Date:      Sat, 21 May 2005 09:58:17 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Robert S <robert.spam.me.senseless@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: portaudit: recommended packages can't be installed
Message-ID:  <20050521165817.GA19062@xor.obsecurity.org>
In-Reply-To: <7093dffb05052106296c487773@mail.gmail.com>
References:  <7093dffb05052106296c487773@mail.gmail.com>

On Sat, May 21, 2005 at 01:29:11PM +0000, Robert S wrote:
> I've just started playing around with FreeBSD.  One of my main
> priorities of an OS is ease of upgrading.  If I run portaudit, I get a
> list of insecure packages (here is an excerpt from the output):
>
> Affected package: firefox-1.0.3,1
> Type of problem: mozilla -- code execution via javascript: IconURL
> vulnerability.
> Reference: <http://www.FreeBSD.org/ports/portaudit/eca6195a-c233-11d9-804c-02061b08fc24.html>
>
> Affected package: kdelibs-3.4.0_1
> Type of problem: kdelibs -- kimgio input validation errors.
> Reference: <http://www.FreeBSD.org/ports/portaudit/06404241-b306-11d9-a788-0001020eed82.html>
>
> 4 problem(s) in your installed packages found.
>
> You are advised to update or deinstall the affected package(s) immediately.
> freebsd #
>
> If I try to replace kdelibs with a binary package, or install it
> through ports (after doing a cvsup), I still get version 3.4.0_1.
>
> Are fixes not necessarily made available when security vulnerabilities
> are found?

Not instantly, of course... and in some cases they are not fixed for a
long time.  The third party software in the ports collection is
maintained to different standards depending on the project.  If you
have questions, you should contact those third party developers.

> Also -- is there a similar utility to portaudit and freebsd-update,
> that can be used on the base operating system (not through ports)?

freebsd-update works on the base system.

Kris