Date: Fri, 03 Jul 2015 14:36:05 +0100 From: Matthew Seaman <matthew@FreeBSD.org> To: David Wolfskill <david@catwhisker.org>, freebsd-ports@FreeBSD.org Subject: Re: Please help un-confuse me about vuxml Message-ID: <55968FC5.5010503@FreeBSD.org> In-Reply-To: <20150703130103.GM1472@albert.catwhisker.org> References: <20150703130103.GM1472@albert.catwhisker.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --3X7c0nWuvFbqMleCnvTNGGnaCei1apn9m Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 2015/07/03 14:01, David Wolfskill wrote: > And that combination of things catalyzed this note. >=20 > Here's what I'm seeing: > - There is a claim that the port to which I was trying to update was > "vulnerable" per vuxml. vuxml currently states that netpbm versions /less than/ 10.35.96 are vulnerable, and has done since about 48h ago. Given that the latest available version of netpbm is now 10.35.96 (committed at right about the same time as the vuxml update) you should be able to upgrade to that without problems. No idea why portmaster is getting this wrong. > - The vuxml entry effectively required human intervention to update > the port. > > - The most recent update to the port itself claimed that it had a > fix to address said vulnerability. (This gives one reason to > wonder why *this* version of the port had a vuxml entry, then.) This is what the vuxml says: <package> <name>netpbm</name> <range><lt>10.35.96</lt></range> </package> Which means that 10.35.95 or anything earlier is vulnerable, but 10.35.96 and above is not. > - I had no feasible way to have a clue about any of this until the > artificial failure disrupted the usual update process. For a second opinion on what vulnerabilities you may have, try 'pkg audit -F' (which will work just fine no matter if you're installing pre-compiled pkgs or building your own from ports). > - As far as I can tell, there was no value in the existence of the vuxm= l > entry for this port under these circumstances. Rather, it was merely= > annoying and disruptive, for no gain whatsoever. There wasn't even a= n > UPDATING entry to warn a person about what was going on. There's no requirement that a fixed version be available from ports before vuxml gets updated. Quite the opposite in fact. Admins should be informed if they are running vulnerable software so they can take some sort of ameliorative action even if the official fix is not yet published. Why would you expect an UPDATING entry here? Documenting every vulnerability in the ports isn't what UPDATING is for. Only if the way you would need to fix the vulnerability involved doing more than a simple upgrade would that be legitimate UPDATING territory. > So... what am I missing? How is a vuxml entry for ports/graphics/netpb= m > @r391058 that claims it's vulnerable per CVE-2015-3885 useful or > helpful? A vuxml entry in general tells you what is vulnerable and gives you the chance to do something about it -- even if what you do is to consider the nature of the vulnerability and decide that it's an acceptable risk in your environment and so simply ignore it -- rather than the alternative of discovering there was a vulnerability because your machine has now been compromised... Another response (for the sufficiently paranoid) might have been to delete the vulnerable package and do without it until the fix was availab= le. Although I have no idea why that particular version of netpbm was being flagged as vulnerable for you. Cheers, Matthew --3X7c0nWuvFbqMleCnvTNGGnaCei1apn9m Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQJ8BAEBCgBmBQJVlo/NXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxOUYxNTRFQ0JGMTEyRTUwNTQ0RTNGMzAw MDUxM0YxMEUwQTlFNEU3AAoJEABRPxDgqeTnvWEQAIc4WyRfxMJQc9oXPJdUNzHG sTz+7A+gHfmqriYXPSzVyCwev7Og7BNazSdvwjlnz1zh4Y7FS7q5jx8NYqesW1wy l23tZ8E4AQ3LUpT/vrVHvPFQZQRZVkXWoN4JjWEPqTdYaOs+WwtED+TJh59rTeUR DitdmZQ1mmEh61CYq+Wt/t7U8sZXIx8IDhGj/Qudw4RkKpgpmdQaokEUaG5FL3gK +6D1A1haSp4xZlgXXXqz7nXM8pqzgm6ZcmBmwjqjwEv8UiJIQGgVDYkPz+pJxt8U BOM9O1KYb1mbeASysg7wXO5R6wB8eUt3d6LM4EhWJoKpRwvR8m7AhZ0Qm6ZiiRRZ H7unf+m60er7fDA85YOxY1ZDptPqJ/QLU5tM2XizBKLzhKQG6HI8XxFD+QG5cK13 5ys4zOxqId2PawVDsp1rwG6fLpc0o5TUFTp9ukadKFlGpZhX0oJTS3ez2MQNf3hb ye2Fke4+/gQIYp3z99pS2bkSso0gx8CB5rBpINdfm1nsbYJWls4Nokr+oYufJPCT RZtNtkSSKqsqdNYUcbK87Pc8JqbaFh44lrS8YOyjzewD4QAvUr2GAwcuFhBT5d9B KNL2AYyf4Z7k+o/lyKozZ6fjxYTteJXHmSyVZKXBG2c/QkzzdBBHmnDX1JzJ9RUN D4apd3rwx/zgJ/lchDXG =j11y -----END PGP SIGNATURE----- --3X7c0nWuvFbqMleCnvTNGGnaCei1apn9m--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55968FC5.5010503>