Date: Thu, 16 Oct 2014 12:30:43 +0000 (UTC) From: Alex Kozlov <ak@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r45838 - head/en_US.ISO8859-1/books/porters-handbook/security Message-ID: <201410161230.s9GCUhSN001889@svn.freebsd.org>
Author: ak (ports committer) Date: Thu Oct 16 12:30:42 2014 New Revision: 45838 URL: https://svnweb.freebsd.org/changeset/doc/45838 Log: - Document modern way to work with vulnerability database - Do some rewording, remove "you" and "your" where possible (special thanks to wblock) Reviewed by: mat, wblock Approved by: mat, wblock Differential Revision: https://reviews.freebsd.org/D941 Modified: head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml Thu Oct 16 09:02:51 2014 (r45837) +++ head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml Thu Oct 16 12:30:42 2014 (r45838) 
@@ -114,16 +114,14 @@ also monitor it for issues requiring their intervention.</para> - <!-- XXX: Too much "you" in there --> - <para>If you have committer rights you can update the VuXML - database by yourself. So you will both help the Security - Officer Team and deliver the crucial information to the - community earlier. However, if you are not a committer, or - you believe you have found an exceptionally severe - vulnerability please do not hesitate to contact the Security - Officer Team directly as described on the - <link xlink:href="http://www.freebsd.org/security/#how">&os; - Security Information</link> page.</para> + <para>Committers can update the <acronym>VuXML</acronym> + database themselves, assisting the Security Officer Team + and delivering crucial information to the community more + quickly. Those who are not committers or have discovered + an exceptionally severe vulnerability should not hesitate + to contact the Security Officer Team directly, as described + on the <link xlink:href="http://www.freebsd.org/security/#how"> + &os; Security Information</link> page.</para> <para>The VuXML database is an <acronym>XML</acronym> document. Its source file <filename>vuln.xml</filename> is kept right 
@@ -412,38 +410,19 @@ <title>Testing Changes to the VuXML Database</title> <para>This example describes a new entry for a - vulnerability in the package <literal>clamav</literal> that - has been fixed in version <literal>0.65_7</literal>.</para> + vulnerability in the package <literal>dropbear</literal> that + has been fixed in version <literal>dropbear-2013.59</literal>.</para> <para>As a prerequisite, - <emphasis>install</emphasis> fresh versions of the ports - <package role="port">ports-mgmt/portaudit</package>, - <package role="port">ports-mgmt/portaudit-db</package>, and - <package role="port">security/vuxml</package>.</para> - - <note> - <para>The user running <command>packaudit</command> must have - permission to write to its <filename>DATABASEDIR</filename>, - typically <filename>/var/db/portaudit</filename>.</para> - - <para>To use a different directory, set the - <varname>DATABASEDIR</varname> environment variable to a - different location.</para> - - <para>If working in a directory other than - <filename>${PORTSDIR}/security/vuxml</filename>, set the - <varname>VUXMLDIR</varname> environment variable to the - directory where <filename>vuln.xml</filename> is - located.</para> - </note> + install a fresh version of + <package role="port">security/vuxml</package> port.</para> <para>First, check whether there already is an entry for this vulnerability. If there were such an entry, it would match the previous version of the package, - <literal>0.65_6</literal>:</para> + <literal>2013.58</literal>:</para> - <screen>&prompt.user; <userinput>packaudit</userinput> -&prompt.user; <userinput>portaudit clamav-0.65_6</userinput></screen> + <screen>&prompt.user; <userinput>pkg audit dropbear-2013.58</userinput></screen> <para>If there is none found, add a new entry for this vulnerability.</para> 
@@ -461,21 +440,10 @@ <package role="port">textproc/jade</package>.</para> </note> - <para>Now rebuild the <command>portaudit</command> database from - the VuXML file:</para> - - <screen>&prompt.user; <userinput>packaudit</userinput></screen> - - <para>To verify that the <literal><affected></literal> - section of the entry will match the correct package(s), issue this - command:</para> + <para>Verify that the <literal><affected></literal> + section of the entry will match the correct packages:</para> - <screen>&prompt.user; <userinput>portaudit -f /usr/ports/INDEX -r <replaceable>uuid</replaceable></userinput></screen> - - <note> - <para>Please refer to &man.portaudit.1; for better - understanding of the command syntax.</para> - </note> + <screen>&prompt.user; <userinput>pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58</userinput></screen> <para>Make sure that the entry produces no spurious matches in the output.</para> 
@@ -483,22 +451,18 @@ <para>Now check whether the right package versions are matched by the entry:</para> - <screen>&prompt.user; <userinput>portaudit clamav-0.65_6 clamav-0.65_7</userinput> -Affected package: clamav-0.65_6 (matched by clamav<0.65_7) -Type of problem: clamav remote denial-of-service. -Reference: <http://www.freebsd.org/ports/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html> + <screen>&prompt.user; <userinput>pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-201 +3.58 dropbear-2013.59</userinput> +dropbear-2012.58 is vulnerable: +dropbear -- exposure of sensitive information, DoS +CVE: CVE-2013-4434 +CVE: CVE-2013-4421 +WWW: http://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html -1 problem(s) found.</screen> +1 problem(s) in the installed packages found.</screen> <para>The former version matches while the latter one does not.</para> - - <para>Finally, verify whether the web page generated from the - VuXML database looks like expected:</para> - - <screen>&prompt.user; <userinput>mkdir -p ~/public_html/portaudit</userinput> -&prompt.user; <userinput>packaudit</userinput> -&prompt.user; <userinput>lynx ~/public_html/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html</userinput></screen> </sect2> </sect1> </chapter>
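Review bot: in the hunk at -412,+410 the new prerequisite sentence is missing an article: "install a fresh version of <package role="port">security/vuxml</package> port" should read "install a fresh version of the <package role="port">security/vuxml</package> port". The rest of the hunk reads fine; the single `pkg audit dropbear-2013.58` check is consistent with the "previous version of the package, 2013.58" wording that precedes it.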
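Review bot: in the hunk at -461,+440 the replacement command `pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58` tests the new entry against one package name only, so it cannot surface matches against unrelated packages; the unchanged sentence that follows, "Make sure that the entry produces no spurious matches in the output", no longer describes what this command checks (the removed `portaudit -f /usr/ports/INDEX -r uuid` ran the entry against the whole INDEX). Either reword that sentence to say the entry should match only the intended package, or show a command that audits a broader package list. Separately, `${PORTSDIR}` is a make(1) variable and is not normally set in a user's shell; the removed command used the literal `/usr/ports/INDEX`, so either use `/usr/ports/security/vuxml/vuln.xml` here or mark the path with `<replaceable>`.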
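Review bot: in the hunk at -483,+451 the sample output reports `dropbear-2012.58 is vulnerable:` while the command audits `dropbear-2013.58`, and the following paragraph says the former version (2013.58) matches; the output line should read `dropbear-2013.58 is vulnerable:`. In the same `<screen>`, the `<userinput>` is split mid-token across two lines (`dropbear-201` / `3.58`), which renders literally as a broken command in a verbatim element; keep the whole command on one line, `pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58 dropbear-2013.59`.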