From: parv@pair.com
To: freebsd-ports@freebsd.org
Date: Wed, 7 Oct 2015 16:02:25 -1000 (HST)
Subject: Working of "pkg audit"
Message-ID: <20151008020225.GA2285@holstein.holy.cow>
List-Id: Porting software to FreeBSD

(Sent to -questions@ on Oct 3 but hadn't got any reply, so sending to @ports now. Also, the situation below is from before www/firefox was updated to 41.0.)
I want to know if running "pkg audit" makes any sense for an installed port that has not been updated officially yet. Also, is it possible to supplement the vuxml catalog for such installed ports?

Firefox 39 or 40 had been installed from ports. I got tired of seeing the package reported as vulnerable on every ports tree update that rebuilds "security/vuxml". As the "www/firefox" port has not been updated yet, I fetched the source of firefox 41.0.1, updated distinfo, and installed it (after rebuilding databases/sqlite3 with the DBSTAT option and moving "files/patch-bug702179" out of "files"). Now I see vulnerability warnings going back to 2004, which are just useless and rather amusing. At least the installed firefox is not vulnerable any more (yet).

Apparently, per pkg-version ...

  # pkg version -t 41.0.1 41.0,1
  <

... and ...

  https://vuxml.freebsd.org/freebsd/2d56c7f4-b354-428f-8f48-38150c607a05.html

... 41.0.1 is still vulnerable. But according to ...

  https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

... there are no outstanding vulnerabilities. Now I am confused.

--
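The "<" printed by `pkg version -t 41.0.1 41.0,1` in the message above is what drives `pkg audit`: a VuXML entry gives version ranges, and the installed package's version string is compared against them with pkg's own ordering rules, in which the epoch (the part after the comma) is compared before anything else, then the version proper, then the port revision (the part after the underscore). The following is an added example, not code from the original message or from pkg(8): a simplified Python re-implementation of that ordering, plus a tiny range check in a made-up textual shorthand for VuXML's `<lt>`/`<ge>` elements. The pre-release letter handling (a/b/pre/rc below the bare number, pl above it, anything else above pl) is an assumption chosen to be plausible, not a claim about pkg's exact behaviour; the epoch/version/revision precedence is as documented in pkg-version(8).

```python
"""Simplified FreeBSD pkg version ordering (added example, not pkg's code).

Precedence follows pkg-version(8): epoch (",N") first, then the dotted
version, then the port revision ("_N").  Letter-suffix ranking below is an
assumption for pre-release markers, not a reproduction of pkg's exact rules.
"""
import re
from typing import List, Tuple

# Assumed ranking of letter suffixes relative to the bare number (rank 0):
# pre-release markers sort below, "pl" (patch level) sorts above.
_SUFFIX_RANK = {"a": -4, "alpha": -4, "b": -3, "beta": -3, "pre": -2, "rc": -1, "pl": 1}
_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def split_pkg_version(s: str) -> Tuple[int, str, int]:
    """Split '41.0_2,1' into (epoch=1, version='41.0', revision=2)."""
    epoch = 0
    if "," in s:
        s, e = s.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in s:
        s, r = s.rsplit("_", 1)
        revision = int(r)
    return epoch, s, revision


def _keys(version: str) -> List[Tuple[int, int]]:
    """Flatten a dotted version into comparable (kind, value) keys.

    Numbers become (1, n); letter runs become (0, rank).  A missing trailing
    key is padded as (0, 0), so '41.0.1' > '41.0' and '41.0rc1' < '41.0'.
    """
    keys: List[Tuple[int, int]] = []
    for part in version.split("."):
        for tok in _TOKEN.findall(part):
            if tok.isdigit():
                keys.append((1, int(tok)))
            else:
                keys.append((0, _SUFFIX_RANK.get(tok.lower(), 2)))  # unknown letters: assumed above "pl"
    return keys


def compare_pkg_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, mirroring the '<', '=' or '>' of `pkg version -t a b`."""
    ea, va, ra = split_pkg_version(a)
    eb, vb, rb = split_pkg_version(b)
    if ea != eb:                      # epoch dominates everything else
        return -1 if ea < eb else 1
    ka, kb = _keys(va), _keys(vb)
    n = max(len(ka), len(kb))
    ka += [(0, 0)] * (n - len(ka))
    kb += [(0, 0)] * (n - len(kb))
    if ka != kb:
        return -1 if ka < kb else 1
    if ra != rb:                      # port revision is the final tie-breaker
        return -1 if ra < rb else 1
    return 0


def vuxml_affected(installed: str, range_spec: str) -> bool:
    """Check an installed version against a range written as e.g. '>=38.0,1 <41.0,1'.

    The textual form is a made-up shorthand for VuXML's <ge>/<lt>/<le>/<gt>/<eq>
    elements (assumption); every clause must hold for the package to be affected.
    """
    for clause in range_spec.split():
        m = re.fullmatch(r"(<=|>=|<|>|=)(.+)", clause)
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.group(1), m.group(2)
        c = compare_pkg_versions(installed, bound)
        holds = {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c == 0}[op]
        if not holds:
            return False
    return True


if __name__ == "__main__":
    sym = {-1: "<", 0: "=", 1: ">"}
    for a, b in [("41.0.1", "41.0,1"), ("41.0.1,1", "41.0,1"), ("41.0_2", "41.0_1"), ("41.0rc1", "41.0")]:
        print(f"{a:>10} {sym[compare_pkg_versions(a, b)]} {b}")
    # Constructed range modelled on a "firefox < 41.0,1" style entry (assumption, not the real VuXML text):
    for v in ("41.0.1", "41.0.1,1"):
        print(f"{v:>10} affected by '<41.0,1': {vuxml_affected(v, '<41.0,1')}")
```

Running it shows the same "<" as the message for `41.0.1` versus `41.0,1` (epoch 0 versus epoch 1 decides before the numbers are even looked at), while `41.0.1,1` compares above `41.0,1` and falls outside a `<41.0,1` range.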