/usr/ports is a working copy of head@r362876; during my daily portmaster run to update all installed ports on my laptop, I see that libevent1 is now replaced by libevent2.
Apparently www/firefox had been linked against libevent, so portmaster tries to update www/firefox (after having updated several other ports). That process terminates rather abrutly, however: ===>>> All >> firefox-30.0_1,1 (12/15) 0;portmaster: All >> firefox-30.0_1,1 (12/15)^G ===> Cleaning for firefox-30.0_2,1 ===> firefox-30.0_2,1 has known vulnerabilities: firefox-30.0_2,1 is vulnerable: mozilla -- multiple vulnerabilities CVE: CVE-2014-1561 CVE: CVE-2014-1560 CVE: CVE-2014-1559 CVE: CVE-2014-1558 CVE: CVE-2014-1557 CVE: CVE-2014-1556 CVE: CVE-2014-1555 CVE: CVE-2014-1552 CVE: CVE-2014-1551 CVE: CVE-2014-1550 CVE: CVE-2014-1549 CVE: CVE-2014-1548 CVE: CVE-2014-1547 CVE: CVE-2014-1544 WWW: http://portaudit.FreeBSD.org/978b0f76-122d-11e4-afe3-bc5ff4fb5e7b.html 1 problem(s) in the installed packages found. => Please update your ports tree and try again. => Note: Vulnerable ports are marked as such even if there is no update available. => If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes' *** [check-vulnerable] Error code 1 Stop in /common/ports/www/firefox. *** [build] Error code 1 Stop in /common/ports/www/firefox. ===>>> make build failed for www/firefox ===>>> Aborting update As a reality check, I did take a quick look at <http://docs.freebsd.org/mail/current/svn-ports-head.html> to see if, perchance, there were commits to www/firefox to address those reported vulnerabilities since r362876, but the most recent commit I see there now is r362887 -- and none of the commits since r362876 is about/for www/firefox (or anything related, AFAICT). So I'm left wondering how this is actually useful: I'm left with a copy of firefox installed (more or less) that has known vulnerabilities and is broken (since it's still linked against a library that no longer exists). At least I was able to use a copy of firefox on a machine I haven't started to upgrade yet (so I could refer to the cited Web page(s)). Since I'm disinclined to globally disable all vulnerability checking, I'm proceeding with updates to the ports that portmaster hadn't yet got to first, before (temporarily) disabling the checks so I can have a working graphical Web browser with which I'm familiar again. Which reminds me: the cited directive re. the libevent change (in UPDATING): "pkg delete libevent" also deleted sysutils/tmux, so the subsequent "portmaster -ad" had no clue that tmux was supposed to be rebuilt. I was able to re-install it manually, but I mention this in case it helps someone else. (Ugh. It appears that the "portmaster -aF" that I ran earlier this morning didn't actually fetch the firefox-30.0.source.tar.bz2... wait up; that should have been there already. Making me wait while that's re-fetched is ... not good: I'm trying to get this laptop updated before I go in to work this morning.... OK; I found a local copy on another machine.) Peace, david -- David H. Wolfskill da...@catwhisker.org Taliban: Evil cowards with guns afraid of truth from a 14-year old girl. See http://www.catwhisker.org/~david/publickey.gpg for my public key.
pgp32Bp0lXhqQ.pgp
Description: PGP signature
