www/firefox vs. vulnerabilities vs. libevent -- libevent2

[David Wolfskill]

/usr/ports is a working copy of head@r362876; during my daily portmaster
run to update all installed ports on my laptop, I see that libevent1 is
now replaced by libevent2.

Apparently www/firefox had been linked against libevent, so portmaster
tries to update www/firefox (after having updated several other ports).

That process terminates rather abrutly, however:

=== All  firefox-30.0_1,1 (12/15)
0;portmaster: All  firefox-30.0_1,1 (12/15)^G
===  Cleaning for firefox-30.0_2,1
===  firefox-30.0_2,1 has known vulnerabilities:
firefox-30.0_2,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2014-1561
CVE: CVE-2014-1560
CVE: CVE-2014-1559
CVE: CVE-2014-1558
CVE: CVE-2014-1557
CVE: CVE-2014-1556
CVE: CVE-2014-1555
CVE: CVE-2014-1552
CVE: CVE-2014-1551
CVE: CVE-2014-1550
CVE: CVE-2014-1549
CVE: CVE-2014-1548
CVE: CVE-2014-1547
CVE: CVE-2014-1544
WWW: http://portaudit.FreeBSD.org/978b0f76-122d-11e4-afe3-bc5ff4fb5e7b.html

1 problem(s) in the installed packages found.
= Please update your ports tree and try again.
= Note: Vulnerable ports are marked as such even if there is no update 
available.
= If you wish to ignore this vulnerability rebuild with 'make 
DISABLE_VULNERABILITIES=yes'
*** [check-vulnerable] Error code 1

Stop in /common/ports/www/firefox.
*** [build] Error code 1

Stop in /common/ports/www/firefox.

=== make build failed for www/firefox
=== Aborting update


As a reality check, I did take a quick look at
http://docs.freebsd.org/mail/current/svn-ports-head.html to see
if, perchance, there were commits to www/firefox to address those
reported vulnerabilities since r362876, but the most recent commit
I see there now is r362887 -- and none of the commits since r362876
is about/for www/firefox (or anything related, AFAICT).

So I'm left wondering how this is actually useful: I'm left with a copy
of firefox installed (more or less) that has known vulnerabilities and
is broken (since it's still linked against a library that no longer
exists).  At least I was able to use a copy of firefox on a machine I
haven't started to upgrade yet (so I could refer to the cited Web
page(s)).

Since I'm disinclined to globally disable all vulnerability checking,
I'm proceeding with updates to the ports that portmaster hadn't yet got
to first, before (temporarily) disabling the checks so I can have a
working graphical Web browser with which I'm familiar again.

Which reminds me: the cited directive re. the libevent change (in
UPDATING): pkg delete libevent also deleted sysutils/tmux, so the
subsequent portmaster -ad had no clue that tmux was supposed to be
rebuilt.  I was able to re-install it manually, but I mention this in
case it helps someone else.

(Ugh.  It appears that the portmaster -aF that I ran earlier this
morning didn't actually fetch the firefox-30.0.source.tar.bz2... wait
up; that should have been there already.  Making me wait while that's
re-fetched is ... not good: I'm trying to get this laptop updated before
I go in to work this morning  OK; I found a local copy on another
machine.)

Peace,
david
-- 
David H. Wolfskill  da...@catwhisker.org
Taliban: Evil cowards with guns afraid of truth from a 14-year old girl.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.


pgp32Bp0lXhqQ.pgp
Description: PGP signature

Re: www/firefox vs. vulnerabilities vs. libevent -- libevent2

[Kevin Oberman]

On Fri, Jul 25, 2014 at 5:45 AM, David Wolfskill da...@catwhisker.org
wrote:

 /usr/ports is a working copy of head@r362876; during my daily portmaster
 run to update all installed ports on my laptop, I see that libevent1 is
 now replaced by libevent2.

 Apparently www/firefox had been linked against libevent, so portmaster
 tries to update www/firefox (after having updated several other ports).

