From owner-freebsd-security@FreeBSD.ORG Sun Jun 13 09:16:20 2004
Date: Sun, 13 Jun 2004 11:15:47 +0200
From: Oliver Eikemeier
To: FreeBSD ports
Cc: FreeBSD security
Subject: FYI: new port security/portaudit-db
Message-Id: <41764F4F-BD1A-11D8-B633-00039312D914@fillmore-labs.com>

Dear porters and port users,

I've added a new port security/portaudit-db that complements security/portaudit for users who have a current ports tree and want to generate the portaudit database themselves, possibly distributing it over their local network. This will save you the traffic of downloading information that is already on your local machine and avoid the lag that is currently associated with the mirroring process.

Basically you just need to install security/portaudit-db and run `packaudit' every time after your ports tree has been updated. Try `portaudit -d'; it should show the current date afterwards.
This port also features a MOVED style file (database/portaudit.txt) where UUIDs for vulnerabilities can be allocated before they are researched thoroughly and moved to the VuXML database. When you fix a vulnerability in one of your ports, please add at least an entry to this file, so that this fact doesn't go unnoticed. Of course a full VuXML entry is preferred.

I take this announcement as an opportunity to make a plea to all port maintainers:

* please stick with *one* PKGNAMESUFFIX (possibly using a combined one like -sasl-client)
* please *do not* change the structure of the package's version number according to included components.

Let's take for example port `myport', which has optional components c1 and c2. This *should not* result in the following package names:

  port-v
  port-suf1-v+v1
  port-suf2-v+v2
  port-suf1-suf2-v+v1+v2

because I need 2^(number of components) entries to catch all possible combinations; for example the recent vulnerability in www/apache13-modssl would need 32 entries in the vulnerability database, which seems a little high. A net effect is that many combinations are not recognized, and users remain unprotected even though they assume the opposite. If you need to record the included components, please do this in the pkg-message, which is displayed with pkg_info -D.

Again:

* a port should *not* change its version numbering based on included components
* restrain yourself to *one* suffix in the package name (and use a dash to separate it from the main port's name)

Thanks
-Oliver
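The following is an added example, not code from Oliver's mail or from the portaudit port. It models the detection gap the mail describes with a toy vulnerability database: each entry names one package name and the version in which the issue is fixed, and an installed package is flagged only when its name matches exactly and its version is older. The port `myport' and components c1/c2 are the mail's own placeholders; the version strings (1.9, 2.0, 1.1, 0.5) and the entry format are assumptions made for the illustration. The example also generalizes to five components to reproduce the 32 entries the mail mentions for www/apache13-modssl.

```python
"""Toy model of portaudit-style matching (added example, not project code).

Shows why letting the package name and version grow with the set of
included components multiplies the database entries needed: one base
vulnerability needs 2^(number of components) entries, and every entry
left out leaves that build undetected.
"""
from itertools import combinations


def installed_names_bad_scheme(port, base_version, components):
    """Package names under the scheme the mail warns against:
    port-suf1-suf2-v+v1+v2, one name per subset of components.
    components is a list of (suffix, component_version) pairs."""
    names = []
    for r in range(len(components) + 1):
        for combo in combinations(components, r):
            suffix = "".join("-" + c for c, _ in combo)
            version = "+".join([base_version] + [v for _, v in combo])
            names.append(f"{port}{suffix}-{version}")
    return names


def installed_names_good_scheme(port, base_version, suffix=None):
    """Scheme the mail asks for: at most one fixed suffix, version unchanged."""
    names = [f"{port}-{base_version}"]
    if suffix:
        names.append(f"{port}-{suffix}-{base_version}")
    return names


def split_pkgname(pkg):
    """FreeBSD package names are 'name-version'; the version follows the last dash."""
    name, _, version = pkg.rpartition("-")
    return name, version


def main_version(version):
    """Compare on the port's own version only, ignoring component versions after '+'."""
    return tuple(int(x) for x in version.split("+")[0].split("."))


def is_vulnerable(pkg, entry):
    """entry = (package_name, fixed_version): vulnerable if the name matches
    exactly and the installed version is older than the fixed one."""
    name, version = split_pkgname(pkg)
    return name == entry[0] and main_version(version) < main_version(entry[1])


def undetected(installed, entries):
    """Installed packages that no database entry flags (the mail's 'unprotected' case)."""
    return [p for p in installed if not any(is_vulnerable(p, e) for e in entries)]


def entries_needed(installed):
    """Exact-name matching needs one entry per distinct package name."""
    return sorted({split_pkgname(p)[0] for p in installed})


if __name__ == "__main__":
    # Constructed sample: myport 1.9 is vulnerable, fixed in 2.0 (assumed values).
    components = [("c1", "1.1"), ("c2", "0.5")]
    bad = installed_names_bad_scheme("myport", "1.9", components)
    db = [("myport", "2.0")]
    print("bad scheme, installed names:", bad)
    print("missed by a single entry:", undetected(bad, db))
    print("entries needed:", len(entries_needed(bad)))

    # Five optional components, as in the apache13-modssl case the mail cites.
    five = [(f"c{i}", "1") for i in range(5)]
    print("entries for 5 components:",
          len(entries_needed(installed_names_bad_scheme("p", "1.0", five))))

    good = installed_names_good_scheme("myport", "1.9", "c1")
    print("good scheme, missed:",
          undetected(good, [("myport", "2.0"), ("myport-c1", "2.0")]))
```

With two components the single entry for `myport' catches only the bare build; the three builds with components are reported as clean even though they carry the same vulnerable code. The five-component case yields 32 distinct names, one entry each. Under the one-suffix scheme, two entries cover every build.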