From: Jacques Vidrine
Date: Mon, 11 Oct 2004 10:57:21 -0500
To: noackjr@alumni.rice.edu
Cc: FreeBSD Current, Dick Davies
Subject: Re: ports freeze and portaudit alerts
Message-Id: <3C6639CE-1B9E-11D9-BA01-000A95BC6FAE@FreeBSD.org>
In-Reply-To: <4169A79B.7090009@alumni.rice.edu>

On Oct 10, 2004, at 4:20 PM, Jon Noack wrote:

> On 10/10/04 15:43, Dick Davies wrote:
>> But I'm a little alarmed by the pre 5.3 release ports freeze -
>> portaudit has flagged an awful lot of packages as having holes and
>> refused to install them. Off the top of my head: mozilla, cups (and
>> therefore most of kde) and firefox/bird. Shouldn't serious bugs (like
>> the JPEG vuln in firefox for example) override the freeze?
>
> The Mozilla/Firefox ports have been updated with patches to resolve
> the security issues. See the latest commits for more info:
> http://www.freshports.org/www/mozilla
> http://www.freshports.org/www/firefox
>
> It seems the real issue for Mozilla/Firefox is that the VuXML document
> was not updated to reflect the patches being applied to the older
> versions (see http://www.vuxml.org/freebsd/index.html). Usually the
> versioning for the VuXML document is done with the assumption that
> issues will be resolved by updating to the latest version available
> from the vendor. Under a ports freeze this assumption is not correct.
> I've CC'ed nectar@ for this reason. Once this document is updated
> then portaudit will no longer flag them.

I'm afraid your assumption is not correct, Jon. Some of the Mozilla etc.
vulnerabilities described in the VuXML document have been fixed by
back-porting the fixes, but not all of them. The contents of the VuXML
document are correct in this case, AFAIK.

I supplied the fixes for the most critical issues, and those were applied
by Joe. I'm afraid I did not/do not have time to back-port and test the
scripting fixes as well.

It was my recommendation that the ports be upgraded to the latest release
before 5.3, but Joe reports that the latest release of Mozilla etc. causes
build problems in other dependent ports. (This is why I went through the
trouble of back-porting the most critical fixes.)

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org