From: Greg Byshenk
To: freebsd-ports@freebsd.org
Date: Sat, 24 Nov 2012 14:55:07 -0800
Subject: Re: Opera vulnerability, marked forbidden instead of update?
Message-ID: <20121124225507.GD12528@portland1.byshenk.net>

On Fri, 23 Nov 2012 09:00:59 +0000 Matthew Seaman wrote:
> On 23/11/2012 08:26, Matthieu Volat wrote:
> > I've noticed that www/opera was marked FORBIDDEN because of a security hole:
> > http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
> >
> > The opera software company advisory indeed marks this bug as high severity,
> > and mentions that there is an update to fix it.
> >
> > I am not familiar with the security process in ports, but would not it be
> > better to update the version? Marking it FORBIDDEN does not do much for the
> > userbase that does already have it installed.
> >
> > I've bumped the versions in the Makefile
> > OPERA_VER?= 12.11
> > OPERA_BUILD?= 1661
> > and made a `make makesum reinstall`, there was no apparent problem.
>
> Marking a port 'FORBIDDEN' is a quick response measure that can be done
> without having to worry about time-consuming testing of the port and so
> forth. It's an interim measure taken to ensure that users do not
> unwittingly install software with known vulnerabilities.
>
> Yes, updating the port to a non-vulnerable version is the ideal
> response, but that may not be possible to do straight away. You've
> sketched out the first couple of steps a port maintainer would take, but
> that 'there was no apparent problem' statement would need to be backed
> up by some more rigorous testing before a maintainer would feel
> confident in committing the update.

Just a comment that, for any USERS who would like to take a chance with
updating their Opera (rather than taking a chance running the vulnerable
version), just modifying the Makefile as described above works to provide
the update.

I've updated www/opera and www/opera-linuxplugins, and my new Opera is
running fine:

   About Opera
   Version information
     Version   12.11
     Build     1661
     Platform  FreeBSD
     System    amd64, 8.3-STABLE

-- 
greg byshenk - gbyshenk@byshenk.net - Leiden, NL - Portland, OR USA