Date: Thu, 10 Apr 2014 21:35:05 +0300
From: Janne Snabb <snabb@epipe.com>
To: freebsd-ports@freebsd.org, freebsd security <freebsd-security@freebsd.org>
Subject: Missing binary package security updates?
Message-ID: <5346E459.3020207@epipe.com>
Hi,

I recently started using the new fancy pkgng binary packages on some machines that I maintain. I thought I could save a lot of time as I would not need to keep compiling ports manually any more.

Unfortunately it seems that it was not such a good idea:

# date
Thu Apr 10 21:27:22 EEST 2014
# pkg audit
openssl-1.0.1_9 is vulnerable:
OpenSSL -- Multiple vulnerabilities - private data exposure
CVE: CVE-2014-0076
CVE: CVE-2014-0160
WWW: http://portaudit.FreeBSD.org/5631ae98-be9e-11e3-b5e3-c80aa9043978.html

1 problem(s) in the installed packages found.
# pkg upgrade
Updating repository catalogue
Nothing to do
#

This is on FreeBSD 8/i386.

I think I have noticed binary package updates only about once a week. Is my observation correct? Why such an infrequent update cycle?

If there is some real reason to build package updates so rarely, would it be possible to hasten the cycle whenever serious issues like CVE-2014-0160 are found?

Right now pkgng binary packages are not really suitable for production use because of lacking essential security updates. (There should be a loud and clear warning about this in the Handbook if it stays this way?)

Best Regards,
--
Janne Snabb
snabb@epipe.com
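The situation in the mail, a vulnerable `pkg audit` result followed by `pkg upgrade` reporting "Nothing to do", is easy to miss when both commands run unattended. The script below is an added example, not part of the original message and not part of pkg itself: it cross-checks the packages `pkg audit` flags against the versions the binary repository currently offers and lists those for which the repository still carries the same (or no) version, i.e. the ones a `pkg upgrade` cannot fix yet. The `pkg audit` and repository outputs are embedded as constructed samples so it runs offline; the second package, `demolib`, is fictional and stands in for any other flagged package. `pkg rquery '%n-%v'`, `pkg query '%n'` and `pkg version -t` are real pkg commands, but the cross-check logic is the example's own.

```shell
#!/bin/sh
# Added example; not from the original mail and not part of pkg.
# Reports packages that `pkg audit` flags as vulnerable but for which the
# binary repository offers no different version, so that
# "pkg upgrade: Nothing to do" after a bad audit is made explicit.
# Inputs are constructed samples so the script runs offline; on a live
# host feed it real `pkg audit` and `pkg rquery` output (see bottom).

# Constructed sample of `pkg audit` output (format as shown in the mail;
# the demolib entry is fictional and has no real advisory).
AUDIT_SAMPLE='openssl-1.0.1_9 is vulnerable:
OpenSSL -- Multiple vulnerabilities - private data exposure
CVE: CVE-2014-0076
CVE: CVE-2014-0160
WWW: http://portaudit.FreeBSD.org/5631ae98-be9e-11e3-b5e3-c80aa9043978.html
demolib-1.0 is vulnerable:
Constructed sample entry for a second, fictional package
2 problem(s) in the installed packages found.'

# Constructed sample of the remote catalogue: one "name-version" per line,
# as `pkg rquery "%n-%v" <name>` prints for each installed package name.
REMOTE_SAMPLE='openssl-1.0.1_9
demolib-1.1'

# Print "name-version" for every package `pkg audit` flags.
vulnerable_pkgs() {
    printf '%s\n' "$1" | sed -n 's/^\([^ ]*\) is vulnerable:$/\1/p'
}

# Package name: everything before the last '-' of "name-version".
pkg_name() {
    printf '%s\n' "${1%-*}"
}

# Version the repository offers for a name, or empty if it is absent.
remote_version() {
    printf '%s\n' "$2" | sed -n "s/^$1-\([^ ]*\)$/\1/p" | head -n 1
}

# List vulnerable packages for which the repository offers no different
# version. The comparison is a plain string compare; on a real system use
# `pkg version -t <installed> <candidate>`, which understands FreeBSD
# version ordering (e.g. _9 < _10) and prints '<', '=' or '>'.
unfixed_in_repo() {
    audit="$1"; remote="$2"
    for pkg in $(vulnerable_pkgs "$audit"); do
        name=$(pkg_name "$pkg")
        installed="${pkg##*-}"
        candidate=$(remote_version "$name" "$remote")
        if [ -z "$candidate" ] || [ "$candidate" = "$installed" ]; then
            printf '%s\n' "$pkg"
        fi
    done
}

# On a live host, replace the samples with real output:
#   unfixed_in_repo "$(pkg audit)" "$(pkg rquery '%n-%v' $(pkg query '%n'))"
unfixed_in_repo "$AUDIT_SAMPLE" "$REMOTE_SAMPLE"
```

With the samples above the script prints only openssl-1.0.1_9: the repository still offers exactly the installed version, so `pkg upgrade` has nothing to install, whereas demolib has a newer candidate and would be handled by an ordinary upgrade. Run it from cron alongside `pkg audit` and alert on non-empty output; that is the check whose absence the mail is complaining about.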