From owner-svn-doc-head@FreeBSD.ORG Thu Oct 16 12:30:43 2014
Return-Path:
Delivered-To: svn-doc-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9B9689D6; Thu, 16 Oct 2014 12:30:43 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 867E1D64; Thu, 16 Oct 2014 12:30:43 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9GCUhpH001890; Thu, 16 Oct 2014 12:30:43 GMT (envelope-from ak@FreeBSD.org)
Received: (from ak@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9GCUhSN001889; Thu, 16 Oct 2014 12:30:43 GMT (envelope-from ak@FreeBSD.org)
Message-Id: <201410161230.s9GCUhSN001889@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: ak set sender to ak@FreeBSD.org using -f
From: Alex Kozlov
Date: Thu, 16 Oct 2014 12:30:43 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r45838 - head/en_US.ISO8859-1/books/porters-handbook/security
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-head@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the doc tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 16 Oct 2014 12:30:43 -0000

Author: ak (ports committer)
Date: Thu Oct 16 12:30:42 2014
New Revision: 45838

URL: https://svnweb.freebsd.org/changeset/doc/45838

Log:
  - Document modern way to work with vulnerability database
  - Do some rewording, remove "you" and "your" where possible
    (special thanks to wblock)

  Reviewed by:	mat, wblock
  Approved by:	mat, wblock
  Differential Revision:	https://reviews.freebsd.org/D941

Modified:
  head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml	Thu Oct 16 09:02:51 2014	(r45837)
+++ head/en_US.ISO8859-1/books/porters-handbook/security/chapter.xml	Thu Oct 16 12:30:42 2014	(r45838)
@@ -114,16 +114,14 @@ also monitor it for issues requiring their intervention. - - If you have committer rights you can update the VuXML - database by yourself. So you will both help the Security - Officer Team and deliver the crucial information to the - community earlier. However, if you are not a committer, or - you believe you have found an exceptionally severe - vulnerability please do not hesitate to contact the Security - Officer Team directly as described on the - &os; - Security Information page. + Committers can update the VuXML + database themselves, assisting the Security Officer Team + and delivering crucial information to the community more + quickly. Those who are not committers or have discovered + an exceptionally severe vulnerability should not hesitate + to contact the Security Officer Team directly, as described + on the + &os; Security Information page. The VuXML database is an XML document. Its source file vuln.xml is kept right 
@@ -412,38 +410,19 @@ Testing Changes to the VuXML Database This example describes a new entry for a - vulnerability in the package clamav that - has been fixed in version 0.65_7. + vulnerability in the package dropbear that + has been fixed in version dropbear-2013.59. As a prerequisite, - install fresh versions of the ports - ports-mgmt/portaudit, - ports-mgmt/portaudit-db, and - security/vuxml. - - - The user running packaudit must have - permission to write to its DATABASEDIR, - typically /var/db/portaudit. - - To use a different directory, set the - DATABASEDIR environment variable to a - different location. - - If working in a directory other than - ${PORTSDIR}/security/vuxml, set the - VUXMLDIR environment variable to the - directory where vuln.xml is - located. - + install a fresh version of + security/vuxml port. First, check whether there already is an entry for this vulnerability. If there were such an entry, it would match the previous version of the package, - 0.65_6: + 2013.58: - &prompt.user; packaudit -&prompt.user; portaudit clamav-0.65_6 + &prompt.user; pkg audit dropbear-2013.58 If there is none found, add a new entry for this vulnerability. @@ -461,21 +440,10 @@ textproc/jade. - Now rebuild the portaudit database from - the VuXML file: - - &prompt.user; packaudit - - To verify that the <affected> - section of the entry will match the correct package(s), issue this - command: + Verify that the <affected> + section of the entry will match the correct packages: - &prompt.user; portaudit -f /usr/ports/INDEX -r uuid - - - Please refer to &man.portaudit.1; for better - understanding of the command syntax. - + &prompt.user; pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-2013.58 Make sure that the entry produces no spurious matches in the output. 
@@ -483,22 +451,18 @@ Now check whether the right package versions are matched by the entry: - &prompt.user; portaudit clamav-0.65_6 clamav-0.65_7 -Affected package: clamav-0.65_6 (matched by clamav<0.65_7) -Type of problem: clamav remote denial-of-service. -Reference: <http://www.freebsd.org/ports/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html> + &prompt.user; pkg audit -f ${PORTSDIR}/security/vuxml/vuln.xml dropbear-201 +3.58 dropbear-2013.59 +dropbear-2012.58 is vulnerable: +dropbear -- exposure of sensitive information, DoS +CVE: CVE-2013-4434 +CVE: CVE-2013-4421 +WWW: http://portaudit.FreeBSD.org/8c9b48d1-3715-11e3-a624-00262d8b701d.html -1 problem(s) found. +1 problem(s) in the installed packages found. The former version matches while the latter one does not. - - Finally, verify whether the web page generated from the - VuXML database looks like expected: - - &prompt.user; mkdir -p ~/public_html/portaudit -&prompt.user; packaudit -&prompt.user; lynx ~/public_html/portaudit/74a9541d-5d6c-11d8-80e3-0020ed76ef5a.html
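Review bot: in the @@ -114 hunk, the added sentence "Those who are not committers or have discovered an exceptionally severe vulnerability should not hesitate to contact the Security Officer Team directly" reads as if both conditions apply only to non-committers, whereas the removed text made them alternatives ("if you are not a committer, or you believe you have found an exceptionally severe vulnerability"). Suggest "Those who are not committers, or who have discovered an exceptionally severe vulnerability, should not hesitate to contact ..." so that a committer with a severe finding is still directed to the Security Officer Team.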
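Review bot: in the @@ -412 hunk, the first check `&prompt.user; pkg audit dropbear-2013.58` is run without `-f`, so it consults whatever vulnerability database pkg has installed, while the two later checks in the same section pass `-f ${PORTSDIR}/security/vuxml/vuln.xml` to query the working copy. Either add the same `-f` option here, or state that this initial "is there already an entry" check is meant to query the published database rather than the local vuln.xml; as written the reader cannot tell which is intended. Minor: the added prerequisite "install a fresh version of security/vuxml port" is missing an article ("of the security/vuxml port").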
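Review bot: in the @@ -483 hunk, the sample output does not agree with the command above it. The command queries `dropbear-2013.58 dropbear-2013.59`, with the first package name split across two lines as `dropbear-201` / `3.58`, which will render as a broken command line, but the output reports `dropbear-2012.58 is vulnerable:`. Use `dropbear-2013.58` in both the command and the output and keep the command on one line; otherwise the closing sentence "The former version matches while the latter one does not" cannot be checked against the output shown. Also, the removed "Finally, verify whether the web page generated from the VuXML database looks like expected" step is dropped without a replacement; if that check has no pkg-audit equivalent, a sentence saying so would help readers migrating from the portaudit workflow.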