From: David Wolfskill
To: freebsd-ports@freebsd.org
Date: Fri, 25 Jul 2014 05:45:04 -0700
Subject: www/firefox vs. vulnerabilities vs. libevent --> libevent2
Message-ID: <20140725124504.GD34525@albert.catwhisker.org>

/usr/ports is a working copy of head@r362876; during my daily portmaster run to update all installed ports on my laptop, I see that libevent1 is now replaced by libevent2. Apparently www/firefox had been linked against libevent, so portmaster tries to update www/firefox (after having updated several other ports). That process terminates rather abruptly, however:

===>>> All >> firefox-30.0_1,1 (12/15)
===> Cleaning for firefox-30.0_2,1
===> firefox-30.0_2,1 has known vulnerabilities:
firefox-30.0_2,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2014-1561
CVE: CVE-2014-1560
CVE: CVE-2014-1559
CVE: CVE-2014-1558
CVE: CVE-2014-1557
CVE: CVE-2014-1556
CVE: CVE-2014-1555
CVE: CVE-2014-1552
CVE: CVE-2014-1551
CVE: CVE-2014-1550
CVE: CVE-2014-1549
CVE: CVE-2014-1548
CVE: CVE-2014-1547
CVE: CVE-2014-1544
WWW: http://portaudit.FreeBSD.org/978b0f76-122d-11e4-afe3-bc5ff4fb5e7b.html

1 problem(s) in the installed packages found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** [check-vulnerable] Error code 1

Stop in /common/ports/www/firefox.
*** [build] Error code 1

Stop in /common/ports/www/firefox.
===>>> make build failed for www/firefox
===>>> Aborting update

As a reality check, I did take a quick look at to see if, perchance, there were commits to www/firefox to address those reported vulnerabilities since r362876, but the most recent commit I see there now is r362887 -- and none of the commits since r362876 is about/for www/firefox (or anything related, AFAICT).

So I'm left wondering how this is actually useful: I'm left with a copy of firefox installed (more or less) that has known vulnerabilities and is broken (since it's still linked against a library that no longer exists).

At least I was able to use a copy of firefox on a machine I haven't started to upgrade yet (so I could refer to the cited Web page(s)).

Since I'm disinclined to globally disable all vulnerability checking, I'm proceeding with updates to the ports that portmaster hadn't yet got to first, before (temporarily) disabling the checks so I can have a working graphical Web browser with which I'm familiar again.

Which reminds me: the cited directive re. the libevent change (in UPDATING): "pkg delete libevent" also deleted sysutils/tmux, so the subsequent "portmaster -ad" had no clue that tmux was supposed to be rebuilt. I was able to re-install it manually, but I mention this in case it helps someone else.

(Ugh. It appears that the "portmaster -aF" that I ran earlier this morning didn't actually fetch the firefox-30.0.source.tar.bz2... wait up; that should have been there already. Making me wait while that's re-fetched is ... not good: I'm trying to get this laptop updated before I go in to work this morning.... OK; I found a local copy on another machine.)

Peace,
david
-- 
David H. Wolfskill david@catwhisker.org
Taliban: Evil cowards with guns afraid of truth from a 14-year old girl.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
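The check-vulnerable stage that aborted the update above emits a fixed, line-oriented report (package, advisory title, one "CVE:" line per identifier, a "WWW:" line pointing at the VuXML entry). When portmaster runs unattended, the useful alternative to setting DISABLE_VULNERABILITIES globally is to capture that report, record it, and make the override decision per port. The following is an added example, not code from the original message or from the ports framework: it parses a constructed log fragment shaped like the quoted output (abbreviated CVE list, same values) into a structured record and extracts the VuXML entry id from the URL. The sample text, the VulnReport type and the function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the tail of a portmaster build log in the shape of the
# check-vulnerable output quoted in the message (CVE list shortened).
SAMPLE_LOG = """\
===> Cleaning for firefox-30.0_2,1
===> firefox-30.0_2,1 has known vulnerabilities:
firefox-30.0_2,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2014-1561
CVE: CVE-2014-1560
CVE: CVE-2014-1544
WWW: http://portaudit.FreeBSD.org/978b0f76-122d-11e4-afe3-bc5ff4fb5e7b.html

1 problem(s) in the installed packages found.
=> Please update your ports tree and try again.
*** [check-vulnerable] Error code 1
"""


@dataclass
class VulnReport:
    """One 'X is vulnerable:' block from check-vulnerable output (assumed type)."""
    package: str
    title: str
    cves: List[str] = field(default_factory=list)
    url: str = ""


PKG_RE = re.compile(r"^(?P<pkg>\S+) is vulnerable:$")
CVE_RE = re.compile(r"^CVE:\s+(CVE-\d{4}-\d{4,})$")
WWW_RE = re.compile(r"^WWW:\s+(\S+)$")
CHECK_FAILED = "*** [check-vulnerable] Error code 1"
VUXML_ID_RE = re.compile(r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\.html$")


def parse_check_vulnerable(log: str) -> List[VulnReport]:
    """Collect every vulnerability block in a build log, in order of appearance."""
    reports: List[VulnReport] = []
    current: Optional[VulnReport] = None
    lines = log.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = PKG_RE.match(line)
        if m:
            # The advisory title is the line directly after "<pkg> is vulnerable:".
            title = lines[i + 1].strip() if i + 1 < len(lines) else ""
            current = VulnReport(package=m.group("pkg"), title=title)
            reports.append(current)
            i += 2
            continue
        if current is not None:
            m = CVE_RE.match(line)
            if m and m.group(1) not in current.cves:  # de-duplicate repeated CVE lines
                current.cves.append(m.group(1))
            m = WWW_RE.match(line)
            if m:
                current.url = m.group(1)
        i += 1
    return reports


def build_failed_on_vuln_check(log: str) -> bool:
    """True when the make target that stopped the build was check-vulnerable."""
    return CHECK_FAILED in log


def vuxml_id(report: VulnReport) -> Optional[str]:
    """The VuXML entry id is the basename of the WWW: URL, without '.html'."""
    m = VUXML_ID_RE.search(report.url)
    return m.group(1) if m else None


if __name__ == "__main__":
    for r in parse_check_vulnerable(SAMPLE_LOG):
        print(r.package, "|", r.title, "|", len(r.cves), "CVEs |", vuxml_id(r))
    print("aborted by check-vulnerable:", build_failed_on_vuln_check(SAMPLE_LOG))
```

A wrapper around portmaster can feed its log through parse_check_vulnerable, file the package, CVE list and VuXML id somewhere durable, and only then decide whether to rebuild that one port with DISABLE_VULNERABILITIES=yes passed on that single make invocation, leaving the check in force for every other port.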