Date: Sat, 1 Jan 2011 09:15:35 -0700 (MST)
From: Warren Block <wblock@wonkity.com>
To: Kevin Kreamer <kevin@kreamer.org>
Cc: freebsd-ports@freebsd.org
Subject: Re: Security updates for packages?
Message-ID: <alpine.BSF.2.00.1101010906330.92884@wonkity.com>
In-Reply-To: <AANLkTi=3C7GtzZZU8oOEeiXH_R_1CETN6tsvmTgTgvR+@mail.gmail.com>
References: <AANLkTi=3C7GtzZZU8oOEeiXH_R_1CETN6tsvmTgTgvR+@mail.gmail.com>
On Sun, 12 Dec 2010, Kevin Kreamer wrote:

> Having not used FreeBSD for several years, I did a fresh install yesterday
> of 8.1-RELEASE, and then used pkg_add -r to install several packages. I
> then came across portaudit, ran it, and it indicated that I had three
> vulnerable packages (git, ruby, and sudo). Looking at
> http://www.vuxml.org/freebsd/, it appears that these were reported in July,
> August, and September respectively.

You got the packages as they were at the release of 8.1 (July 23, 2010).

> Basically, I would think a freshly installed system would not have security
> vulnerabilities from months prior. Is that an erroneous assumption on my
> part, am I just misunderstanding something, or do I have something
> misconfigured?

It's done (I think) to provide a known-working set of packages. The same
effect is seen when things are installed from ports without updating the
ports tree first; it's a snapshot at that time.

You can adjust the PACKAGEROOT or PACKAGESITE variables. See pkg_add(1).
Or switch to using ports, updating the ports tree before installing or
updating applications.
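The check portaudit performs in the exchange above (installed package versions matched against VuXML version ranges) is worth seeing in code, because it explains why a release-time package set trips it months later: the package is unchanged, the database has moved on. The following is an added example, not portaudit's own code and not from the thread. It parses a constructed VuXML fragment with placeholder entries (the vids, package names and version bounds are invented for illustration and describe no real advisory) and a constructed list of installed packages in pkg_info(1) name-version form. The version comparison is a simplified reading of pkg_version(1) semantics (epoch after ",", PORTREVISION after "_", dotted numeric/alpha chunks) and is an assumption of this example, not the exact FreeBSD algorithm.

```python
"""Simplified portaudit-style check (added example; not portaudit's code).

Matches installed package versions against VuXML <range> bounds.
"""
import re
import xml.etree.ElementTree as ET

VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed VuXML fragment with placeholder entries. The vids, package
# names and version bounds are invented for this example only.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>examplepkg -- placeholder issue</topic>
    <affects>
      <package>
        <name>examplepkg</name>
        <range><lt>1.2.3_2</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>otherpkg -- placeholder issue in the 2.x branch</topic>
    <affects>
      <package>
        <name>otherpkg</name>
        <range><ge>2.0</ge><lt>2.1.5</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""

# Constructed pkg_info(1)-style listing; nothing here is a real install.
SAMPLE_INSTALLED = ["examplepkg-1.2.3_1", "otherpkg-2.1.5",
                    "otherpkg-2.0.9", "thirdpkg-0.9"]


def version_key(v):
    """Simplified pkg_version(1)-like key: (epoch, chunks, revision).

    'name-1.2.3_2,1' style: ',1' is the epoch, '_2' the port revision.
    Numeric chunks sort as ints; alpha chunks sort before numeric ones.
    This is an assumption of the example, not the exact FreeBSD algorithm.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    chunks = []
    for part in v.split("."):
        for tok in re.findall(r"\d+|[A-Za-z]+", part):
            chunks.append((1, int(tok)) if tok.isdigit() else (0, tok.lower()))
    return (epoch, chunks, revision)


def compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


# VuXML bound elements and the comparison result each one accepts.
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0,
       "gt": lambda c: c > 0, "ge": lambda c: c >= 0,
       "eq": lambda c: c == 0}


def in_range(version, range_el):
    """True when every bound inside a <range> element holds for version."""
    for bound in range_el:
        op = bound.tag.replace(VUXML_NS, "")
        if op in OPS and not OPS[op](compare(version, bound.text.strip())):
            return False
    return True


def split_pkg(pkgname):
    """'py27-foo-1.0_1' -> ('py27-foo', '1.0_1'): split at the last '-'."""
    name, _, ver = pkgname.rpartition("-")
    return name, ver


def audit(installed, vuxml_text):
    """Return [(installed_pkg, vid, topic)] for every matching entry."""
    root = ET.fromstring(vuxml_text)
    findings = []
    for vuln in root.iter(VUXML_NS + "vuln"):
        vid = vuln.get("vid")
        topic = vuln.findtext(VUXML_NS + "topic")
        for pkg in vuln.iter(VUXML_NS + "package"):
            names = {n.text.strip() for n in pkg.findall(VUXML_NS + "name")}
            ranges = pkg.findall(VUXML_NS + "range")
            for inst in installed:
                name, ver = split_pkg(inst)
                if name in names and any(in_range(ver, r) for r in ranges):
                    findings.append((inst, vid, topic))
    return findings


if __name__ == "__main__":
    for inst, vid, topic in audit(SAMPLE_INSTALLED, SAMPLE_VUXML):
        print("Affected package: %s  (vid %s)\n  %s" % (inst, vid, topic))
```

Run against the constructed data it flags examplepkg-1.2.3_1 (port revision 1 is below the <lt>1.2.3_2</lt> bound) and otherpkg-2.0.9 (inside the 2.0 to 2.1.5 window), while otherpkg-2.1.5 sits exactly on the upper bound and is clean. The practical point for the thread: an installed package only ever gets compared against the current database, so a set built at release time accumulates matches as VuXML grows, and the fix is the one Warren gives, pull packages or ports from a newer snapshot rather than the release directory.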