From owner-freebsd-stable@FreeBSD.ORG  Wed Dec 22 02:00:49 2004
Message-Id: <200412220200.iBM20jV1022891@drugs.dv.isc.org>
To: Ladislav Bodnar <distro.watch@msa.hinet.net>
From: Mark Andrews <Mark_Andrews@isc.org>
In-reply-to: Your message of "Wed, 22 Dec 2004 09:52:01 +0800."
             <200412220952.01107.distro.watch@msa.hinet.net> 
Date: Wed, 22 Dec 2004 13:00:45 +1100
Sender: Mark_Andrews@isc.org
cc: stable@freebsd.org
Subject: Re: PHP vulnerability and portupgrade 
List-Id: Production branch of FreeBSD source code
	<freebsd-stable.freebsd.org>


> On Wednesday 22 December 2004 09:06, Mark Andrews wrote:
> > > Hello,
> > >
> > > Due to the recently discovered vulnerability in PHP versions older than
> > > 4.3.10 and 5.0.3, I decided to take a look at portupgrade to see if it
> > > is a good way to keep the ports collection up-to-date with respect to
> > > security issues. I ran cvsup on the security branch (tag=RELENG_5_3),
> > > then portsdb -Uu. However, portupgrade didn't find any ports that
> > > needed an upgrade.
> > >
> > > Am I doing something wrong or is portupgrade not the best tool to keep
> > > up with security advisories in ports?
> >
> >  cvsup of ports does not use tag=RELENG_5_3.
> >
> >  e.g.
> >   *default  host=cvsup.FreeBSD.org
> >   *default  base=/usr
> >   *default  prefix=/usr
> >   *default  release=cvs
> >   *default  delete use-rel-suffix
> >   *default  tag=.
> >   ports-all
> >
> >  Use portaudit to track security issues in ports.
> 
> Thanks a lot for your reply. If I understand things correctly, I need to 
> maintain two cvsup files - one that tracks security issues in the base 
> FreeBSD 5.3 system (tag=RELENG_5_3, src-all) and one for the ports 
> collection (tag=. , ports-all). Then every time I receive a FreeBSD 
> security advisory I run cvsup on the former, and every time portaudit tells 
> me about a new security issue in the ports collection, I run cvsup on the 
> latter, then use portupgrade to upgrade vulnerable ports.
> 
> Is this correct?

	Essentially.  When you install portaudit it will be run as
	part of the daily periodic jobs provided the FreeBSD version
	is new enough (which 5.3 is).

	How you treat each reported issue is up to you.  Some do not
	have a fix yet.  You need to decide if you can live with the
	vulnerability or not.
 
> I went through the security chapter of the FreeBSD handbook, but I found it 
> disappointing that it doesn't explain how to keep a FreeBSD system 
> up to date on security issues. Also, "The Complete FreeBSD" book by Greg 
> Lehey doesn't even mention the existence of portaudit.
> 
> Thanks again :-)
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
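The two-supfile setup the exchange settles on, as an added example that is not part of the original thread: one supfile tracks the base system on the RELENG_5_3 security branch, the other tracks ports with tag=., and a small lint catches the mistake in the original question (ports-all paired with a release tag, which leaves the ports tree stale). The directory the supfiles are written to is a constructed temporary path, and the cvsup/portaudit/portupgrade commands appear only as comments.

```shell
#!/bin/sh
# Added example (not from the thread). Writes the two supfiles described in the
# exchange into $WORK (a constructed temp dir) and lints them.
WORK=${WORK:-$(mktemp -d)}

write_supfiles() {
    # Base system: follow the installed release's security branch.
    cat > "$WORK/src-supfile" <<'EOF'
*default host=cvsup.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_5_3
*default delete use-rel-suffix compress
src-all
EOF
    # Ports: there is no RELENG_* branch for the ports tree, so tag must be "."
    cat > "$WORK/ports-supfile" <<'EOF'
*default host=cvsup.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix compress
ports-all
EOF
}

# lint_supfile FILE: prints "FILE: ok" and returns 0 when each collection is
# paired with a sensible tag; otherwise prints the problem and returns 1.
lint_supfile() {
    tag=$(sed -n 's/^\*default .*tag=\([^ ]*\).*/\1/p' "$1" | tail -n 1)
    collections=$(grep -v '^\*default' "$1" | grep -v '^[[:space:]]*$' || true)
    for c in $collections; do
        case "$c" in
            ports-*)
                if [ "$tag" != "." ]; then
                    echo "$1: $c with tag=$tag; ports has no release branches, use tag=."
                    return 1
                fi ;;
            src-*)
                if [ "$tag" = "." ]; then
                    echo "$1: $c with tag=.; this is not the RELENG_5_3 security branch"
                    return 1
                fi ;;
        esac
    done
    echo "$1: ok"
}

# Routine the thread describes (run manually, commented out so the file is inert):
#   cvsup -g -L 2 "$WORK/src-supfile"      # after a FreeBSD security advisory
#   cvsup -g -L 2 "$WORK/ports-supfile"    # when portaudit reports a vulnerable port
#   portaudit -Fda && portupgrade <vulnerable-port>
```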