From: Warren Block <wblock@wonkity.com>
To: Kevin Kreamer
Cc: freebsd-ports@freebsd.org
Date: Sat, 1 Jan 2011 09:15:35 -0700 (MST)
Subject: Re: Security updates for packages?
List-Id: Porting software to FreeBSD <freebsd-ports@freebsd.org>

On Sun, 12 Dec 2010, Kevin Kreamer wrote:

> Having not used FreeBSD for several years, I did a fresh install yesterday
> of 8.1-RELEASE, and then used pkg_add -r to install several packages. I
> then came across portaudit, ran it, and it indicated that I had three
> vulnerable packages (git, ruby, and sudo). Looking at
> http://www.vuxml.org/freebsd/, it appears that these were reported in July,
> August, and September respectively.

You got the packages as they were at the release of 8.1 (July 23, 2010).

> Basically, I would think a freshly installed system would not have security
> vulnerabilities from months prior. Is that an erroneous assumption on my
> part, am I just misunderstanding something, or do I have something
> misconfigured?

It's done (I think) to provide a known-working set of packages. The same
effect is seen when things are installed from ports without updating the
ports tree first; it's a snapshot at that time.

You can adjust the PACKAGEROOT or PACKAGESITE variables. See pkg_add(1).

Or switch to using ports, updating the ports tree before installing or
updating applications.
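The PACKAGESITE adjustment Warren points to, as an added example that is not part of the thread: a small sh script that builds the package URL for either the frozen release-day snapshot or the branch that receives updated packages, and counts the packages a portaudit run reports. It assumes the ftp.freebsd.org directory layout that pkg_add(1) documented for 8.x (.../ports/<arch>/packages-<branch>/Latest/); the portaudit output is a constructed sample with placeholder versions, not real audit data.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumption: ftp.freebsd.org layout from pkg_add(1) of the 8.x era,
#   ftp://ftp.freebsd.org/pub/FreeBSD/ports/<arch>/packages-<branch>/Latest/

# packagesite_for RELEASE ARCH [BRANCH]
#   RELEASE is `uname -r` (8.1-RELEASE or 8.1-RELEASE-p3), ARCH is `uname -m`.
#   BRANCH "release" selects the snapshot frozen on release day (what
#   pkg_add -r uses by default on a fresh install); "stable" selects the
#   branch that keeps receiving rebuilt packages.
packagesite_for() {
    rel="$1"; arch="$2"; branch="${3:-stable}"
    # drop a -pN patch level: 8.1-RELEASE-p3 -> 8.1-RELEASE
    base=$(printf '%s\n' "$rel" | sed 's/-p[0-9]*$//')
    major=${base%%.*}                      # 8.1-RELEASE -> 8
    case "$branch" in
        stable)  dir="packages-${major}-stable" ;;
        release) dir="packages-$(printf '%s\n' "$base" | tr 'A-Z' 'a-z')" ;;
        *) echo "unknown branch: $branch" >&2; return 1 ;;
    esac
    printf 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/%s/%s/Latest/\n' "$arch" "$dir"
}

# count_affected: read portaudit output on stdin and print how many
# "Affected package:" lines it contains (0 for a clean system).
count_affected() {
    grep -c '^Affected package:' || true   # grep exits 1 on zero matches
}

# Constructed sample of portaudit -a output for the three packages named in
# the original post; versions and problem text are placeholders.
SAMPLE_AUDIT='Affected package: git-0.0.0 (placeholder)
Type of problem: git -- (placeholder description)
Affected package: ruby-0.0.0 (placeholder)
Type of problem: ruby -- (placeholder description)
Affected package: sudo-0.0.0 (placeholder)
Type of problem: sudo -- (placeholder description)
3 problem(s) in your installed packages found.'

# Demo, no network access: show both URLs and count the sample findings.
echo "release snapshot: $(packagesite_for 8.1-RELEASE i386 release)"
echo "tracking branch:  $(packagesite_for 8.1-RELEASE i386 stable)"
echo "vulnerable packages in sample audit: $(printf '%s\n' "$SAMPLE_AUDIT" | count_affected)"
# On a real host you would run, e.g.:
#   PACKAGESITE=$(packagesite_for "$(uname -r)" "$(uname -m)") pkg_add -r sudo
#   portaudit -Fda
```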