From: Charles Ulrich <charles@idealso.com>
To: Mark Andrews
cc: stable@freebsd.org, Ladislav Bodnar
Date: Wed, 22 Dec 2004 09:46:58 -0500 (EST)
Subject: Re: PHP vulnerability and portupgrade

Mark Andrews said:

>> Thanks a lot for your reply. If I understand things correctly, I need to
>> maintain two cvsup files - one that tracks security issues in the base
>> FreeBSD 5.3 system (tag=RELENG_5_3, src-all) and one for the ports
>> collection (tag=. , ports-all). Then every time I receive a FreeBSD
>> security advisory I run cvsup on the former, and every time portaudit tells
>> me about a new security issue in the ports collection, I run cvsup on the
>> latter, then use portupgrade to upgrade vulnerable ports.
>>
>> Is this correct?
>
> Essentially. When you install portaudit it will be run as
> part of the daily periodic jobs provided the FreeBSD version
> is new enough (which 5.3 is).

Portaudit gets added to the daily periodic scripts on 4.10 also. And contrary to its name, portaudit will also watch for vulnerabilities in the base system. For example, the cvs issue from a while back showed up in my portaudit results. Thus, it's not strictly necessary to always keep your base system source up to date as long as your system is stable and you're watching the portaudit results.

--
Charles Ulrich
Ideal Solution, LLC - http://www.idealso.com
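The two-supfile setup and the "portaudit, then portupgrade" loop discussed in this thread, written out as an added shell example that is not part of the original mail or of the FreeBSD tools themselves. The cvsup host, the `/usr` prefix, the constructed portaudit output (package `php4-4.3.9_1` with a placeholder reference URL) and the helper names `write_supfiles`, `affected_packages` and `upgrade_command` are assumptions; the supfile keywords and the `cvsup`, `portaudit -Fda` and `portupgrade -R` invocations are the real syntax of those tools.

```shell
#!/bin/sh
# Added example: the two supfiles from the thread plus a small parser that
# turns portaudit's report into a portupgrade command line.

# Write the two supfiles described in the thread into directory $1:
# one tracks the 5.3 security branch of the base system, the other
# tracks the head of the ports collection (tag=.).
# Host, base and prefix are assumptions; adjust to your mirror and layout.
write_supfiles() {
    dir=$1
    cat > "$dir/src-supfile" <<'EOF'
*default host=cvsup.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_5_3
*default delete use-rel-suffix
src-all
EOF
    cat > "$dir/ports-supfile" <<'EOF'
*default host=cvsup.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix
ports-all
EOF
}

# Read portaudit output on stdin and print the affected package names,
# one per line, with the trailing "-<version>" stripped so they match
# the package glob portupgrade expects (php4-4.3.9_1 -> php4).
affected_packages() {
    sed -n 's/^Affected package: //p' | sed 's/-[^-]*$//' | sort -u
}

# Build the portupgrade command for everything portaudit flagged.
# Prints nothing when the report contains no affected packages.
upgrade_command() {
    pkgs=$(affected_packages | tr '\n' ' ')
    pkgs=${pkgs% }
    [ -n "$pkgs" ] && echo "portupgrade -R $pkgs"
    return 0
}

# Constructed sample of a portaudit -a report (not real output captured
# from a system; the reference URL is a placeholder).
SAMPLE_PORTAUDIT='Affected package: php4-4.3.9_1
Type of problem: php -- multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/PLACEHOLDER-UUID.html>

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.'

# Demonstration on the constructed sample. On a live system the flow is:
#   cvsup -g -L 2 /etc/ports-supfile && portaudit -Fda | upgrade_command
printf '%s\n' "$SAMPLE_PORTAUDIT" | upgrade_command
```

The script only prints the `portupgrade` command so you can review it before running it; the `src-supfile` side (cvsup after a FreeBSD security advisory, then rebuilding the affected part of the base system) is deliberately not automated here.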