Date: Sun, 22 Aug 2004 22:40:50 +0200
From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: "Jacques A. Vidrine" <nectar@FreeBSD.org>
Cc: Pete Fritchman <petef@absolutbsd.org>
Subject: Re: determining vulnerable FreeBSD system components [Was: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml]
Message-ID: <8D9F2B2C-F47B-11D8-8CAA-00039312D914@fillmore-labs.com>
In-Reply-To: <20040822194025.GB17478@madman.celabo.org>
Jacques A. Vidrine wrote:

> I don't think ident information is all that useful, and I *know*
> that it is a PITA to maintain.

Yup, I realized that the cvs binary doesn't contain enough information
to be identifiable with ident(1).

> [...]
> The only practical way to specify affected versions of the system
> is with a patch level as we've done for years. e.g. 4.8-RELEASE-p9
> is unaffected, all those before are not. This is analogous to the
> situation with ports... we use the package version number, not the
> revision numbers of the Makefile and associated ports skeleton files,
> nor the revision numbers of the original source files or anything
> silly like that. We use the administratively maintained package
> number with PORTEPOCH, PORTREVISION and such.

Yup. We should use __FreeBSD_version for -STABLE and -CURRENT, since this
is easily determinable. I know -CURRENT is not supported, but it would be
useful nevertheless.

I don't know how to handle release branches though. Especially when only
the affected binary is patched, without rebooting the system (and possibly
bumping __FreeBSD_version). Maybe we should invent some kind of global
registry where the (security) patches applied are recorded.

-Oliver
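As an added example (mine, not from this thread or from portaudit) of the patch-level comparison Jacques describes, a POSIX sh function that parses uname -r style strings such as 4.8-RELEASE-p9 and decides whether the running system predates the patch level in which a fix shipped. It assumes one fixed-in version per release branch, treats a bare RELEASE as patch level 0, and takes the __FreeBSD_version numbers for -STABLE/-CURRENT as explicit arguments (on FreeBSD they come from sysctl -n kern.osreldate).

```sh
#!/bin/sh
# Added example: compare a running FreeBSD release string against the
# patch level named in an advisory.  Input form is what uname -r prints,
# e.g. "4.8-RELEASE-p9".  Assumptions: major.minor and patch level compare
# numerically, and a RELEASE without "-pN" is patch level 0.

# patchlevel VERSION -> prints "major minor patch"
patchlevel() {
    rel=${1%%-*}                 # "4.8"
    rest=${1#*-}                 # "RELEASE-p9" or "RELEASE"
    case $rest in
        *-p*) p=${rest##*-p} ;;  # "9"
        *)    p=0 ;;             # unpatched RELEASE
    esac
    echo "${rel%%.*} ${rel#*.} $p"
}

# affected RUNNING FIXED -> 0 if RUNNING is older than FIXED on the same
# release branch, 1 if at or after the fix, 2 if the branches differ
# (a different branch needs its own fixed-in version from the advisory).
# Caveat from the thread: uname -r reflects the running kernel, so a
# system whose affected userland binary was rebuilt from a patched tree
# without a kernel update is reported as affected here.
affected() {
    set -- $(patchlevel "$1") $(patchlevel "$2")
    { [ "$1" -eq "$4" ] && [ "$2" -eq "$5" ]; } || return 2
    [ "$3" -lt "$6" ]
}

# stable_affected RUNNING_OSRELDATE FIXED_OSRELDATE -> 0 if the running
# __FreeBSD_version is below the one carrying the fix (for -STABLE/-CURRENT,
# where the thread proposes __FreeBSD_version instead of a patch level)
stable_affected() {
    [ "$1" -lt "$2" ]
}
```

Exit status 2 deliberately differs from "not affected" so a wrapper does not silently treat a different branch as safe.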