pkg repositories out of alignment (was: Re: bash vulnerability)

2014-09-26 Thread Paul Hoffman
Just a note that the pkg repo for 10 seems to be far advanced over that for 
9.3. That is, the bash fix appeared in the 10 repo yesterday (or earlier), but 
it is still not in the 9.3 repo. Here's what I'm seeing on a 9.3 box right now:

# sudo pkg update
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
# sudo pkg audit
bash-4.3.24 is vulnerable:
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: http://portaudit.FreeBSD.org/71ad81da-4414-11e4-a33e-3c970e169bc2.html

1 problem(s) in the installed packages found.
# sudo pkg upgrade bash
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
Checking integrity... done (0 conflicting)
Your packages are up to date.

I appreciate the speed that folks update the packages; I'm a bit distressed 
that 9.3 seems to be a second-class citizen for security fixes. (And I totally 
admit that I could be misreading the situation.)

--Paul Hoffman
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to freebsd-security-unsubscr...@freebsd.org
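The output above shows the situation a consumer of the binary repository is in: `pkg audit` flags the installed bash against the VuXML database, but `pkg upgrade` has nothing newer to offer because the repository catalogue still carries the same version. The script below is an added example, not part of the original post or of pkg itself; it parses constructed `pkg audit` output and a constructed `pkg rquery '%n %v'` catalogue listing (both stand-ins for the real commands, embedded inline so the script runs offline) and reports, per vulnerable package, whether `pkg upgrade` can fix it yet or whether the repository is lagging and the port must be built from source. Version comparison is plain string equality here; on a real box use `pkg version -t` for ordering.

```shell
#!/bin/sh
# Added example: classify "pkg audit" findings against the repo catalogue.
# Constructed sample output standing in for `pkg audit` on the 9.3 box.
SAMPLE_AUDIT='bash-4.3.24 is vulnerable:
bash -- remote code execution vulnerability
CVE: CVE-2014-7169
CVE: CVE-2014-6271
WWW: http://portaudit.FreeBSD.org/71ad81da-4414-11e4-a33e-3c970e169bc2.html

1 problem(s) in the installed packages found.'

# Constructed stand-ins for `pkg rquery '%n %v'` (repo catalogue listing):
# one where the repo still has the vulnerable version, one where it has moved on.
SAMPLE_REPO_LAGGING='bash 4.3.24'
SAMPLE_REPO_FIXED='bash 4.3.25'

# vulnerable_pkgs AUDIT_TEXT
#   Prints "name version" for every "<name>-<version> is vulnerable:" line.
#   The greedy first group keeps hyphenated package names intact; the version
#   is the last hyphen-free component before " is vulnerable:".
vulnerable_pkgs() {
  printf '%s\n' "$1" | sed -n 's/^\(.*\)-\([^-]*\) is vulnerable:$/\1 \2/p'
}

# repo_version NAME REPO_TEXT
#   Prints the catalogue version of NAME, or nothing if it is not in the repo.
repo_version() {
  printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $2 }'
}

# audit_status AUDIT_TEXT REPO_TEXT
#   For each vulnerable package prints one of:
#     "<name> <ver> upgrade-available <repo-ver>"  -> pkg upgrade will fix it
#     "<name> <ver> repo-lagging"                  -> build from ports or wait
#     "<name> <ver> not-in-repo"                   -> installed from elsewhere
#   Equality is a simplification; `pkg version -t` gives a proper ordering.
audit_status() {
  audit="$1"; repo="$2"
  vulnerable_pkgs "$audit" | while read -r name ver; do
    rver=$(repo_version "$name" "$repo")
    if [ -z "$rver" ]; then
      echo "$name $ver not-in-repo"
    elif [ "$rver" = "$ver" ]; then
      echo "$name $ver repo-lagging"
    else
      echo "$name $ver upgrade-available $rver"
    fi
  done
}

# Usage on a live system would be:
#   audit_status "$(pkg audit)" "$(pkg rquery '%n %v')"
audit_status "$SAMPLE_AUDIT" "$SAMPLE_REPO_LAGGING"
audit_status "$SAMPLE_AUDIT" "$SAMPLE_REPO_FIXED"
```

A `repo-lagging` result is exactly the case in the transcript above: the audit database already knows about the CVE but the package set has not been rebuilt, so the only immediate fix is `cd /usr/ports/shells/bash && make install clean` (or waiting for the next package build).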


Re: pkg repositories out of alignment (was: Re: bash vulnerability)

2014-09-26 Thread Mark Felder
On Fri, Sep 26, 2014, at 10:25, Paul Hoffman wrote:
> 
> I appreciate the speed that folks update the packages; I'm a bit
> distressed that 9.3 seems to be a second-class citizen for security
> fixes. (And I totally admit that I could be misreading the situation.)
> 

(speaking strictly as a consumer of the pkg repository)

I am not aware of any other packages with security vulnerabilities that
have been updated on the repository outside of the planned once-a-week
schedule. This means if the package set is built and published and
immediately thereafter a vulnerability comes out for www/chromium, don't
expect to see the update until next week.

There is a desire to solve this problem and it is not a simple solution.
Keep in mind that the ports tree has existed for 20 years now expecting
people to consume it from source, not from packages. I've witnessed the
ports team and ports-mgmt/pkg authors perform miracles over the last 2
years and they have further plans to modernize the architecture.

FYI, the repositories are built sequentially and I don't think there's a
preference of a certain release over another. They're working hard to
get these updated packages out the door as fast as possible.