Re: ICU Portupdate faulty

[Jos Chrispijn]

Dear team,

Thanks for your suggestions and solution. You really raised my learning 
curve here.


Regards,
Jos Chrispijn

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: ICU Portupdate faulty

[Jos Chrispijn]

Thanks y'all for your support - this was a real eye opener.

Best regards,
Jos

Op 5-5-2017 om 19:19 schreef Kevin Oberman:
On Fri, May 5, 2017 at 6:37 AM, Jos Chrispijn 
> wrote:



Op 5-5-2017 om 18:05 schreef Adam Weinberger:

On 5 May, 2017, at 9:48, mokhi > wrote:

Well, as I can see here <
http://www.freshports.org/devel/icu/
 > an
older version of this port is vulnerable not current version.
Maybe by updating your tree your problem will be solved :-]

Yes, this is the correct answer. After icu got patched, the
VuXML entry was lowered to mark 58.2_2,1 as non-vulnerable.
Jos, it sounds like your ports tree is after the icu update
but before the VuXML modification. Update your ports tree to
bring in the new VuXML file and you should be good.

Adam, perhaps I am missing the clue here:

- I had the correct updated version in my ports collection
- Updating the vulnerable installed icu version with that version
should not provide the Vulnerability message as that version is
updates with the correct version in my icu port.

In my case, Jim's suggestion to use "DISABLE_VULNERABILITIES=yes"
was the only way of getting my faulty icu version updated to the
version that is in my port.

Kind of confused,
Jos 



The VuXML DB is not a part of the ports tree. It is usually updated by 
the nightly periodic script, but you can manually fetch it with "pkg 
audit -F -q".

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com 
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683


___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: ICU Portupdate faulty

[Adam Weinberger]

> On 5 May, 2017, at 11:13, Matthew D. Fuller  wrote:
> 
> On Fri, May 05, 2017 at 10:05:05AM -0600 I heard the voice of
> Adam Weinberger, and lo! it spake thus:
>> 
>> Yes, this is the correct answer. After icu got patched, the VuXML
>> entry was lowered to mark 58.2_2,1 as non-vulnerable. Jos, it sounds
>> like your ports tree is after the icu update but before the VuXML
>> modification. Update your ports tree to bring in the new VuXML file
>> and you should be good.
> 
> No, it's not looking at the vuxml file right in ports.  It'll be using
> the audit file downloaded nightly as part of
> /usr/local/etc/periodic/security/410.pkg-audit, so it'll always be ~a
> day out of date.  Run `pkg audit -F` manually to kick a refetch of the
> latest.

Ah! You and Kevin are completely right. Thank you for giving Jos the right 
answer.

# Adam


-- 
Adam Weinberger
ad...@adamw.org
https://www.adamw.org

___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: ICU Portupdate faulty

[Kevin Oberman]

On Fri, May 5, 2017 at 6:37 AM, Jos Chrispijn 
wrote:

>
> Op 5-5-2017 om 18:05 schreef Adam Weinberger:
>
>> On 5 May, 2017, at 9:48, mokhi  wrote:
>>>
>>> Well, as I can see here < http://www.freshports.org/devel/icu/ > an
>>> older version of this port is vulnerable not current version.
>>> Maybe by updating your tree your problem will be solved :-]
>>>
>> Yes, this is the correct answer. After icu got patched, the VuXML entry
>> was lowered to mark 58.2_2,1 as non-vulnerable. Jos, it sounds like your
>> ports tree is after the icu update but before the VuXML modification.
>> Update your ports tree to bring in the new VuXML file and you should be
>> good.
>>
> Adam, perhaps I am missing the clue here:
>
> - I had the correct updated version in my ports collection
> - Updating the vulnerable installed icu version with that version should
> not provide the Vulnerability message as that version is updates with the
> correct version in my icu port.
>
> In my case, Jim's suggestion to use "DISABLE_VULNERABILITIES=yes" was the
> only way of getting my faulty icu version updated to the version that is in
> my port.
>
> Kind of confused,
> Jos


The VuXML DB is not a part of the ports tree. It is usually updated by the
nightly periodic script, but you can manually fetch it with "pkg audit -F
-q".
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: ICU Portupdate faulty

[Matthew D. Fuller]

On Fri, May 05, 2017 at 10:05:05AM -0600 I heard the voice of
Adam Weinberger, and lo! it spake thus:
> 
> Yes, this is the correct answer. After icu got patched, the VuXML
> entry was lowered to mark 58.2_2,1 as non-vulnerable. Jos, it sounds
> like your ports tree is after the icu update but before the VuXML
> modification. Update your ports tree to bring in the new VuXML file
> and you should be good.

