Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 21 May 2005 09:58:17 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Robert S <robert.spam.me.senseless@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: portaudit: recommended packages can't be installed
Message-ID:  <20050521165817.GA19062@xor.obsecurity.org>
In-Reply-To: <7093dffb05052106296c487773@mail.gmail.com>
References:  <7093dffb05052106296c487773@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

[-- Attachment #1 --]
On Sat, May 21, 2005 at 01:29:11PM +0000, Robert S wrote:
> 8I've just started playing around with FreeBSD.  One of my main
> priorities of an OS is ease of upgrading.  If I run portaudit, I get a
> list of insecure packages (here is an excerpt from the output):
> 
> Affected package: firefox-1.0.3,1
> Type of problem: mozilla -- code execution via javascript: IconURL
> vulnerability.
> Reference: <http://www.FreeBSD.org/ports/portaudit/eca6195a-c233-11d9-804c-02061b08fc24.html>;
> 
> Affected package: kdelibs-3.4.0_1
> Type of problem: kdelibs -- kimgio input validation errors.
> Reference: <http://www.FreeBSD.org/ports/portaudit/06404241-b306-11d9-a788-0001020eed82.html>;
> 
> 4 problem(s) in your installed packages found.
> 
> You are advised to update or deinstall the affected package(s) immediately.
> freebsd #
> 
> If I try to replace kdelibs with a binary package, or install it
> through ports (after doing a cvsup), I still get verion 3.4.0_1.
> 
> Are fixes not necessarily made available when security vulnerabilities
> are found?

Not instantly, of course..and in some cases they are not fixed for a
long time.  The third party software in the ports collection is
maintained to different standards depending on the project.  If you
have questions, you should contact those third party developers.

> Also -- is there a similar utility to portaudit and freebsd-update,
> that can be used on the base operating system (not through ports)?

freebsd update works on the base system.

Kris
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCj2ipWry0BWjoQKURAnmpAKD5a0g6LceUqGDsXzTaxR+rMyFJlwCcC0ze
ubYBEQHJYMGgD6YfAdjbFuo=
=fCnG
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050521165817.GA19062>