or de-install is
unnecessarily authoritarian and frightening. De-installing may not be an
option, and the actual bug may have zero effect on your environment. And
the presence of a bug does not indicate the presence of an exploit.

If you are worried about a particular package then follow up the links
portaudit provides and make up your mind what to do.

However, the fact that you have so many packages reporting problems says
that either you are doing something wrong or not checking often enough.

1) cvsup your ports tree
2) either make fetchindex in /usr/ports and run portsdb -u, or run
   portsdb -Uu (slower but more accurate)
3) run pkg_version -L= to see what needs upgrading
4) use portupgrade to upgrade on a schedule that suits. That might be
   daily or monthly depending on your environment.

Remember to read /usr/ports/UPDATING *before* doing any upgrades.

All of that except the upgrading can be automated safely to run at 3am,
or any other quiet time you might have.

--Alex
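
Added example, not part of the original message and not the poster's own script: a minimal /bin/sh job that automates steps 1 to 3 above for an unattended nightly run and leaves the upgrade itself to a person. The supfile path, the install path in the crontab comment, the `run` argument and the assumed "package status" layout of each `pkg_version -L=` line are assumptions.

```shell
#!/bin/sh
# Added example: nightly refresh-and-report job; it never upgrades anything.
# Assumptions: SUPFILE path, the "run" argument, and report lines of the
# form "<package> <status>" from pkg_version -L=.
PORTSDIR=/usr/ports
SUPFILE=${SUPFILE:-/usr/local/etc/ports-supfile}   # hypothetical path

# Steps 1 and 2: update the ports tree, then fetch and load the index.
# The supfile is assumed to name the cvsup host itself.
refresh_ports() {
    cvsup -g -L 1 "$SUPFILE" &&
        (cd "$PORTSDIR" && make fetchindex) &&
        portsdb -u
}

# Step 3: read `pkg_version -L=` output on stdin. "<" means the installed
# package is older than the index; any other status needs a manual look.
summarise_report() {
    awk '
        NF < 2     { next }
        $NF == "<" { up = up " " $1; n++; next }
                   { odd = odd " " $1 "(" $NF ")" }
        END {
            printf "outdated=%d\n", n
            if (up != "")  print "upgrade:" up
            if (odd != "") print "check:" odd
        }'
}

# cron mails whatever is printed, e.g. in /etc/crontab (hypothetical path):
#   0 3 * * * root /usr/local/sbin/ports-report.sh run
if [ "${1:-}" = "run" ]; then
    refresh_ports || { echo "ports refresh failed" >&2; exit 1; }
    pkg_version -L= | summarise_report
    echo "Read $PORTSDIR/UPDATING before running portupgrade."
fi
```

Without the `run` argument the script only defines its functions, so `summarise_report` can be checked against saved `pkg_version` output on any machine.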