From: Matthias Andree <matthias.andree@gmx.de>
Date: Mon, 13 Dec 2010 02:41:18 +0100
To: freebsd-ports@freebsd.org
Subject: Re: Security updates for packages?
Message-ID: <4D0579BE.3000502@gmx.de>

On 12.12.2010 21:28, Kevin Kreamer wrote:
> Hi,
>
> Having not used FreeBSD for several years, I did a fresh install yesterday
> of 8.1-RELEASE, and then used pkg_add -r to install several packages. I
> then came across portaudit, ran it, and it indicated that I had three
> vulnerable packages (git, ruby, and sudo). Looking at
> http://www.vuxml.org/freebsd/, it appears that these were reported in July,
> August, and September respectively.
>
> Basically, I would think a freshly installed system would not have security
> vulnerabilities from months prior. Is that an erroneous assumption on my
> part, am I just misunderstanding something, or do I have something
> misconfigured? Do only ports get security updates, and not packages? Or is
> this related to the fact that I picked RELEASE, versus CURRENT or STABLE?

I'd advise to use portsnap to get an up to date ports tree (if you haven't
used it, run "portsnap fetch extract" for the first time, and every time you
feel like updating, you run "portsnap fetch update").

I'd also advise to install portmaster and upgrade your vulnerable ports with
that, i. e.:

portsnap fetch update  # or extract if you're bootstrapping
cd /usr/ports/ports-mgmt/portmaster
make install clean  # as root or toor or under sudo
less /usr/src/UPDATING  # check if there are relevant entries for your ports
portmaster sudo git ruby

That's it. For details, see the portsnap and portmaster manuals.

HTH

-- 
Matthias Andree
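The "check UPDATING for relevant entries" step of the procedure above, as an added shell example that is not part of this mail or of the FreeBSD tools: it assumes the ports-tree UPDATING layout (each entry headed by a "YYYYMMDD:" line and carrying an indented "AFFECTS:" line) and runs on a constructed excerpt, printing only the entries that name one of the ports about to be upgraded.

```shell
#!/bin/sh
# Added example: list the UPDATING entries that concern the ports you are
# about to upgrade, instead of paging through the whole file with less.
# Assumed layout (ports-tree UPDATING convention): each entry starts with a
# "YYYYMMDD:" line and carries an indented "AFFECTS: ..." line.

# Constructed UPDATING excerpt for the demo (not a real file).
SAMPLE_UPDATING='20101101:
  AFFECTS: users of lang/ruby18
  AUTHOR: someone@example.org

  Ruby was updated; rebuild dependent ports.

20101015:
  AFFECTS: users of devel/git
  AUTHOR: someone@example.org

  The git port changed its default options.

20100901:
  AFFECTS: users of x11/xorg
  AUTHOR: someone@example.org

  Unrelated entry that should not be shown.
'
UPDATING_FILE=$(mktemp)
trap 'rm -f "$UPDATING_FILE"' EXIT
printf '%s' "$SAMPLE_UPDATING" > "$UPDATING_FILE"

# updating_entries FILE PORT...
# Prints "DATE: AFFECTS text" for every entry whose AFFECTS line mentions
# one of PORT... (plain regex substring match, so "ruby" also hits ruby18).
updating_entries() {
    file=$1; shift
    [ $# -gt 0 ] || return 1          # refuse to match every entry
    pat=$(printf '%s|' "$@"); pat=${pat%|}
    awk -v pat="$pat" '
        /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:/ {
            date = $1; sub(/:$/, "", date); next
        }
        /^  AFFECTS:/ {
            text = $0; sub(/^  AFFECTS: */, "", text)
            if (text ~ pat) print date ": " text
        }
    ' "$file"
}

# Same port list as in the mail: only the ruby and git entries are printed.
updating_entries "$UPDATING_FILE" sudo git ruby
```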