From: Matthew Seaman
To: Chris Hodgins
Cc: freebsd-questions@freebsd.org
Date: Thu, 20 Jan 2005 14:14:00 +0000
Subject: Re: pdflib for php
Message-ID: <20050120141400.GA98085@gravitas.thebunker.net>
In-Reply-To: <41EFA629.8010707@cis.strath.ac.uk>
On Thu, Jan 20, 2005 at 12:38:01PM +0000, Chris Hodgins wrote:
> Thanos Tsouanas wrote:
> >On Thu, Jan 20, 2005 at 12:11:04PM +0200, Cristi Tauber wrote:
> >
> >>===> pdflib-6.0.1 is forbidden:
> >>http://vuxml.freebsd.org/fc7e6a42-6012-11d9-a9e7-0001020eed82.html.
> >>
> >> Forbidden? Why? Anyone ...
> >
> >
> >Yes this one: just follow the link. (pretty obvious ;))
> >
> >If you insist on installing the port, 'un'break it manually.
> >
> >HTH
>
> Purely out of curiosity... when a possible exploit such as this is
> discovered in a port and a patch is provided, why is it not patched
> immediately? I understand that when a vulnerability is discovered it is
> important to look for similar bugs in the file and also the entire port.
> Is this what takes the time or is it purely a maintainer finding the
> time to update it?
>
> Again this is just out of curiosity and not related to this port in
> particular.

Yes -- it's just waiting for the maintainer to provide an update. Most
maintainers in this situation will send-pr(1) a fix within a day or so.
The security team will generally prod (via e-mail) any port maintainer
when they add a VuXML entry concerning their port -- unless it was the
port maintainer that told them about the problem in the first place,
which does happen occasionally.

PRs applying updates to ports and marked 'Security' and/or CC'd to the
security team tend to get committed PDQ, even during the middle of a
ports freeze.

Depending on the responsiveness of the maintainer and/or the severity of
the vulnerability and/or availability of patches, a port may either be
marked 'FORBIDDEN' or pre-emptively patched without the maintainer's
involvement, but those are both quite rare events.

You can always override the vulnerability checking by setting
'DISABLE_VULNERABILITIES=yes' in the environment.
Often this makes sense to do, but only once you've read through the
background material from the VuXML document -- eg. the vulnerability
may permit privilege escalation for local users, which would be bad
ju-ju if you were running a public access shell server, but no biggie
if it was on your personal desktop box that only you would ever use.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       8 Dane Court Manor
                                                      School Rd
PGP: http://www.infracaninophile.co.uk/pgpkey         Tilmanstone
Tel: +44 1304 617253                                  Kent, CT14 0JL UK