From owner-freebsd-stable@FreeBSD.ORG Wed Dec 22 02:00:49 2004 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B177F16A4CF for ; Wed, 22 Dec 2004 02:00:49 +0000 (GMT) Received: from farside.isc.org (farside.isc.org [204.152.187.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8B74D43D31 for ; Wed, 22 Dec 2004 02:00:49 +0000 (GMT) (envelope-from Mark_Andrews@isc.org) Received: from drugs.dv.isc.org (localhost [IPv6:::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by farside.isc.org (Postfix) with ESMTP id B8EAA677EF for ; Wed, 22 Dec 2004 02:00:48 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.13.1/8.13.1) with ESMTP id iBM20jV1022891; Wed, 22 Dec 2004 13:00:45 +1100 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200412220200.iBM20jV1022891@drugs.dv.isc.org> To: Ladislav Bodnar From: Mark Andrews In-reply-to: Your message of "Wed, 22 Dec 2004 09:52:01 +0800." <200412220952.01107.distro.watch@msa.hinet.net> Date: Wed, 22 Dec 2004 13:00:45 +1100 Sender: Mark_Andrews@isc.org cc: stable@freebsd.org Subject: Re: PHP vulnerability and portupgrade X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Dec 2004 02:00:50 -0000 > On Wednesday 22 December 2004 09:06, Mark Andrews wrote: > > > Hello, > > > > > > Due to the recently discovered vulnerability in PHP versions older than > > > 4.3.10 and 5.0.3, I decided to take a look at portupgrade to see if it > > > is a good way to keep the ports collection up-to-date with respect to > > > security issues. I ran cvsup on the security branch (tag=RELENG_5_3), > > > then portsdb -Uu. However, portupgrade didn't find any ports that > > > needed an upgrade. > > > > > > Am I doing something wrong or is portupgrade not the best tool to keep > > > up with security advisories in ports? > > > > cvsup of ports does not use tag=RELENG_5_3. > > > > e.g. > > *default host=cvsup.FreeBSD.org > > *default base=/usr > > *default prefix=/usr > > *default release=cvs > > *default delete use-rel-suffix > > *default tag=. > > ports-all > > > > Use portaudit to track security issues in ports. > > Thanks a lot for your reply. If I understand things correctly, I need to > maintain two cvsup files - one that tracks security issues in the base > FreeBSD 5.3 system (tag=RELENG_5_3, src-all) and one for the ports > collection (tag=. , ports-all). Then every time I receive a FreeBSD > security advisory I run cvsup on the former, and every time portaudit tells > me about a new security issue in the ports collection, I run cvsup on the > latter, then use portupgrade to upgrade vulnerable ports. > > Is this correct? Essentually. When you install portaudit it will be run as part of the daily periodic jobs provided the FreeBSD version is new enough (which 5.3 is). How you treat each reported issue is up to you. Some do not have a fix yet. You need to decide if you can live with vulnerability or not. > I went through the security chapter of the FreeBSD handbook, but I found it > disappointing that it doesn't explain how to keep a FreeBSD system > up-to-date of security issues. Also, "The Complete FreeBSD" book by Greg > Lehey doesn't even mention the existence of portaudit. > > Thanks again :-) > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org