Date:      Thu, 16 Oct 2014 12:30:43 +0000 (UTC)
From:      Alex Kozlov <ak@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r45838 - head/en_US.ISO8859-1/books/porters-handbook/security
Message-ID:  <201410161230.s9GCUhSN001889@svn.freebsd.org>

Author: ak (ports committer)
Date: Thu Oct 16 12:30:42 2014
New Revision: 45838
URL: https://svnweb.freebsd.org/changeset/doc/45838

Log:
  - Document modern way to work with vulnerability database
  - Do some rewording, remove "you" and "your" where possible (special thanks to wblock)
  
  Reviewed by:	mat, wblock
  Approved by:	mat, wblock
  
  Differential Revision:	https://reviews.freebsd.org/D941

Modified:
  head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml	Thu Oct 16 09:02:51 2014	(r45837)
+++ head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml	Thu Oct 16 12:30:42 2014	(r45838)
@@ -114,16 +114,14 @@
 	also monitor it for issues requiring their
 	intervention.</para>
 
-      <!-- XXX: Too much "you" in there -->
-      <para>If you have committer rights you can update the VuXML
-	database by yourself.  So you will both help the Security
-	Officer Team and deliver the crucial information to the
-	community earlier.  However, if you are not a committer, or
-	you believe you have found an exceptionally severe
-	vulnerability please do not hesitate to contact the Security
-	Officer Team directly as described on the
-	<link xlink:href="http://www.freebsd.org/security/#how">&os;
-	  Security Information</link> page.</para>
+      <para>Committers can update the <acronym>VuXML</acronym>
+	database themselves, assisting the Security Officer Team
+	and delivering crucial information to the community more
+	quickly.  Those who are not committers or have discovered
+	an exceptionally severe vulnerability should not hesitate
+	to contact the Security Officer Team directly, as described
+	on the <link xlink:href="http://www.freebsd.org/security/#how">;
+	  &os; Security Information</link> page.</para>
 
       <para>The VuXML database is an <acronym>XML</acronym> document.
 	Its source file <filename>vuln.xml</filename> is kept right
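Review bot: the new `<link xlink:href="http://www.freebsd.org/security/#how">` opening tag is followed by a stray `;` after its closing `>`; if that character is in the committed file rather than an artifact of the archive rendering, it will show up as a literal semicolon in the rendered sentence before "FreeBSD Security Information", so drop it. Minor wording point on the same paragraph: "Those who are not committers or have discovered an exceptionally severe vulnerability" can be read as one group; "Those who are not committers, or who believe they have found an exceptionally severe vulnerability," keeps the two cases of the replaced text distinct.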
@@ -412,38 +410,19 @@
       <title>Testing Changes to the VuXML Database</title>
 
       <para>This example describes a new entry for a
-	vulnerability in the package <literal>clamav</literal> that
-	has been fixed in version <literal>0.65_7</literal>.</para>
+	vulnerability in the package <literal>dropbear</literal> that
+	has been fixed in version <literal>dropbear-2013.59</literal>.</para>
 
       <para>As a prerequisite,
-	<emphasis>install</emphasis> fresh versions of the ports
-	<package role="port">ports-mgmt/portaudit</package>,
-	<package role="port">ports-mgmt/portaudit-db</package>, and
-	<package role="port">security/vuxml</package>.</para>
-
-      <note>
-	<para>The user running <command>packaudit</command> must have
-	  permission to write to its <filename>DATABASEDIR</filename>,
-	  typically <filename>/var/db/portaudit</filename>.</para>
-
-	<para>To use a different directory, set the
-	  <varname>DATABASEDIR</varname> environment variable to a
-	  different location.</para>
-
-	<para>If working in a directory other than
-	  <filename>${PORTSDIR}/security/vuxml</filename>, set the
-	  <varname>VUXMLDIR</varname> environment variable to the
-	  directory where <filename>vuln.xml</filename> is
-	  located.</para>
-      </note>
+	install a fresh version of
+	<package role="port">security/vuxml</package> port.</para>
 
       <para>First, check whether there already is an entry for this
 	vulnerability.  If there were such an entry, it would match
 	the previous version of the package,
-	<literal>0.65_6</literal>:</para>
+	<literal>2013.58</literal>:</para>
 
-      <screen>&prompt.user; <userinput>packaudit</userinput>
-&prompt.user; <userinput>portaudit clamav-0.65_6</userinput></screen>
+      <screen>&prompt.user; <userinput>pkg audit dropbear-2013.58</userinput></screen>
 
       <para>If there is none found, add a
 	new entry for this vulnerability.</para>
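Review bot: the first check now runs `pkg audit dropbear-2013.58` with no `-f`, so it consults pkg's own downloaded vulnerability database rather than the checked-out vuln.xml that the later steps pass with `-f`; the text should say which database this step uses and that it must be current, since the removed `<note>` about DATABASEDIR and VUXMLDIR was the only place that explained where the data comes from. Two smaller points: "install a fresh version of <package role="port">security/vuxml</package> port" is missing an article ("of the ... port"), and "fixed in version <literal>dropbear-2013.59</literal>" puts the package name inside the version while the next paragraph calls the previous version <literal>2013.58</literal>; pick one form.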
@@ -461,21 +440,10 @@
 	  <package role="port">textproc/jade</package>.</para>
       </note>
 
-      <para>Now rebuild the <command>portaudit</command> database from
-	the VuXML file:</para>
-
-      <screen>&prompt.user; <userinput>packaudit</userinput></screen>
-
-      <para>To verify that the <literal>&lt;affected&gt;</literal>
-	section of the entry will match the correct package(s), issue this
-	command:</para>
+      <para>Verify that the <literal>&lt;affected&gt;</literal>
+	section of the entry will match the correct packages:</para>
 
-      <screen>&prompt.user; <userinput>portaudit -f /usr/ports/INDEX -r <replaceable>uuid</replaceable></userinput></screen>
-
-      <note>
-	<para>Please refer to &man.portaudit.1; for better
-	  understanding of the command syntax.</para>
-      </note>
+      <screen>&prompt.user; <userinput>pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58</userinput></screen>
 
       <para>Make sure that the entry produces no spurious matches in
 	the output.</para>
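Review bot: the replacement command types `${PORTSDIR}/security/vuxml/vuln.xml` inside `<userinput>`, but `PORTSDIR` is a make variable that is not normally set in the user's shell, so the command fails when copied verbatim; the removed line used the literal `/usr/ports/INDEX`, and the removed note in the earlier hunk marked `${PORTSDIR}/security/vuxml` as a `<filename>` rather than something typed, so either use `/usr/ports/security/vuxml/vuln.xml` here or wrap the path in `<replaceable>`. The same applies to the matching `pkg audit -f` command in the next hunk.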
@@ -483,22 +451,18 @@
       <para>Now check whether the right package versions are matched
 	by the entry:</para>
 
-      <screen>&prompt.user; <userinput>portaudit clamav-0.65_6 clamav-0.65_7</userinput>
-Affected package: clamav-0.65_6 (matched by clamav&lt;0.65_7)
-Type of problem: clamav remote denial-of-service.
-Reference: &lt;http://www.freebsd.org/ports/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html&gt;
+      <screen>&prompt.user; <userinput>pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-201
+3.58 dropbear-2013.59</userinput>
+dropbear-2012.58 is vulnerable:
+dropbear -- exposure of sensitive information, DoS
+CVE: CVE-2013-4434
+CVE: CVE-2013-4421
+WWW: http://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html
 
-1 problem(s) found.</screen>
+1 problem(s) in the installed packages found.</screen>
 
       <para>The former version matches while the latter one
 	does not.</para>
-
-      <para>Finally, verify whether the web page generated from the
-	VuXML database looks like expected:</para>
-
-      <screen>&prompt.user; <userinput>mkdir -p ~/public_html/portaudit</userinput>
-&prompt.user; <userinput>packaudit</userinput>
-&prompt.user; <userinput>lynx ~/public_html/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html</userinput></screen>
     </sect2>
   </sect1>
 </chapter>
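Review bot: the sample output does not match the command: the command audits `dropbear-2013.58`, but the output line reads `dropbear-2012.58 is vulnerable:`, so one of the two years is a typo and the output should name the package that was actually passed. The `<userinput>` is also split mid-argument across two source lines (`dropbear-201` / `3.58`), which renders as a line break inside the package name in the `<screen>`; join it onto one line, as the replaced `portaudit` example was. Finally, the closing web-page check (`mkdir -p ~/public_html/portaudit` ... `lynx ...html`) is removed with no replacement; if there is no current equivalent, a one-line note that the generated page is no longer verified locally would stop readers looking for that step.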
