From owner-dev-commits-doc-all@freebsd.org Fri Mar 12 12:49:51 2021
Return-Path:
Delivered-To: dev-commits-doc-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7A0305785CF for ; Fri, 12 Mar 2021 12:49:51 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4DxlyR2jfvz3nTY; Fri, 12 Mar 2021 12:49:51 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4F959180A0; Fri, 12 Mar 2021 12:49:51 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 12CCnpXS071072; Fri, 12 Mar 2021 12:49:51 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 12CCnpv1071071; Fri, 12 Mar 2021 12:49:51 GMT (envelope-from git)
Date: Fri, 12 Mar 2021 12:49:51 GMT
Message-Id: <202103121249.12CCnpv1071071@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Fernando Apesteguía
Subject: git: bf79ecf9cf - main - [phb:security] Fix vuln.xml testing procedure
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: fernape
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: bf79ecf9cf9ebb19587ac2c40f1cb4c9fab77fbe
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-doc-all@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for all branches of the doc repository
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 12 Mar 2021 12:49:51 -0000

The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/doc/commit/?id=bf79ecf9cf9ebb19587ac2c40f1cb4c9fab77fbe

commit bf79ecf9cf9ebb19587ac2c40f1cb4c9fab77fbe
Author:     Fernando Apesteguía
AuthorDate: 2021-03-11 14:47:12 +0000
Commit:     Fernando Apesteguía
CommitDate: 2021-03-12 12:45:48 +0000

[phb:security] Fix vuln.xml testing procedure

Summary:
In [[https://svnweb.freebsd.org/ports?view=revision&revision=562203|r562203]] and [[https://svnweb.freebsd.org/ports?view=revision&revision=562203|r562204]] the vuln.xml file was split by year. As stated in the commit message, `pkg(8) audit` does not support entities and hence, we need to use the vuln-flat.xml file to test changes to the port.

Test Plan:
* Try something like this:
```
$ pkg audit -f ./vuln.xml gitea-1.13.4
pkg: Syntax error while parsing vulnxml
pkg: cannot process vulnxml
```
and then:
```
$ pkg audit -f ./vuln-flat.xml gitea-1.13.4
0 problem(s) in 0 installed package(s) found.
```

After the patch:
* `igor` clean
* The documentation is rendered properly.

Reviewers: 0mp, gbe

Differential Revision: https://reviews.freebsd.org/D29219
---
 .../content/en/books/porters-handbook/security/chapter.adoc | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/documentation/content/en/books/porters-handbook/security/chapter.adoc b/documentation/content/en/books/porters-handbook/security/chapter.adoc index bdb03952e3..3a3d5b9b26 100644 --- a/documentation/content/en/books/porters-handbook/security/chapter.adoc +++ b/documentation/content/en/books/porters-handbook/security/chapter.adoc @@ -198,6 +198,14 @@ Verify its syntax and formatting: % make validate .... +The previous command generates the [.filename]#vuln-flat.xml# file. It can also +be generated with: + +[source,bash] +.... +% make vuln-flat.xml +.... + [NOTE] ==== At least one of these packages needs to be installed: package:textproc/libxml2[], package:textproc/jade[]. @@ -207,7 +215,7 @@ Verify that the `` section of the entry will match the correct package [source,bash] .... -% pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58 +% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58 .... Make sure that the entry produces no spurious matches in the output. @@ -216,7 +224,7 @@ Now check whether the right package versions are matched by the entry: [source,bash] .... -% pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58 dropbear-2013.59 +% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58 dropbear-2013.59 dropbear-2012.58 is vulnerable: dropbear -- exposure of sensitive information, DoS CVE: CVE-2013-4434
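Review bot: the paragraph added after `make validate` in the first hunk (the lines around `The previous command generates the [.filename]#vuln-flat.xml# file`) says how the flat file is produced but never says why the porter must use it instead of vuln.xml. The commit message carries the reason (`pkg audit` does not support entities, so the per-year vuln.xml fails to parse) and a one-line version of it belongs in the handbook text, e.g. "`pkg audit` cannot parse the entity-based vuln.xml, so the commands below use the flattened copy." It would also help to state that vuln-flat.xml is regenerated from vuln.xml by `make validate` (or `make vuln-flat.xml`), so the flat file has to be rebuilt after every edit to the entry before the audit commands are re-run; otherwise the audit silently tests the previous version of the entry.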
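Review bot: the second hunk (`-% pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58` to `+% pkg audit -f ${PORTSDIR}/security/vuxml/vuln-flat.xml dropbear-2013.58`) switches the path but leaves the reader with no way to recognise the failure they get if they still pass vuln.xml. The commit message already shows that output ("pkg: Syntax error while parsing vulnxml" / "pkg: cannot process vulnxml"); quoting it next to this command, with a note that it means the non-flattened file was given rather than that the new entry is malformed, would save porters from debugging the wrong thing.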
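Review bot: in the third hunk the sample output still reads "dropbear-2012.58 is vulnerable" while the changed command queries dropbear-2013.58 and dropbear-2013.59, so the example contradicts itself. Since the command line is being edited anyway, the output line should name the version actually passed (dropbear-2013.58, the one the entry is meant to match); as written the reader cannot tell which of the two queried versions produced the match, which is exactly the check this step is supposed to demonstrate.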