From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: pkg audit and port upgrades
Date: Thu, 15 Sep 2016 11:48:41 +0100
In-Reply-To: <7c6f67b1-422d-bdd7-18aa-7aac6da13e90@micite.net>
On 15/09/2016 10:58, Roland van Laar via freebsd-questions wrote:
> My question: How do I know if a vulnerable port has had an update?
>
> I get daily emails from pkg audit telling me about vulnerabilities in my
> ports.
> Today it was curl, but the latest curl hasn't yet had an update.
>
> I update the ports tree and rebuild my ports.
> Only to notice during the build that it stops the build because the port
> is still vulnerable.
>
> => Please update your ports tree and try again.
> => Note: Vulnerable ports are marked as such even if there is no update
> available.
> => If you wish to ignore this vulnerability rebuild with 'make
> DISABLE_VULNERABILITIES=yes'
> *** Error code 1
>
> Is there a way to know before I build my ports to know if there is a
> vulnerability?

Yeah -- it's relatively easy to see where there are updates available
for existing and vulnerable packages. You just need to calculate the
intersection between two lists:

1) All of the packages installed on your system with known
vulnerabilities, generated by eg.

   pkg audit -q

2) All of the packages on your system with available updates, generated
by eg.

   pkg version -vRL=

The 'R' option means 'use the repository catalogue' -- if you're going
to be building locally from ports you might want to substitute 'I' (use
the ports INDEX -- but be sure this is up to date) or 'P' (use the ports
tree directly -- this is accurate, but slow.)

Working out if the latest available version of a package is still
vulnerable -- that's another story. pkg-audit(8) doesn't accept a
package name + version to test if that particular version is vulnerable.
That would make a good addition to its functionality.

What's left? You can check the database pkg-audit(8) uses, which can be
found in /var/db/pkg/vuln.xml. Not that XML is particularly friendly for
traditional shell scripting. Given there's usually only a few vulnerable
packages on a system at any one time, manually comparing against the
versions given there might be feasible. Or use the rendered output from
https://vuxml.freebsd.org/freebsd/index.html

Cheers,

Matthew
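The two-list intersection the reply describes, written out as a POSIX sh script. This is an added example and not code from the thread or from pkg itself. The two sample outputs embedded in it are constructed (the package names and version numbers are made up for illustration); on a real FreeBSD host you would feed the functions the live output of `pkg audit -q` and `pkg version -vRL=` instead. For each package that is both vulnerable and has a newer version in the repository it also prints the version the repository offers, which is the number to compare against the <range> in /var/db/pkg/vuln.xml (or the rendered page at vuxml.freebsd.org) before assuming the update actually closes the advisory. The `-vRL=` output format assumed here is the usual "name-version   <   needs updating (remote has X)" layout; lines with status "?" (orphaned) or ">" (newer than the repository) are not updates and are skipped.

```shell
#!/bin/sh
# Added example, not part of the original message. Computes the intersection
# of the vulnerable-package list and the updatable-package list from the
# reply, and reports the repository version for each hit.
#
#   pkg audit -q        -> vulnerable installed packages, one name-version per line
#   pkg version -vRL=   -> installed packages whose version differs from the repo
#
# Both inputs below are CONSTRUCTED sample output so the script runs offline;
# the names and version numbers are made up.

SAMPLE_AUDIT='curl-7.50.1
libressl-2.4.1
perl5-5.24.1'

SAMPLE_VERSION='curl-7.50.1                        <   needs updating (remote has 7.50.2)
perl5-5.24.1                       <   needs updating (remote has 5.24.2)
sudo-1.8.17p1                      <   needs updating (remote has 1.8.18)
local-thing-1.0                    ?   orphaned: misc/local-thing'

# Strip the trailing "-version" from a name-version string on stdin.
pkg_name() { sed 's/-[^-]*$//'; }

# From "pkg audit -q" output on stdin: vulnerable package names, unique.
vulnerable_names() { pkg_name | sort -u; }

# From "pkg version -vRL=" output on stdin: names of packages for which the
# repository has a NEWER version (status column "<"). "?" and ">" lines are
# not updates and are dropped.
updatable_names() { awk '$2 == "<" { print $1 }' | pkg_name | sort -u; }

# Intersection of the two lists. Each list is already unique, so a name that
# appears twice in the concatenation is present in both.
#   $1 = pkg audit -q output, $2 = pkg version -vRL= output
vulnerable_with_update() {
    { printf '%s\n' "$1" | vulnerable_names
      printf '%s\n' "$2" | updatable_names; } | sort | uniq -d
}

# For each hit print "name installed-version -> repository-version"; the
# repository version is what you look up in vuln.xml / vuxml.freebsd.org.
report_candidates() {
    for name in $(vulnerable_with_update "$1" "$2"); do
        printf '%s\n' "$2" | awk -v n="$name" '
            $2 == "<" {
                p = $1; sub(/-[^-]*$/, "", p)
                if (p == n) {
                    cur = substr($1, length(n) + 2)   # text after "name-"
                    new = $NF; sub(/\)$/, "", new)    # "7.50.2)" -> "7.50.2"
                    print n, cur, "->", new
                }
            }'
    done
}

# Real usage on a FreeBSD host would be:
#   report_candidates "$(pkg audit -q)" "$(pkg version -vRL=)"
report_candidates "$SAMPLE_AUDIT" "$SAMPLE_VERSION"
```

With the constructed data the script reports curl and perl5 only: libressl is vulnerable but the repository has nothing newer, and sudo has an update but no open advisory. The last step, deciding whether 7.50.2 is outside the vulnerable range, is still the manual check against vuln.xml that the reply describes.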