From: Ladislav Bodnar
Organization: DistroWatch.com
To: stable@freebsd.org
Date: Wed, 22 Dec 2004 09:52:01 +0800
Subject: Re: PHP vulnerability and portupgrade
In-Reply-To: <200412220106.iBM16JlF080958@drugs.dv.isc.org>
Message-Id: <200412220952.01107.distro.watch@msa.hinet.net>
List-Id: Production branch of FreeBSD source code

On Wednesday 22 December 2004 09:06, Mark Andrews wrote:
> > Hello,
> >
> > Due to the recently discovered vulnerability in PHP versions older than
> > 4.3.10 and 5.0.3, I decided to take a look at portupgrade to see if it
> > is a good way to keep the ports collection up-to-date with respect to
> > security issues. I ran cvsup on the security branch (tag=RELENG_5_3),
> > then portsdb -Uu. However, portupgrade didn't find any ports that
> > needed an upgrade.
> >
> > Am I doing something wrong or is portupgrade not the best tool to keep
> > up with security advisories in ports?
>
> cvsup of ports does not use tag=RELENG_5_3.
>
> e.g.
> *default host=cvsup.FreeBSD.org
> *default base=/usr
> *default prefix=/usr
> *default release=cvs
> *default delete use-rel-suffix
> *default tag=.
> ports-all
>
> Use portaudit to track security issues in ports.

Thanks a lot for your reply. If I understand things correctly, I need to maintain two cvsup files - one that tracks security issues in the base FreeBSD 5.3 system (tag=RELENG_5_3, src-all) and one for the ports collection (tag=., ports-all). Then every time I receive a FreeBSD security advisory I run cvsup on the former, and every time portaudit tells me about a new security issue in the ports collection, I run cvsup on the latter, then use portupgrade to upgrade vulnerable ports. Is this correct?

I went through the security chapter of the FreeBSD handbook, but I found it disappointing that it doesn't explain how to keep a FreeBSD system up to date on security issues. Also, "The Complete FreeBSD" book by Greg Lehey doesn't even mention the existence of portaudit.

Thanks again :-)
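The two-supfile workflow discussed above, as an added shell example that is not part of the thread: src follows RELENG_5_3, ports follow HEAD, and portaudit's report decides which installed ports portupgrade rebuilds. Assumed: the supfile directory is passed as an argument, and portaudit reports each hit on an "Affected package: <pkg> (matched by <rule>)" line.

```shell
#!/bin/sh
# Added example (not from the thread): base system on the security branch,
# ports tree on HEAD, and portaudit's report deciding what portupgrade rebuilds.
set -eu

# Write both supfiles into the directory given as $1 (assumed layout). The
# ports tree is tracked on HEAD (tag=.), as Mark's reply shows; only src
# follows RELENG_5_3, which is why the original ports cvsup found nothing.
write_supfiles() {
    dir=$1
    cat > "$dir/src-supfile" <<'EOF'
*default host=cvsup.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs
*default delete use-rel-suffix
*default tag=RELENG_5_3
src-all
EOF
    cat > "$dir/ports-supfile" <<'EOF'
*default host=cvsup.FreeBSD.org
*default base=/usr
*default prefix=/usr
*default release=cvs
*default delete use-rel-suffix
*default tag=.
ports-all
EOF
}

# Read a portaudit report on stdin and print each flagged package once,
# assuming its "Affected package: <pkg> (matched by <rule>)" report lines.
vulnerable_pkgs() {
    sed -n 's/^Affected package: \([^ ]*\).*/\1/p' | sort -u
}

# After a FreeBSD security advisory: sync src on the security branch.
update_src() {
    cvsup -g -L 2 "$1/src-supfile"
}

# After a portaudit alert: sync the ports tree, refresh the ports index and
# the vulnerability database, then upgrade only the flagged packages.
update_ports() {
    cvsup -g -L 2 "$1/ports-supfile"
    portsdb -Uu
    portaudit -Fda | vulnerable_pkgs | while read -r pkg; do
        portupgrade "$pkg"
    done
}
```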