On Fri, Jul 25, 2014 at 5:45 AM, David Wolfskill <da...@catwhisker.org> wrote:
> /usr/ports is a working copy of head@r362876; during my daily portmaster > run to update all installed ports on my laptop, I see that libevent1 is > now replaced by libevent2. > > Apparently www/firefox had been linked against libevent, so portmaster > tries to update www/firefox (after having updated several other ports). > > That process terminates rather abrutly, however: > > ===>>> All >> firefox-30.0_1,1 (12/15) > 0;portmaster: All >> firefox-30.0_1,1 (12/15)^G > ===> Cleaning for firefox-30.0_2,1 > ===> firefox-30.0_2,1 has known vulnerabilities: > firefox-30.0_2,1 is vulnerable: > mozilla -- multiple vulnerabilities > CVE: CVE-2014-1561 > CVE: CVE-2014-1560 > CVE: CVE-2014-1559 > CVE: CVE-2014-1558 > CVE: CVE-2014-1557 > CVE: CVE-2014-1556 > CVE: CVE-2014-1555 > CVE: CVE-2014-1552 > CVE: CVE-2014-1551 > CVE: CVE-2014-1550 > CVE: CVE-2014-1549 > CVE: CVE-2014-1548 > CVE: CVE-2014-1547 > CVE: CVE-2014-1544 > WWW: > http://portaudit.FreeBSD.org/978b0f76-122d-11e4-afe3-bc5ff4fb5e7b.html > > 1 problem(s) in the installed packages found. > => Please update your ports tree and try again. > => Note: Vulnerable ports are marked as such even if there is no update > available. > => If you wish to ignore this vulnerability rebuild with 'make > DISABLE_VULNERABILITIES=yes' > *** [check-vulnerable] Error code 1 > > Stop in /common/ports/www/firefox. > *** [build] Error code 1 > > Stop in /common/ports/www/firefox. > > ===>>> make build failed for www/firefox > ===>>> Aborting update > > > As a reality check, I did take a quick look at > <http://docs.freebsd.org/mail/current/svn-ports-head.html> to see > if, perchance, there were commits to www/firefox to address those > reported vulnerabilities since r362876, but the most recent commit > I see there now is r362887 -- and none of the commits since r362876 > is about/for www/firefox (or anything related, AFAICT). > > So I'm left wondering how this is actually useful: I'm left with a copy > of firefox installed (more or less) that has known vulnerabilities and > is broken (since it's still linked against a library that no longer > exists). At least I was able to use a copy of firefox on a machine I > haven't started to upgrade yet (so I could refer to the cited Web > page(s)). > > Since I'm disinclined to globally disable all vulnerability checking, > I'm proceeding with updates to the ports that portmaster hadn't yet got > to first, before (temporarily) disabling the checks so I can have a > working graphical Web browser with which I'm familiar again. > > Which reminds me: the cited directive re. the libevent change (in > UPDATING): "pkg delete libevent" also deleted sysutils/tmux, so the > subsequent "portmaster -ad" had no clue that tmux was supposed to be > rebuilt. I was able to re-install it manually, but I mention this in > case it helps someone else. > > (Ugh. It appears that the "portmaster -aF" that I ran earlier this > morning didn't actually fetch the firefox-30.0.source.tar.bz2... wait > up; that should have been there already. Making me wait while that's > re-fetched is ... not good: I'm trying to get this laptop updated before > I go in to work this morning.... OK; I found a local copy on another > machine.) > > Peace, > david > -- > David H. Wolfskill da...@catwhisker.org > Taliban: Evil cowards with guns afraid of truth from a 14-year old girl. > > See http://www.catwhisker.org/~david/publickey.gpg for my public key. > David, Since the old firefox was vulnerable and we don't have a port of Firefox 31 yet, the best choice seems to be to install the new, libevent2 version (_2) with DISABLE_VULNERABILITIES defined so that it will still install. Obviously, you just set DISABLE_VULNERABILITIES for the firefox build and then unset it. Not ideal, but the only available work around. Also, the solver in pkg will re-install all dependent ports when a port is deleted. (It does ask first.) I just note the "extra" deleted ports and re-install. But I do wish we had had a hears-up on this as I lost gnuplot yesterday for quite a while which rather seriously impacted my web pages as new graphs were not being generated. After that first system, I was smarter, but there really needs to be a BIG warning in UPDATING and when pkg delete deletes dependent packages. There ought to be a better way, but -o does not help as libevent2 already existed. This one is VERY user unfriendly! -- R. Kevin Oberman, Network Engineer, Retired E-mail: rkober...@gmail.com _______________________________________________ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"