Date:      Wed, 22 Dec 2004 09:52:01 +0800
From:      Ladislav Bodnar <distro.watch@msa.hinet.net>
To:        stable@freebsd.org
Subject:   Re: PHP vulnerability and portupgrade
Message-ID:  <200412220952.01107.distro.watch@msa.hinet.net>
In-Reply-To: <200412220106.iBM16JlF080958@drugs.dv.isc.org>
References:  <200412220106.iBM16JlF080958@drugs.dv.isc.org>

On Wednesday 22 December 2004 09:06, Mark Andrews wrote:
> > Hello,
> >
> > Due to the recently discovered vulnerability in PHP versions older than
> > 4.3.10 and 5.0.3, I decided to take a look at portupgrade to see if it
> > is a good way to keep the ports collection up-to-date with respect to
> > security issues. I ran cvsup on the security branch (tag=RELENG_5_3),
> > then portsdb -Uu. However, portupgrade didn't find any ports that
> > needed an upgrade.
> >
> > Am I doing something wrong or is portupgrade not the best tool to keep
> > up with security advisories in ports?
>
>  cvsup of ports does not use tag=RELENG_5_3.
>
>  e.g.
>   *default  host=cvsup.FreeBSD.org
>   *default  base=/usr
>   *default  prefix=/usr
>   *default  release=cvs
>   *default  delete use-rel-suffix
>   *default  tag=.
>   ports-all
>
>  Use portaudit to track security issues in ports.

Thanks a lot for your reply. If I understand things correctly, I need to 
maintain two cvsup files - one that tracks security issues in the base 
FreeBSD 5.3 system (tag=RELENG_5_3, src-all) and one for the ports 
collection (tag=. , ports-all). Then every time I receive a FreeBSD 
security advisory I run cvsup on the former, and every time portaudit tells 
me about a new security issue in the ports collection, I run cvsup on the 
latter, then use portupgrade to upgrade vulnerable ports.

Is this correct?

I went through the security chapter of the FreeBSD handbook, but I found it 
disappointing that it doesn't explain how to keep a FreeBSD system 
up-to-date on security issues. Also, "The Complete FreeBSD" book by Greg 
Lehey doesn't even mention the existence of portaudit.

Thanks again :-)
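The two-supfile workflow described in this reply, written out as an added example (not code from the thread or from the FreeBSD project): the ports tree is tracked with tag=., portaudit decides which installed ports are affected, and only those are passed to portupgrade. The supfile paths are assumptions, and the portaudit output is a constructed sample so the parsing can be checked without a live system.

```shell
#!/bin/sh
# Added example, not from the thread. Two supfiles are assumed:
#   /etc/src-supfile   -> tag=RELENG_5_3, src-all   (base system, security branch)
#   /etc/ports-supfile -> tag=.,          ports-all (ports tree, HEAD)
SRC_SUPFILE=/etc/src-supfile      # assumed path
PORTS_SUPFILE=/etc/ports-supfile  # assumed path

# Pull package names out of portaudit's "Affected package:" lines, e.g.
#   Affected package: php4-4.3.9 (matched by php4<4.3.10)
# A port with several problems is listed once per problem, so deduplicate.
affected_pkgs() {
    sed -n 's/^Affected package: \([^ ]*\).*/\1/p' | sort -u
}

# Constructed sample of "portaudit -a" output (two problems for one port),
# used only to exercise the parser offline.
SAMPLE_AUDIT='Affected package: php4-4.3.9 (matched by php4<4.3.10)
Type of problem: constructed sample entry.
Reference: <http://example.invalid/advisory-PLACEHOLDER-1>

Affected package: php4-4.3.9 (matched by php4<4.3.10)
Type of problem: constructed sample entry.
Reference: <http://example.invalid/advisory-PLACEHOLDER-2>

2 problem(s) in your installed packages found.'

sample_affected() {
    printf '%s\n' "$SAMPLE_AUDIT" | affected_pkgs
}

# Base system: after a FreeBSD security advisory, refresh the RELENG_5_3 sources.
fetch_base_sources() {
    cvsup -g -L 2 "$SRC_SUPFILE"
}

# Ports: refresh the vulnerability database, find affected installed ports,
# update the ports tree and its index, then upgrade only those ports.
upgrade_vulnerable_ports() {
    portaudit -F
    pkgs=$(portaudit -a | affected_pkgs)
    if [ -z "$pkgs" ]; then
        echo "no vulnerable ports installed"
        return 0
    fi
    cvsup -g -L 2 "$PORTS_SUPFILE"
    portsdb -Uu
    portupgrade $pkgs
}
```

Run upgrade_vulnerable_ports as root after portaudit reports a new issue; fetch_base_sources is the separate step for base-system advisories.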