On Fri, Jul 25, 2014 at 5:45 AM, David Wolfskill da...@catwhisker.org
wrote:
/usr/ports is a working copy of head@r362876; during my daily portmaster
run to update all installed ports on my laptop, I see that libevent1 is
now replaced by libevent2.
Apparently www/firefox had been linked against libevent, so portmaster
tries to update www/firefox (after having updated several other ports).
That process terminates rather abrutly, however:
=== All firefox-30.0_1,1 (12/15)
0;portmaster: All firefox-30.0_1,1 (12/15)^G
=== Cleaning for firefox-30.0_2,1
=== firefox-30.0_2,1 has known vulnerabilities:
firefox-30.0_2,1 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2014-1561
CVE: CVE-2014-1560
CVE: CVE-2014-1559
CVE: CVE-2014-1558
CVE: CVE-2014-1557
CVE: CVE-2014-1556
CVE: CVE-2014-1555
CVE: CVE-2014-1552
CVE: CVE-2014-1551
CVE: CVE-2014-1550
CVE: CVE-2014-1549
CVE: CVE-2014-1548
CVE: CVE-2014-1547
CVE: CVE-2014-1544
WWW:
http://portaudit.FreeBSD.org/978b0f76-122d-11e4-afe3-bc5ff4fb5e7b.html
1 problem(s) in the installed packages found.
= Please update your ports tree and try again.
= Note: Vulnerable ports are marked as such even if there is no update
available.
= If you wish to ignore this vulnerability rebuild with 'make
DISABLE_VULNERABILITIES=yes'
*** [check-vulnerable] Error code 1
Stop in /common/ports/www/firefox.
*** [build] Error code 1
Stop in /common/ports/www/firefox.
=== make build failed for www/firefox
=== Aborting update
As a reality check, I did take a quick look at
http://docs.freebsd.org/mail/current/svn-ports-head.html to see
if, perchance, there were commits to www/firefox to address those
reported vulnerabilities since r362876, but the most recent commit
I see there now is r362887 -- and none of the commits since r362876
is about/for www/firefox (or anything related, AFAICT).
So I'm left wondering how this is actually useful: I'm left with a copy
of firefox installed (more or less) that has known vulnerabilities and
is broken (since it's still linked against a library that no longer
exists). At least I was able to use a copy of firefox on a machine I
haven't started to upgrade yet (so I could refer to the cited Web
page(s)).
Since I'm disinclined to globally disable all vulnerability checking,
I'm proceeding with updates to the ports that portmaster hadn't yet got
to first, before (temporarily) disabling the checks so I can have a
working graphical Web browser with which I'm familiar again.
Which reminds me: the cited directive re. the libevent change (in
UPDATING): pkg delete libevent also deleted sysutils/tmux, so the
subsequent portmaster -ad had no clue that tmux was supposed to be
rebuilt. I was able to re-install it manually, but I mention this in
case it helps someone else.
(Ugh. It appears that the portmaster -aF that I ran earlier this
morning didn't actually fetch the firefox-30.0.source.tar.bz2... wait
up; that should have been there already. Making me wait while that's
re-fetched is ... not good: I'm trying to get this laptop updated before
I go in to work this morning OK; I found a local copy on another
machine.)
Peace,
david
--
David H. Wolfskill da...@catwhisker.org
Taliban: Evil cowards with guns afraid of truth from a 14-year old girl.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
David,
Since the old firefox was vulnerable and we don't have a port of Firefox 31
yet, the best choice seems to be to install the new, libevent2 version (_2)
with DISABLE_VULNERABILITIES defined so that it will still install.
Obviously, you just set DISABLE_VULNERABILITIES for the firefox build and
then unset it. Not ideal, but the only available work around.
Also, the solver in pkg will re-install all dependent ports when a port is
deleted. (It does ask first.) I just note the extra deleted ports and
re-install. But I do wish we had had a hears-up on this as I lost gnuplot
yesterday for quite a while which rather seriously impacted my web pages as
new graphs were not being generated. After that first system, I was
smarter, but there really needs to be a BIG warning in UPDATING and when
pkg delete deletes dependent packages. There ought to be a better way, but
-o does not help as libevent2 already existed. This one is VERY user
unfriendly!
--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkober...@gmail.com
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org