Date: Wed, 22 Dec 2004 13:00:45 +1100 From: Mark Andrews <Mark_Andrews@isc.org> To: Ladislav Bodnar <distro.watch@msa.hinet.net> Cc: stable@freebsd.org Subject: Re: PHP vulnerability and portupgrade Message-ID: <200412220200.iBM20jV1022891@drugs.dv.isc.org> In-Reply-To: Your message of "Wed, 22 Dec 2004 09:52:01 %2B0800." <200412220952.01107.distro.watch@msa.hinet.net>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Wednesday 22 December 2004 09:06, Mark Andrews wrote: > > > Hello, > > > > > > Due to the recently discovered vulnerability in PHP versions older than > > > 4.3.10 and 5.0.3, I decided to take a look at portupgrade to see if it > > > is a good way to keep the ports collection up-to-date with respect to > > > security issues. I ran cvsup on the security branch (tag=RELENG_5_3), > > > then portsdb -Uu. However, portupgrade didn't find any ports that > > > needed an upgrade. > > > > > > Am I doing something wrong or is portupgrade not the best tool to keep > > > up with security advisories in ports? > > > > cvsup of ports does not use tag=RELENG_5_3. > > > > e.g. > > *default host=cvsup.FreeBSD.org > > *default base=/usr > > *default prefix=/usr > > *default release=cvs > > *default delete use-rel-suffix > > *default tag=. > > ports-all > > > > Use portaudit to track security issues in ports. > > Thanks a lot for your reply. If I understand things correctly, I need to > maintain two cvsup files - one that tracks security issues in the base > FreeBSD 5.3 system (tag=RELENG_5_3, src-all) and one for the ports > collection (tag=. , ports-all). Then every time I receive a FreeBSD > security advisory I run cvsup on the former, and every time portaudit tells > me about a new security issue in the ports collection, I run cvsup on the > latter, then use portupgrade to upgrade vulnerable ports. > > Is this correct? Essentually. When you install portaudit it will be run as part of the daily periodic jobs provided the FreeBSD version is new enough (which 5.3 is). How you treat each reported issue is up to you. Some do not have a fix yet. You need to decide if you can live with vulnerability or not. > I went through the security chapter of the FreeBSD handbook, but I found it > disappointing that it doesn't explain how to keep a FreeBSD system > up-to-date of security issues. Also, "The Complete FreeBSD" book by Greg > Lehey doesn't even mention the existence of portaudit. > > Thanks again :-) > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200412220200.iBM20jV1022891>