 That process terminates rather abrutly, however:

 === All  firefox-30.0_1,1 (12/15)
 0;portmaster: All  firefox-30.0_1,1 (12/15)^G
 ===  Cleaning for firefox-30.0_2,1
 ===  firefox-30.0_2,1 has known vulnerabilities:
 firefox-30.0_2,1 is vulnerable:
 mozilla -- multiple vulnerabilities
 CVE: CVE-2014-1561
 CVE: CVE-2014-1560
 CVE: CVE-2014-1559
 CVE: CVE-2014-1558
 CVE: CVE-2014-1557
 CVE: CVE-2014-1556
 CVE: CVE-2014-1555
 CVE: CVE-2014-1552
 CVE: CVE-2014-1551
 CVE: CVE-2014-1550
 CVE: CVE-2014-1549
 CVE: CVE-2014-1548
 CVE: CVE-2014-1547
 CVE: CVE-2014-1544
 WWW:
 http://portaudit.FreeBSD.org/978b0f76-122d-11e4-afe3-bc5ff4fb5e7b.html

 1 problem(s) in the installed packages found.
 = Please update your ports tree and try again.
 = Note: Vulnerable ports are marked as such even if there is no update
 available.
 = If you wish to ignore this vulnerability rebuild with 'make
 DISABLE_VULNERABILITIES=yes'
 *** [check-vulnerable] Error code 1

 Stop in /common/ports/www/firefox.
 *** [build] Error code 1

 Stop in /common/ports/www/firefox.

 === make build failed for www/firefox
 === Aborting update


 As a reality check, I did take a quick look at
 http://docs.freebsd.org/mail/current/svn-ports-head.html to see
 if, perchance, there were commits to www/firefox to address those
 reported vulnerabilities since r362876, but the most recent commit
 I see there now is r362887 -- and none of the commits since r362876
 is about/for www/firefox (or anything related, AFAICT).

 So I'm left wondering how this is actually useful: I'm left with a copy
 of firefox installed (more or less) that has known vulnerabilities and
 is broken (since it's still linked against a library that no longer
 exists).  At least I was able to use a copy of firefox on a machine I
 haven't started to upgrade yet (so I could refer to the cited Web
 page(s)).

 Since I'm disinclined to globally disable all vulnerability checking,
 I'm proceeding with updates to the ports that portmaster hadn't yet got
 to first, before (temporarily) disabling the checks so I can have a
 working graphical Web browser with which I'm familiar again.

 Which reminds me: the cited directive re. the libevent change (in
 UPDATING): pkg delete libevent also deleted sysutils/tmux, so the
 subsequent portmaster -ad had no clue that tmux was supposed to be
 rebuilt.  I was able to re-install it manually, but I mention this in
 case it helps someone else.

 (Ugh.  It appears that the portmaster -aF that I ran earlier this
 morning didn't actually fetch the firefox-30.0.source.tar.bz2... wait
 up; that should have been there already.  Making me wait while that's
 re-fetched is ... not good: I'm trying to get this laptop updated before
 I go in to work this morning  OK; I found a local copy on another
 machine.)

 Peace,
 david
 --
 David H. Wolfskill  da...@catwhisker.org
 Taliban: Evil cowards with guns afraid of truth from a 14-year old girl.

 See http://www.catwhisker.org/~david/publickey.gpg for my public key.


David,

Since the old firefox was vulnerable and we don't have a port of Firefox 31
yet, the best choice seems to be to install the new, libevent2 version (_2)
with DISABLE_VULNERABILITIES defined so that it will still install.
Obviously, you just set DISABLE_VULNERABILITIES for the firefox build and
then unset it. Not ideal, but the only available work around.

Also, the solver in pkg will re-install all dependent ports when a port is
deleted. (It does ask first.) I just note the extra deleted ports and
re-install. But I do wish we had had a hears-up on this as I lost gnuplot
yesterday for quite a while which rather seriously impacted my web pages as
new graphs were not being generated. After that first system, I was
smarter, but there really needs to be a BIG warning in UPDATING and when
pkg delete deletes dependent packages. There ought to be a better way, but
-o does not help as libevent2 already existed. This one is VERY user
unfriendly!
--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkober...@gmail.com
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org