Date:      Fri, 23 Nov 2012 14:37:35 +0100
From:      Matthieu Volat <mazhe@alkumuna.eu>
To:        freebsd-ports@freebsd.org
Subject:   Re: Opera vulnerability, marked forbidden instead of update?
Message-ID:  <20121123143735.90c91a7d81dc73c39764bcd8@alkumuna.eu>
In-Reply-To: <50AF3B4B.9030704@freebsd.org>
References:  <20121123092631.3b0aff2f0902e02098c273b4@alkumuna.eu> <50AF3B4B.9030704@freebsd.org>

On Fri, 23 Nov 2012 09:00:59 +0000
Matthew Seaman <matthew@freebsd.org> wrote:

> On 23/11/2012 08:26, Matthieu Volat wrote:
> > I've noticed that www/opera was marked FORBIDDEN because of a security hole:
> > http://www.freebsd.org/cgi/getmsg.cgi?fetch=614275+0+current/svn-ports-head
> > 
> > The Opera Software company advisory indeed marks this bug as high severity, and mentions that there is an update to fix it.
> > 
> > I am not familiar with the security process in ports, but would it not be better to update the version? Marking it FORBIDDEN does not do much for the userbase that already has it installed.
> > 
> > I've bumped the versions in the Makefile
> > OPERA_VER?=     12.11
> > OPERA_BUILD?=   1661
> > and made a `make makesum reinstall`, there was no apparent problem.
> 
> Marking a port 'FORBIDDEN' is a quick response measure that can be done
> without having to worry about time-consuming testing of the port and so
> forth.  It's an interim measure taken to ensure that users do not
> unwittingly install software with known vulnerabilities.
> 
> Yes, updating the port to a non-vulnerable version is the ideal
> response, but that may not be possible to do straight away.  You've
> sketched out the first couple of steps a port maintainer would take, but
> that 'there was no apparent problem' statement would need to be backed
> up by some more rigorous testing before a maintainer would feel
> confident in committing the update.
> 
> 	Cheers,
> 
> 	Matthew

Hello and thanks for the explanation,

Cheers,

-- 
Matthieu Volat <mazhe@alkumuna.eu>