No, it's not looking at the vuxml file right in ports.  It'll be using
the audit file downloaded nightly as part of
/usr/local/etc/periodic/security/410.pkg-audit, so it'll always be ~a
day out of date.  Run `pkg audit -F` manually to kick a refetch of the
latest.


-- 
Matthew Fuller (MF4839)   |  fulle...@over-yonder.net
Systems/Network Administrator |  http://www.over-yonder.net/~fullermd/
   On the Internet, nobody can hear you scream.
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: ICU Portupdate faulty

[Jos Chrispijn]

Op 5-5-2017 om 18:05 schreef Adam Weinberger:

On 5 May, 2017, at 9:48, mokhi  wrote:

Well, as I can see here < http://www.freshports.org/devel/icu/ > an
older version of this port is vulnerable not current version.
Maybe by updating your tree your problem will be solved :-]

Yes, this is the correct answer. After icu got patched, the VuXML entry was 
lowered to mark 58.2_2,1 as non-vulnerable. Jos, it sounds like your ports tree 
is after the icu update but before the VuXML modification. Update your ports 
tree to bring in the new VuXML file and you should be good.

Adam, perhaps I am missing the clue here:

- I had the correct updated version in my ports collection
- Updating the vulnerable installed icu version with that version should 
not provide the Vulnerability message as that version is updates with 
the correct version in my icu port.


In my case, Jim's suggestion to use "DISABLE_VULNERABILITIES=yes" was 
the only way of getting my faulty icu version updated to the version 
that is in my port.


Kind of confused,
Jos
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: ICU Portupdate faulty

[Jos Chrispijn]

Yes I noticed as well.
Point is that after updating my tree, the issue still exists allthough I 
have th correct portupdate in my ports.


Let me check what is going wrong here.

Thanks,
Jos

Op 5-5-2017 om 17:48 schreef mokhi:

Well, as I can see here < http://www.freshports.org/devel/icu/ > an
older version of this port is vulnerable not current version.
Maybe by updating your tree your problem will be solved :-]


___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: ICU Portupdate faulty

[Adam Weinberger]

> On 5 May, 2017, at 9:48, mokhi  wrote:
> 
> Well, as I can see here < http://www.freshports.org/devel/icu/ > an
> older version of this port is vulnerable not current version.
> Maybe by updating your tree your problem will be solved :-]

Yes, this is the correct answer. After icu got patched, the VuXML entry was 
lowered to mark 58.2_2,1 as non-vulnerable. Jos, it sounds like your ports tree 
is after the icu update but before the VuXML modification. Update your ports 
tree to bring in the new VuXML file and you should be good.

# Adam


-- 
Adam Weinberger
ad...@adamw.org
https://www.adamw.org


___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: ICU Portupdate faulty

[mokhi]

Well, as I can see here < http://www.freshports.org/devel/icu/ > an
older version of this port is vulnerable not current version.
Maybe by updating your tree your problem will be solved :-]
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: ICU Portupdate faulty

[Jim Ohlstein]

Hello,

On 05/05/2017 11:37 AM, Jos Chrispijn wrote:

I am really not a fan of that.

Better would be to solve the 'vulneratbilities' issue.
/Jos


The vulnerabilites are outlined in 
http://www.vuxml.org/freebsd/607f8b57-7454-42c6-a88a-8706f327076d.html 
and appear to be patched in devel/icu 58.2_2,1 committed yesterday. See 
https://svnweb.freebsd.org/ports?view=revision=440117.




Op 5-5-2017 om 17:24 schreef mokhi:

It seems the port has known vulnerabilities.
If you are sure about what you are doing, run the make command with
"DISABLE_VULNERABILITIES=yes" option as it suggests.


--
Jim Ohlstein
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: ICU Portupdate faulty

[Jos Chrispijn]

I am really not a fan of that.

Better would be to solve the 'vulneratbilities' issue.
/Jos

Op 5-5-2017 om 17:24 schreef mokhi:

It seems the port has known vulnerabilities.
If you are sure about what you are doing, run the make command with
"DISABLE_VULNERABILITIES=yes" option as it suggests.
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"


___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

Re: ICU Portupdate faulty

[mokhi]

It seems the port has known vulnerabilities.
If you are sure about what you are doing, run the make command with
"DISABLE_VULNERABILITIES=yes" option as it suggests.
___
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"