Re: PHP vulnerability and portupgrade

Tue, 21 Dec 2004 18:01:30 -0800 

> On Wednesday 22 December 2004 09:06, Mark Andrews wrote:
> > > Hello,
> > >
> > > Due to the recently discovered vulnerability in PHP versions older than
> > > 4.3.10 and 5.0.3, I decided to take a look at portupgrade to see if it
> > > is a good way to keep the ports collection up-to-date with respect to
> > > security issues. I ran cvsup on the security branch (tag=RELENG_5_3),
> > > then portsdb -Uu. However, portupgrade didn't find any ports that
> > > needed an upgrade.
> > >
> > > Am I doing something wrong or is portupgrade not the best tool to keep
> > > up with security advisories in ports?
> >
> >  cvsup of ports does not use tag=RELENG_5_3.
> >
> >  e.g.
> >   *default  host=cvsup.FreeBSD.org
> >   *default  base=/usr
> >   *default  prefix=/usr
> >   *default  release=cvs
> >   *default  delete use-rel-suffix
> >   *default  tag=.
> >   ports-all
> >
> >  Use portaudit to track security issues in ports.
> 
> Thanks a lot for your reply. If I understand things correctly, I need to 
> maintain two cvsup files - one that tracks security issues in the base 
> FreeBSD 5.3 system (tag=RELENG_5_3, src-all) and one for the ports 
> collection (tag=. , ports-all). Then every time I receive a FreeBSD 
> security advisory I run cvsup on the former, and every time portaudit tells 
> me about a new security issue in the ports collection, I run cvsup on the 
> latter, then use portupgrade to upgrade vulnerable ports.
> 
> Is this correct?

        Essentually.  When you install portaudit it will be run as
        part of the daily periodic jobs provided the FreeBSD version
        is new enough (which 5.3 is).

        How you treat each reported issue is up to you.  Some do not
        have a fix yet.  You need to decide if you can live with
        vulnerability or not.
 
> I went through the security chapter of the FreeBSD handbook, but I found it 
> disappointing that it doesn't explain how to keep a FreeBSD system 
> up-to-date of security issues. Also, "The Complete FreeBSD" book by Greg 
> Lehey doesn't even mention the existence of portaudit.
> 
> Thanks again :-)
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to