From owner-freebsd-questions@FreeBSD.ORG Thu Jan 20 14:18:19 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D058916A4CE for ; Thu, 20 Jan 2005 14:18:19 +0000 (GMT)
Received: from smtphost.cis.strath.ac.uk (smtphost.cis.strath.ac.uk [130.159.196.96]) by mx1.FreeBSD.org (Postfix) with ESMTP id 38D7643D2D for ; Thu, 20 Jan 2005 14:18:19 +0000 (GMT) (envelope-from chodgins@cis.strath.ac.uk)
Received: from [192.168.0.2] (chrishodgins.force9.co.uk [84.92.20.141]) j0KEI8aG026846; Thu, 20 Jan 2005 14:18:09 GMT
Message-ID: <41EFBEAC.7090902@cis.strath.ac.uk>
Date: Thu, 20 Jan 2005 14:22:36 +0000
From: Chris Hodgins
User-Agent: Mozilla Thunderbird 1.0 (X11/20050113)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Matthew Seaman
References: <41EFA629.8010707@cis.strath.ac.uk> <20050120141400.GA98085@gravitas.thebunker.net>
In-Reply-To: <20050120141400.GA98085@gravitas.thebunker.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-CIS-MailScanner-Information: Please contact support@cis.strath.ac.uk for more information
X-CIS-MailScanner: Found to be clean
X-CIS-MailScanner-SpamCheck: not spam, SpamAssassin (score=0, required 6)
X-CIS-MailScanner-From: chodgins@cis.strath.ac.uk
cc: freebsd-questions@freebsd.org
Subject: Re: pdflib for php
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 20 Jan 2005 14:18:19 -0000

Matthew Seaman wrote:
> On Thu, Jan 20, 2005 at 12:38:01PM +0000, Chris Hodgins wrote:
>
>>Thanos Tsouanas wrote:
>>
>>>On Thu, Jan 20, 2005 at 12:11:04PM +0200, Cristi Tauber wrote:
>>>
>>>
>>>>===> pdflib-6.0.1 is forbidden:
>>>>http://vuxml.freebsd.org/fc7e6a42-6012-11d9-a9e7-0001020eed82.html.
>>>>
>>>> Forbidden? Why? Anyone...
>>>
>>>
>>>Yes, this one: just follow the link. (pretty obvious ;))
>>>
>>>If you insist on installing the port, 'un'break it manually.
>>>
>>>HTH
>>>
>>
>>Purely out of curiosity... when a possible exploit such as this is
>>discovered in a port and a patch is provided, why is it not patched
>>immediately? I understand that when a vulnerability is discovered it is
>>important to look for similar bugs in the file and also the entire port.
>>Is this what takes the time, or is it purely a maintainer finding the
>>time to update it?
>>
>>Again, this is just out of curiosity and not related to this port in
>>particular.
>
>
> Yes -- it's just waiting for the maintainer to provide an update.
> Most maintainers in this situation will send-pr(1) a fix within a day
> or so. The security team will generally prod (via e-mail) any port
> maintainer when they add a VuXML entry concerning their port -- unless
> it was the port maintainer that told them about the problem in the
> first place, which does happen occasionally.
>
> PRs applying updates to ports and marked 'Security' and/or CC'd to the
> security team tend to get committed PDQ, even during the middle of a
> ports freeze.
>
> Depending on the responsiveness of the maintainer and/or the severity
> of the vulnerability and/or availability of patches, a port may either
> be marked 'FORBIDDEN' or pre-emptively patched without the
> maintainer's involvement, but those are both quite rare events.
>
> You can always override the vulnerability checking by setting
> 'DISABLE_VULNERABILITIES=yes' in the environment. Often this makes
> sense to do, but only once you've read through the background material
> from the VuXML document -- e.g. the vulnerability may permit privilege
> escalation for local users, which would be bad ju-ju if you were
> running a public-access shell server, but no biggie if it was on your
> personal desktop box that only you would ever use.
>
> Cheers,
>
> Matthew
>

Thanks. That was very informative. :)

Chris
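The two mechanisms Matthew's reply rests on are the VuXML entry, which names the affected package and the version range it covers, and the DISABLE_VULNERABILITIES override. The script below is an added example for this thread, not FreeBSD's ports framework or portaudit code: it parses a constructed VuXML fragment, decides whether a package version falls inside a `<range>` using a simplified form of the ports version ordering (epoch `,N` first, then the dotted version, then `_N` PORTREVISION; the alphabetic-suffix special cases of pkg_version(1) are not modelled), and mirrors the override decision from an environment dict so the two outcomes can be compared side by side. The vid, topic, dates and the `6.0.1_1` bound in the sample entry are placeholders, not the contents of the real entry linked above; the range tests cover all five bound elements VuXML allows (`lt`, `le`, `eq`, `ge`, `gt`), which goes beyond the single `<lt>` case in the sample.

```python
"""Added example (not FreeBSD's own code): check a package version against
VuXML <range> bounds and mirror the DISABLE_VULNERABILITIES override."""
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed VuXML fragment.  The vid, topic, dates and the 6.0.1_1 bound
# are placeholders, NOT the real entry referenced in the thread.
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/2004/vuxml">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>pdflib -- placeholder entry for this example</topic>
    <affects>
      <package>
        <name>pdflib</name>
        <range><lt>6.0.1_1</lt></range>
      </package>
    </affects>
    <dates><discovery>2005-01-01</discovery><entry>2005-01-02</entry></dates>
  </vuln>
</vuxml>
"""


def parse_pkg_version(v: str) -> Tuple[int, tuple, int]:
    """Split 'VERSION[_REVISION][,EPOCH]' into (epoch, components, revision).
    Components are tagged so numbers and letters never compare directly:
    (0, 6) for a numeric run, (1, 'b') for an alphabetic run.  Simplified
    relative to pkg_version(1), which has extra rules for suffixes."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    comps = []
    for piece in v.split("."):
        for tok in re.findall(r"\d+|[A-Za-z]+", piece):
            comps.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return epoch, tuple(comps), revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    pa, pb = parse_pkg_version(a), parse_pkg_version(b)
    return (pa > pb) - (pa < pb)


# VuXML bound elements, applied to compare_versions(installed, bound).
_RANGE_TESTS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def vulnerable_entries(vuxml_text: str, pkgname: str, version: str) -> List[str]:
    """Return the vids of every <vuln> whose <affects> covers pkgname at version.
    A <range> matches when all of its bounds hold; a <package> matches on any range."""
    root = ET.fromstring(vuxml_text)
    hits: List[str] = []
    for vuln in root.iter():
        if _local(vuln.tag) != "vuln":
            continue
        for pkg in vuln.iter():
            if _local(pkg.tag) != "package":
                continue
            names = [n.text for n in pkg if _local(n.tag) == "name"]
            if pkgname not in names:
                continue
            ranges = [r for r in pkg if _local(r.tag) == "range"]
            if any(all(_RANGE_TESTS[_local(b.tag)](compare_versions(version, b.text))
                       for b in rng) for rng in ranges):
                vid = vuln.get("vid")
                if vid not in hits:
                    hits.append(vid)
    return hits


def build_blocked(vuxml_text: str, pkgname: str, version: str,
                  env: Optional[Dict[str, str]] = None) -> Tuple[bool, List[str]]:
    """Mirror the override from the reply: a version covered by a VuXML entry
    stops the build unless DISABLE_VULNERABILITIES is set in the environment.
    `env` defaults to the real environment; pass a dict to test a decision."""
    if env is None:
        env = dict(os.environ)
    vids = vulnerable_entries(vuxml_text, pkgname, version)
    blocked = bool(vids) and not env.get("DISABLE_VULNERABILITIES")
    return blocked, vids


if __name__ == "__main__":
    for ver in ("6.0.1", "6.0.1_1", "6.0.2"):
        print(ver, build_blocked(SAMPLE_VUXML, "pdflib", ver, env={}))
    print("override:", build_blocked(SAMPLE_VUXML, "pdflib", "6.0.1",
                                     env={"DISABLE_VULNERABILITIES": "yes"}))
```

The point of keeping `vulnerable_entries` separate from `build_blocked` is the one Matthew makes: the override only changes whether the build stops, not whether the version is covered by an entry, so the vids are still returned and can be read before deciding that the affected configuration does not apply to the box in question.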