Re: portaudit and automake14

2012-08-28 Thread David Newman
On 8/28/12 11:53 AM, Bryan Drewery wrote:
> On 8/28/2012 1:47 PM, David Newman wrote:
>> 1. On a 8.0-RELEASE system, I'm having a problem with the automake14
>> port, where the portaudit port reports this vulnerability:
>>
>> http://portaudit.freebsd.org/10f38033-e006-11e1-9304-.html
>>
>> Refreshing the ports collection with 'portsnap fetch extract' and then
>> running 'portmaster automake14' returned the same error as before:
>>
>> automake -- Insecure 'distcheck' recipe granted world-writable distdir
>>
>> I then tried to do 'make deinstall && make reinstall' for automake14,
>> but that just deinstalled the port. The system returns the same error as
>> above when trying to reinstall.
>>
>> How to resolve?
>>
>> 2. This system also has a couple of other automake ports installed:
>>
>> automake-1.12.3
>> automake-wrapper-20101119
>>
>> How to determine if these are necessary in addition to automake14?
> 
> 
> automake14 is not vulnerable to this issue. The vuxml was recently
> updated to show that it only affects 1.5 and up.
> 
> http://www.vuxml.org/freebsd/36235c38-e0a8-11e1-9f4d-002354ed89bc.html
> 
> Not sure when portaudit updates, but in the meantime you can ignore that
> error:
> 
> env DISABLE_VULNERABILITIES=1 portmaster ...
> 
> You can also try deinstalling automake14 as it may not even be required
> on your system and the newer 1.12 may automatically be used instead.
> 
> To be clear, automake14 is super old. automake-1.12.3 is current.

Thanks much for this. As noted, I've de-installed automake14 and haven't
noticed any problems as a result. It can be reinstalled using that env
flag you mentioned, but if it's not needed, then that's one less thing
to go wrong. . .

Thanks again.

dn



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: portaudit and automake14

2012-08-28 Thread Bryan Drewery
On 8/28/2012 1:47 PM, David Newman wrote:
> 1. On a 8.0-RELEASE system, I'm having a problem with the automake14
> port, where the portaudit port reports this vulnerability:
> 
> http://portaudit.freebsd.org/10f38033-e006-11e1-9304-.html
> 
> Refreshing the ports collection with 'portsnap fetch extract' and then
> running 'portmaster automake14' returned the same error as before:
> 
> automake -- Insecure 'distcheck' recipe granted world-writable distdir
> 
> I then tried to do 'make deinstall && make reinstall' for automake14,
> but that just deinstalled the port. The system returns the same error as
> above when trying to reinstall.
> 
> How to resolve?
> 
> 2. This system also has a couple of other automake ports installed:
> 
> automake-1.12.3
> automake-wrapper-20101119
> 
> How to determine if these are necessary in addition to automake14?


automake14 is not vulnerable to this issue. The vuxml was recently
updated to show that it only affects 1.5 and up.

http://www.vuxml.org/freebsd/36235c38-e0a8-11e1-9f4d-002354ed89bc.html

Not sure when portaudit updates, but in the meantime you can ignore that
error:

env DISABLE_VULNERABILITIES=1 portmaster ...

You can also try deinstalling automake14 as it may not even be required
on your system and the newer 1.12 may automatically be used instead.

To be clear, automake14 is super old. automake-1.12.3 is current.


> 
> Thanks
> 
> dn
> 

Bryan



Re: portaudit php vulnerabilities

2009-12-26 Thread Jerry
On Fri, 25 Dec 2009 23:45:39 -0800
Nerius Landys  replied:

>> For the past week or so, portaudit has been warning me that the
>> installed version of php on my system (php5-5.2.11_1) has known
>> vulnerabilities. Fair enough. However, I've not seen a fix in the
>> ports tree since then. Is my only option to deinstall php until this
>> gets fixed?
>
>Hi.  I've been experiencing the same problem.  Apparently 5.2.12 is
>not in the ports yet, but probably will be soon.
>
>I found it necessary to do some port-related commands even though
>5.2.11 is currently blacklisted by portaudit.  You can use
>DISABLE_VULNERABILITIES in your commands as outlined here until there
>is an updated port:

Same problem here. I was going to update to FreeBSD-8 this weekend;
however, I thought better of it. As sure as death and taxes, I know
that as soon as I install FBSD-8 with PHP the new version of PHP will
become available. I'll install it and something will break. I'll just
wait until this problem is resolved.

-- 
Jerry
ges...@yahoo.com


Genuine happiness is when a wife sees a double chin on her husband's
old girl friend.



Re: portaudit php vulnerabilities

2009-12-25 Thread Nerius Landys
> For the past week or so, portaudit has been warning me that the
> installed version of php on my system (php5-5.2.11_1) has known
> vulnerabilities. Fair enough. However, I've not seen a fix in the ports
> tree since then. Is my only option to deinstall php until this gets
> fixed?

Hi.  I've been experiencing the same problem.  Apparently 5.2.12 is
not in the ports yet, but probably will be soon.

I found it necessary to do some port-related commands even though
5.2.11 is currently blacklisted by portaudit.  You can use
DISABLE_VULNERABILITIES in your commands as outlined here until there
is an updated port:

http://www.ivorde.ro/FreeBSD_force_port_installation_upgrade_even_though_portaudit_reports_vulnerability_for_it-64.html


Re: Portaudit strange behavior.

2009-07-02 Thread Arek Czereszewski
Hi again,

Today portaudit works fine with

${portaudit_sites="http://portaudit.FreeBSD.org/"}

Now I need to change this option in portaudit on all servers.

Regards
Arek

-- 
Arek Czereszewski
arek (at) wup-katowice (dot) pl
"UNIX allows me to work smarter, not harder."


Re: Portaudit strange behavior.

2009-07-01 Thread mfv
On Wednesday, 1 July 2009 02:02:47 Arek Czereszewski wrote:
> Hi,
>
> On all my servers I have portaudit version 0.5.13
> If I try update audit database (by hand or from periodic script)
> I have:
>
> # portaudit -Fd
> auditfile.tbz 100% of   53 kB   39 kBps
> portaudit: Database too old.
> Old database restored.
> portaudit: Download failed.
> #
>
> When I change
>
> ${portaudit_sites="http://portaudit.FreeBSD.org/"}
> to
> ${portaudit_sites="http://www.FreeBSD.org/ports/"}
> Like was in 0.5.12
> # portaudit -Fd
> auditfile.tbz 100% of   56 kB   34 kBps
> New database installed.
> Database created: Wed Jul  1 07:40:02 CEST 2009
> Update work fine.
>
> Anyone have behavior like I have?
>
> regards
> Arek

Hello Arek,

I've had the same problem for the last few days.  Thanks for a temporary 
solution.

Marek



Re: Portaudit strange behavior.

2009-07-01 Thread dan
On Wednesday 01 July 2009 08:02:47 Arek Czereszewski wrote:
> Hi,
>
> On all my servers I have portaudit version 0.5.13
> If I try update audit database (by hand or from periodic script)
> I have:
>
> # portaudit -Fd
> auditfile.tbz 100% of   53 kB   39 kBps
> portaudit: Database too old.
> Old database restored.
> portaudit: Download failed.
> #
>
> When I change
>
> ${portaudit_sites="http://portaudit.FreeBSD.org/"}
> to
> ${portaudit_sites="http://www.FreeBSD.org/ports/"}
> Like was in 0.5.12
> # portaudit -Fd
> auditfile.tbz 100% of   56 kB   34 kBps
> New database installed.
> Database created: Wed Jul  1 07:40:02 CEST 2009
> Update work fine.
>
> Anyone have behavior like I have?
>
> regards
> Arek
Oups ! I experienced the same behaviour this morning, but after that I did not 
make any change. Waiting for news,

d



Re: portaudit and periodic

2008-12-20 Thread kareemy
I believe I am incorrect. I checked further and it looks like
$daily_status_security_portaudit_enable defaults to YES in the
portaudit script so it should run fine. Everything seems to be
working. I don't know why I thought it wasn't running before. Sorry
for the trouble. Thanks.

On Sat, Dec 20, 2008 at 5:42 PM, kareemy  wrote:
> I am using FreeBSD 7-RELEASE. I installed portaudit. The FreeBSD
> handbook stated that during the install process, the configuration
> files for periodic will be updated, permitting portaudit output in the
> daily security runs.
>
> portaudit was not run in my daily security runs. There is no mention
> of portaudit in /etc/periodic.conf or /etc/defaults/periodic.conf. I
> read /usr/local/etc/periodic/security/410.portaudit and found that it
> references 3 variables:
> daily_status_security_portaudit_enable
> daily_status_security_portaudit_expiry
> daily_status_security_portaudit_user
>
> I can't find those variables defined anywhere in any periodic.conf
> file. I understand I can just manually add
> daily_status_security_portaudit_enable="YES" to my periodic.conf and
> be good to go. But I am wondering about the discrepancy with the
> Freebsd handbook.
>
> Is the FreeBSD handbook out of date or incorrect in this regard or is
> there another reason why portaudit didn't update the periodic config
> files?
>
> Thanks,
> Kareem Dana
>


Re: portaudit -solved

2008-12-09 Thread Richard KHOO Guan Chen

Thank you Sahil Tandon

I have solved the problem. My ISP uses proxy  for http (I think) as I have 
closed off port 80 and opened port 8080, and that has got me to the web 
with no problem. I have also been able to use ports installation with my 
ipf firewall setup, so I could not understand why portaudit command 
failed. I have now opened up port 80 and get the thing working.


Your message got me thinking in this direction as you confirmed that the 
file is from http://www.FreeBSD.org/ports.


Once again thanks and apologies for the late reply.


On Mon, 8 Dec 2008, Sahil Tandon wrote:

> Richard KHOO Guan Chen wrote:
>
> > I have recently installed 6.4 release and tried to do a portaudit -F.
> > No go reply was that auditfile.tbz unavailable.
>
> By default, portaudit fetches the database from www.FreeBSD.org/ports.
> What is the output of the following commands on your machine?
>
> % wget http://www.FreeBSD.org/ports/auditfile.tbz
> % fetch -1amp http://www.FreeBSD.org/ports/auditfile.tbz
>
> Have you created or modified /usr/local/etc/portaudit.conf?
>
> --
> Sahil Tandon <[EMAIL PROTECTED]>




Re: portaudit

2008-12-08 Thread Sahil Tandon
Richard KHOO Guan Chen wrote:

> I have recently installed 6.4 release and tried to do a portaudit -F.
> No go reply was that auditfile.tbz unavailable.

By default, portaudit fetches the database from www.FreeBSD.org/ports.
What is the output of the following commands on your machine?

% wget http://www.FreeBSD.org/ports/auditfile.tbz
% fetch -1amp http://www.FreeBSD.org/ports/auditfile.tbz

Have you created or modified /usr/local/etc/portaudit.conf?

-- 
Sahil Tandon <[EMAIL PROTECTED]>


Re: portaudit in periodic [SOLVED]

2007-12-24 Thread Andrea Venturoli

Cristian KLEIN ha scritto:

> But have you tried running these commands from the shell? It is very important
> to check the scripts with the above SHELL & PATH environment. If the above works
> from the shell, I'm pretty much out of ideas too.

Yes, and it did work.

In the end I realized the problem was that I have to use a proxy: from 
the shell portaudit picked up HTTP_PROXY and FTP_PROXY from the 
environment, while it didn't when launched from cron.


Obviously setting up portaudit.conf was the solution.

 bye & Thanks
av.



Re: portaudit in periodic

2007-12-17 Thread Cristian KLEIN
Andrea Venturoli wrote:
> Cristian KLEIN ha scritto:
> 
>> I used to have problem with cron scripts, because cron uses another
>> PATH than
>> what the script gets if it's run from the shell. Could you try the
>> following
>> (assuming sh):
>>
>> export SHELL=/bin/sh
>> export PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
>> export HOME=/var/log
>> periodic daily
>>
>>
> 
> Sorry if I reply this late: I tried something similar in crontab and let
> it test for a while, but nothing changed.
> I'm really out of ideas here. :-(

But have you tried running these commands from the shell? It is very important
to check the scripts with the above SHELL & PATH environment. If the above works
from the shell, I'm pretty much out of ideas too.




Re: portaudit in periodic

2007-12-17 Thread Andrea Venturoli

Cristian KLEIN ha scritto:

> I used to have problem with cron scripts, because cron uses another PATH than
> what the script gets if it's run from the shell. Could you try the following
> (assuming sh):
>
> export SHELL=/bin/sh
> export PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
> export HOME=/var/log
> periodic daily

Sorry if I reply this late: I tried something similar in crontab and let 
it test for a while, but nothing changed.

I'm really out of ideas here. :-(

 bye & Thanks
av.


Re: portaudit in periodic

2007-11-26 Thread RW
On Mon, 26 Nov 2007 12:45:56 +0200
Cristian KLEIN <[EMAIL PROTECTED]> wrote:

> Andrea Venturoli wrote:

> > On one box, however, portaudit's db won't update automatically. The
> > security reports will mention no vulnerability, even when I know
> > they are there.
> > Running "periodic daily" from a shell does it all for good, so that
> > for a few days I'll see the correct warnings.
> 
> I used to have problem with cron scripts, because cron uses another
> PATH than what the script gets if it's run from the shell. 

That shouldn't be relevant, the update should be done as a side-effect
of the daily security run, and the path to portaudit is hard-coded into
the periodic script.


Re: portaudit in periodic

2007-11-26 Thread Cristian KLEIN
Andrea Venturoli wrote:
> Hello.
> I'm running a dozen boxes (most being 6.2) with portaudit installed and
> I usually get a port vulnerability report in the daily security run.
> 
> On one box, however, portaudit's db won't update automatically. The
> security reports will mention no vulnerability, even when I know they
> are there.
> Running "periodic daily" from a shell does it all for good, so that for
> a few days I'll see the correct warnings.

I used to have problem with cron scripts, because cron uses another PATH than
what the script gets if it's run from the shell. Could you try the following
(assuming sh):

export SHELL=/bin/sh
export PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
export HOME=/var/log
periodic daily



Re: portaudit in periodic

2007-11-23 Thread Andrea Venturoli

RW ha scritto:

> Have you checked its clock?

Yep.

# date
Fri Nov 23 18:13:17 CET 2007

Seems fine to me.

Also, it's running ntp, although I'd expect something better from it.

 bye & Thanks
av.


Re: portaudit in periodic

2007-11-23 Thread RW
On Fri, 23 Nov 2007 10:28:31 +0100
Andrea Venturoli <[EMAIL PROTECTED]> wrote:

> Hello.
> I'm running a dozen boxes (most being 6.2) with portaudit installed
> and I usually get a port vulnerability report in the daily security
> run.
> 
> On one box, however, portaudit's db won't update automatically. The 
> security reports will mention no vulnerability, even when I know they 
> are there.
> Running "periodic daily" from a shell does it all for good, so that
> for a few days I'll see the correct warnings.

Have you checked its clock?


Re: portaudit report vs. portupgrade report

2006-05-18 Thread Gerard Seibert
Jim Angstadt wrote:

> Hi All,
> 
> I'm new to FreeBSD.
> 
> The daily security report lists 9 problems with
> installed packages.  
> 
> In an earlier message I was advised to use the ports
> system to avoid dealing with package dependencies. 
> Thanks to all for that advice.
> 
> So I have done the cvsup, buildworld, buildkernel,
> .., process and completed without errors.  (Thanks to
> all who have posted helpful messages on this subject.)
> 
> Running "portaudit -Fa" advised me that the same 9
> packages were still a problem.
> 
> Running "portupgrade -n firefox" advised me:
> 
>   ** No need to upgrade 'firefox-1.0.7_1,1' (>=
> firefox-1.0.7_1,1).
> 
> Same thing with mozilla:
> 
>   ** No need to upgrade 'mozilla-1.7.12,2' (>=
> mozilla-1.7.12,2).
> 
> I did not check the other 7 packages in question.
> 
> On the surface, to me, it seems as if these two tools
> are giving me opposite information.
> 
> So, ... what is going on here?  What should I do to
> get right.
> 
> Please see below for the actual console traffic,
> slightly snipped.
> 
> 
> # --- actual console traffic ---
> 
> tiny# uname -a
> FreeBSD tiny.brc.localnet 6.0-RELEASE-p7 FreeBSD
> 6.0-RELEASE-p7 #0: Wed May 17 16:26:53 PDT 2006
> [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC 
> i386
> 
> 
> tiny# portaudit -Fa
> auditfile.tbz 100% of 
>  35 kB  154 kBps
> New database installed.
> Affected package: firefox-1.0.7_1,1
> Type of problem: mozilla -- multiple vulnerabilities.
> Reference:
>  00c6ec775d9.html>
> 
> Affected package: mozilla-1.7.12,2
> Type of problem: mozilla -- multiple vulnerabilities.
> Reference:
>  00c6ec775d9.html>
> 
> [ 7 other packages snipped ]
> 
> 9 problem(s) in your installed packages found.
> 
> You are advised to update or deinstall the affected
> package(s) immediately.
> 
> 
> tiny# portupgrade -n firefox
> --->  Session started at: Wed, 17 May 2006 18:55:20
> -0700
> [Rebuilding the pkgdb  in
> /var/db/pkg ... - 241 packages found (-0 +241)
> 
> done]
> [Updating the portsdb  in
> /usr/ports ... - 13306 port entries found
> 1000.2000.3000.4000.5000.6000.7000.8000.9000.1.11000.12000.13000...
>  done]
> ** No need to upgrade 'firefox-1.0.7_1,1' (>=
> firefox-1.0.7_1,1). (specify -f to force)
> --->  Listing the results (+:done / -:ignored /
> *:skipped / !:failed)
> - www/firefox (firefox-1.0.7_1,1)
> --->  Packages processed: 0 done, 1 ignored, 0 skipped
> and 0 failed
> --->  Session ended at: Wed, 17 May 2006 18:57:17
> -0700 (consumed 00:01:57)
> 
> 
> tiny# portupgrade -n mozilla
> --->  Session started at: Wed, 17 May 2006 18:58:49
> -0700
> ** No need to upgrade 'mozilla-1.7.12,2' (>=
> mozilla-1.7.12,2). (specify -f to force)
> --->  Listing the results (+:done / -:ignored /
> *:skipped / !:failed)
> - www/mozilla (mozilla-1.7.12,2)
> --->  Packages processed: 0 done, 1 ignored, 0 skipped
> and 0 failed
> --->  Session ended at: Wed, 17 May 2006 18:58:53
> -0700 (consumed 00:00:03)
> 
> 
> # - end of console traffic -

Portaudit is reporting problems with certain ports. You need to update
your ports tree, might I suggest portsnap, before you can correct the
problem. Even then, a new version of the port that corrects the problem
may not be available. If it is not, keep trying every day or so and it
will usually be made available to you. Obviously you need to update your
ports tree on a regular schedule. You might want to investigate using
CRON to automate this procedure for you.

Also, you might want to give portmanager a look. Personally, I prefer it
to portupgrade. Strictly a personal choice though. I just think it
handles dependencies in a far superior manner.


-- 
Gerard Seibert
[EMAIL PROTECTED]


Ruth rode upon my motor bike
directly in back of me.
I hit a bump at 95
and rode on Ruthlessly.


Re: portaudit reports: how to exclude a specific vulnerability

2005-10-31 Thread Daniel Pittman
"Michael C. Shultz" <[EMAIL PROTECTED]> writes:
> On Sunday 30 October 2005 22:45, you wrote:
G'day.

[...]

>> I can't work out how to tell portaudit to stop bothering me about 
>> [a single] particular vulnerability, though.
>>
>> Can I ask it to exclude a vulnerability, or (even better) a
>> vulnerability/package combination, from reports?
>
> I think this will do it, put it in /etc/make.conf
>
> .if ${.CURDIR:M*/security/p5-Crypt-OpenPGP}
> DISABLE_VULNERABILITIES="YES"
> .endif

Hrm.  That doesn't exclude it from the command line tool, and a quick
check of the periodic/security file tells me that it won't work in the
periodic runs either.

Unfortunately, portaudit only seems to support the 'portaudit_fixed'
system for marking a problem in the core OS fixed, not for individual
versions.

More searching also shows a comment from the author(s) to the effect
that this would be easy to extend to non-core packages, but that has not
been done yet.

Ah, well.  Either a local patch, or I just cope with the problem, I
guess.
Daniel
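A local post-filter for the situation Daniel describes (portaudit has no per-package, per-advisory exclusion of its own): this is an added example, not code from the thread or from portaudit. It reads a portaudit report on stdin, drops only the block in which the named package carries the named VuXML id, and regenerates the summary count; the sample report, the package version and both ids below are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from portaudit itself: a local
# post-filter that suppresses ONE accepted package/vulnerability pair in a
# portaudit report and leaves every other finding in place. Usage:
#     portaudit -a | filter_report p5-Crypt-OpenPGP <vuxml-id>
# Package name prefix and VuXML id are matched together, so the same package
# is still reported the moment a different advisory names it.

# Constructed sample in the layout portaudit -a prints (package versions
# and the two VuXML ids are made up for this example).
SAMPLE_REPORT='Affected package: p5-Crypt-OpenPGP-1.03
Type of problem: p5-Crypt-OpenPGP -- constructed example weakness.
Reference: <http://www.FreeBSD.org/ports/portaudit/00000000-0000-0000-0000-000000000001.html>

Affected package: firefox-1.0.7_1,1
Type of problem: mozilla -- multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/00000000-0000-0000-0000-000000000002.html>

2 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.'

# filter_report PKGPREFIX VUXML_ID   (report on stdin, filtered report on stdout)
filter_report() {
    awk -v pkg="$1" -v id="$2" '
        # Paragraph mode: each blank-line separated block is one record and
        # each line of it is one field.
        BEGIN { RS = ""; FS = "\n"; kept = 0 }
        # Only "Affected package:" blocks are findings; the original summary
        # and advice paragraphs are dropped here and regenerated in END.
        index($1, "Affected package: ") != 1 { next }
        {
            drop = 0
            if (index($1, "Affected package: " pkg) == 1)
                for (i = 2; i <= NF; i++)
                    if (index($i, id) > 0) drop = 1
            if (!drop) { print $0 "\n"; kept++ }
        }
        END {
            printf "%d problem(s) in your installed packages found.\n", kept
            if (kept > 0)
                print "\nYou are advised to update or deinstall the affected package(s) immediately."
        }'
}

# count_findings   (report on stdin): number of findings left in a report.
count_findings() {
    grep -c '^Affected package:' || true
}

# Demonstration on the constructed report: the accepted p5-Crypt-OpenPGP
# advisory disappears, the firefox finding and a count of 1 remain.
printf '%s\n' "$SAMPLE_REPORT" | filter_report p5-Crypt-OpenPGP 00000000-0000-0000-0000-000000000001
```

Because the match requires both the package prefix and the advisory id, the accepted package keeps being audited for anything new, which is the behaviour Daniel asked for.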


Re: portaudit reports: how to exclude a specific vulnerability

2005-10-30 Thread Michael C. Shultz
On Sunday 30 October 2005 22:45, you wrote:
> G'day.  I am relatively new to FreeBSD, but failed to find an answer to
> this question in the handbook, manual pages, or other references about
> portaudit:
>
> At the moment, portaudit is reporting one vulnerability on my system,
> with the 'p5-Crypt-OpenPGP' package.
>
> There isn't, apparently, a release of this package available that
> resolves the issue.
>
> I have checked the advisory and I am quite happy that the specific
> problem is not going to hurt here, so I don't mind that the
> theoretically vulnerable version is installed.[1]
>
> I can't work out how to tell portaudit to stop bothering me about this
> particular vulnerability, though.
>
> Can I ask it to exclude a vulnerability, or (even better) a
> vulnerability/package combination, from reports?
>
I think this will do it, put it in /etc/make.conf

.if ${.CURDIR:M*/security/p5-Crypt-OpenPGP}
DISABLE_VULNERABILITIES="YES"
.endif

-Mike

>
> I specifically /don't/ want to exclude the package from auditing,
> though, since I want to know if another security issue turns up for it.
>
> Thanks,
>Daniel
>
> Footnotes:
> [1]  The specific issue is a cryptographic weakness that needs a
>  specific and particularly unlikely bit of code written by us before
>  it actually does anything.  Not, as they say, going to happen.
>


Re: portaudit question.....

2005-09-29 Thread Alex Zbyslaw

Wright Jim Contractor 14MDSS/SGSI wrote:

> I guess my question is this.
>
> How do I use the FreeBSD tools, Ports/Packages, etc, to install this latest
> version??
>
> Or am I missing the concept altogether ?
>
> ( I understand the process of downloading this latest version and installing
> it manually. Just trying to understand and use the FreeBSD tools )

IMHO, the messages from portaudit are misleadingly worded.  Portaudit is 
correct that some of the software you installed has *some kind* of 
security vulnerability.  But everything else it says is potentially 
misleading.


1) There may be no upgrade available yet.  For there to be an upgrade 
the original code has to be fixed; in your example by the Mozilla team.  
Then, whoever is maintaining the port has to go through the work of 
fixing the new code to work on FreeBSD.  For a few simple bug fixes, 
that may not be too hard, but it still has to be done. How long all this 
takes will vary from port to port.  Mozilla is generally quite quick, 
from my experience, but xloadimage hung around for ages, not long ago.


2) The advice that you should either upgrade or de-install is 
unnecessarily authoritarian and frightening.  De-installing may not be 
an option, and the actual bug may have zero effect on your environment.  
And the presence of a bug does not indicate the presence of an exploit.  
If you are worried about a particular package then follow up the links 
portaudit provides and make up your mind what to do.



However, the fact that you have so many packages reporting problems 
says that either you are doing something wrong or not checking often enough.

1) cvsup your ports tree
2) either make fetchindex in /usr/ports and run portsdb -u, or run 
portsdb -Uu (slower but more accurate)
3) run pkg_version -L= to see what needs upgrading
4) use portupgrade to upgrade on a schedule that suits.  That might be 
daily or monthly depending on your environment.  Remember to read 
/usr/ports/UPDATING *before* doing any upgrades.



All of that except the upgrading can be automated safely to run at 3am, 
or any other quiet time you might have.

--Alex



Re: portaudit question.....

2005-09-28 Thread martinko

Wright Jim Contractor 14MDSS/SGSI wrote:

> To keep the story short:
>
> I'm using version FreeBSD 5.4-RELEASE #6: Thu Aug 25 09:12:43 CDT 2005;
> pasted from the dmesg.boot file.
>
> To the best of my knowledge, I'm using CVSup, pkgdb -F, and portupgrade
> commands correctly.
>
> But, I'm pretty sure I'm still overlooking and/or leaving something out.
>
> I just discovered the portaudit command and ran it against my system.
>
> It comes up with 15 items that need to be upgraded or deinstalled.
>
> For this question I'll use Mozilla.
>
> The version it reports is Mozilla-1.7.7,2.
>
> When I go to http://www.freebsd.org/ports/index.html
> and do a search for Mozilla, I
> find that Mozilla-1.7.12,2 is the latest (stable) version.
>
> I guess my question is this.
>
> How do I use the FreeBSD tools, Ports/Packages, etc, to install this latest
> version??
>
> Or am I missing the concept altogether ?
>
> ( I understand the process of downloading this latest version and installing
> it manually. Just trying to understand and use the FreeBSD tools )
>
> Thanks for any and all help,
>
> Jim Wright
>
> Columbus, Mississippi
>
> 28 Sep 2005


jim,

i recommend using portsnap instead of cvsup, especially if you update 
your ports tree often. then use portversion instead of pkg_version, it's 
much faster. and always and periodically run portaudit. you don't need 
your ports tree to be updated for portaudit to be effective, btw.


so based on what i said, here's a procedure to follow:

/usr/local/sbin/portsnap fetch
/usr/local/sbin/portsnap update
/usr/local/sbin/portversion -v -l "<"
/usr/local/sbin/portaudit -Fda

hope that helps.

regards,

martin

ps: regarding mozilla, if it's not packaged on freebsd's ftp server 
(that is pkg_add doesn't help), you've got to install it from ports 
(that is to compile it).




Re: portaudit question.....

2005-09-28 Thread K Anderson

- Original Message - 
From: "Wright Jim Contractor 14MDSS/SGSI" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, September 28, 2005 1:07 PM
Subject: portaudit question.


> To keep the story short:
>
>
>
> I'm using version FreeBSD 5.4-RELEASE #6: Thu Aug 25 09:12:43 CDT 2005;
> pasted from the dmesg.boot file.
>
> To the best of my knowledge, I'm using CVSup, pkgdb -F, and portupgrade
> commands correctly.
>
> But, I'm pretty sure I'm still overlooking and/or leaving something out.
>
>
>
> I just discovered the portaudit command and ran it against my system.
>
> It comes up with 15 items that need to be upgraded or deinstalled.
>
> For this question I'll use Mozilla.
>
> The version it reports is Mozilla-1.7.7,2.
I'll take a stab at this one. Portaudit is a tool that takes your installed 
ports then goes out and finds any known vulnerabilities (man portaudit 
says --  portaudit -- system to check installed packages for known 
vulnerabilities.) In your example Mozilla. There are times that a vulnerable 
port does not have an update to it (pkg_version | grep "<") so all the 
updating you do may or may not make a difference. Keep your ports tree up to 
date and check with pkg_version | grep "<" to see if there are changes. One 
other thing to note, they give you a URL to the issue they are talking about 
so you could potentially find more information that may guide you to getting 
an update or what's involved in the issue.

Hope that helps. 




Re: portaudit question.....

2005-09-28 Thread Gerard Seibert
On Wed, 28 Sep 2005 15:07:40 -0500, Wright Jim Contractor 14MDSS/SGSI
<[EMAIL PROTECTED]> wrote these words of wisdom (Subject: portaudit question.):

> To keep the story short:
> 
>  
> 
> I'm using version FreeBSD 5.4-RELEASE #6: Thu Aug 25 09:12:43 CDT 2005;
> pasted from the dmesg.boot file.
> 
> To the best of my knowledge, I'm using CVSup, pkgdb -F, and portupgrade
> commands correctly.
> 
> But, I'm pretty sure I'm still overlooking and/or leaving something out.
> 
>  
> 
> I just discovered the portaudit command and ran it against my system.
> 
> It comes up with 15 items that need to be upgraded or deinstalled.
> 
> For this question I'll use Mozilla.
> 
> The version it reports is Mozilla-1.7.7,2.
> 
>  
> 
> When I go to http://www.freebsd.org/ports/index.html
>   and do a search for Mozilla, I
> find that Mozilla-1.7.12,2 is the latest (stable) version.
> 
>  
> 
> I guess my question is this.
> 
> How do I use the FreeBSD tools, Ports/Packages, etc, to install this latest
> version??
> 
> Or am I missing the concept altogether ?
> 
> ( I understand the process of downloading this latest version and installing
> it manually. Just trying to understand and use the FreeBSD tools )
> 
>  
> 
> Thanks for any and all help,
> 
> Jim Wright
> 
> Columbus, Mississippi
> 
> 28 Sep 2005


* REPLY SEPARATOR *
On 9/29/2005 4:29:46 PM, Gerard Seibert Replied:

Personally, I would first make sure you have a freshly updated ports
collection. Next, install 'portmanager' from the ports collection. Then
run it.

portmanager -u

This will take care of updating all of your out of date ports and their
dependencies.

-- 
Gerard Seibert
<[EMAIL PROTECTED]>



Re: portaudit is being stubborn

2005-05-22 Thread Chris
Good news about the wget-devel; I wasn't aware it had been updated
again. When this problem first occurred, both versions of wget were
affected.

It appears in nightly security logs, so it can get annoying after a while.

Chris

On 5/21/05, Thomas Hurst <[EMAIL PROTECTED]> wrote:
> * Tony Shadwick ([EMAIL PROTECTED]) wrote:
> 
> > I'd like to see it done, but I know just enough sh scripting to be
> > dangerous. ;)
> >
> > If it were perl I'd be all over it.   Any takers? :)
> 
> Well, the relevant bit is actually written in awk :)
> 
> The attached patch seems to do the trick.  Note portaudit_fixed is a
> regular expression, so if you want to list multiple entries, separate
> them with |
> 
> --
> Thomas 'Freaky' Hurst
>http://hur.st/
> 
> 
>


Re: portaudit: recommended packages can't be installed

2005-05-21 Thread Svein Halvor Halvorsen

* Robert S [2005-05-21 13:29 -]
>  Are fixes not necessarily made available when security vulnerabilities
>  are found?

No, fixes are not *necessarily* made available, although they most often 
are. As Kent pointed out, your specific problem should long be fixed. See 
the thread about portaudit and wget from just the other day, and you will 
realize that fixes are not necessarily being committed once a security flaw 
has been found.


>  Also -- is there a similar utility to portaudit and freebsd-update,
>  that can be used on the base operating system (not through ports)?

Portaudit will report security issues with the base system as well, based 
on the kern.osreldate sysctl. 


Re: portaudit is being stubborn

2005-05-21 Thread Thomas Hurst
* Tony Shadwick ([EMAIL PROTECTED]) wrote:

> I'd like to see it done, but I know just enough sh scripting to be 
> dangerous. ;)
> 
> If it were perl I'd be all over it.   Any takers? :)

Well, the relevant bit is actually written in awk :)

The attached patch seems to do the trick.  Note portaudit_fixed is a
regular expression, so if you want to list multiple entries, separate
them with |

-- 
Thomas 'Freaky' Hurst
http://hur.st/
--- portaudit.old   Mon Sep  6 20:18:55 2004
+++ portaudit   Sat May 21 20:18:21 2005
@@ -136,8 +136,8 @@
BEGIN { vul=0; fixedre="'"$fixedre"'" }
/^(#|\$)/ { next }
$2 !~ /'"$opt_restrict"'/ { next }
+   { if (fixedre && $2 ~ fixedre) next }
$1 ~ /^FreeBSD[<=>!]/ {
-   if (fixedre && $2 ~ fixedre) next
if (!system("'"$pkg_version"' -T 
\"FreeBSD-'"$osversion"'\" \"" $1 "\"")) {
print_affected("FreeBSD-'"$osversion"'", \
"To disable this check add the uuid to 
\`portaudit_fixed'"'"' in /usr/local/etc/portaudit.conf")
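Review bot: the moved "{ if (fixedre && $2 ~ fixedre) next }" rule now runs before the "$1 ~ /^FreeBSD[<=>!]/" block, so a uuid listed in portaudit_fixed silences port entries as well as base-system entries, which is what the thread asked for; two points to raise. First, fixedre is still spliced into the awk program text in BEGIN via fixedre="'"$fixedre"'", so a portaudit.conf value containing a double quote or a backslash breaks the awk program instead of being matched; passing it with awk -v fixedre="$fixedre" avoids that. Second, the hint "To disable this check add the uuid to `portaudit_fixed'" is only emitted from the FreeBSD branch's print_affected call, so users hitting a port entry will still not learn that the setting now applies to them; consider emitting the same note for port entries.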


Re: portaudit: recommended packages can't be installed

2005-05-21 Thread Kris Kennaway
On Sat, May 21, 2005 at 01:29:11PM +, Robert S wrote:
> I've just started playing around with FreeBSD.  One of my main
> priorities of an OS is ease of upgrading.  If I run portaudit, I get a
> list of insecure packages (here is an excerpt from the output):
> 
> Affected package: firefox-1.0.3,1
> Type of problem: mozilla -- code execution via javascript: IconURL
> vulnerability.
> Reference: 
> 
> 
> Affected package: kdelibs-3.4.0_1
> Type of problem: kdelibs -- kimgio input validation errors.
> Reference: 
> 
> 
> 4 problem(s) in your installed packages found.
> 
> You are advised to update or deinstall the affected package(s) immediately.
> freebsd #
> 
> If I try to replace kdelibs with a binary package, or install it
> through ports (after doing a cvsup), I still get version 3.4.0_1.
> 
> Are fixes not necessarily made available when security vulnerabilities
> are found?

Not instantly, of course, and in some cases they are not fixed for a
long time.  The third party software in the ports collection is
maintained to different standards depending on the project.  If you
have questions, you should contact those third party developers.

> Also -- is there a similar utility to portaudit and freebsd-update,
> that can be used on the base operating system (not through ports)?

freebsd-update works on the base system.

Kris



Re: portaudit is being stubborn

2005-05-21 Thread Tony Shadwick
I'd like to see it done, but I know just enough sh scripting to be 
dangerous. ;)


If it were perl I'd be all over it.   Any takers? :)

On Sat, 21 May 2005, Thomas Hurst wrote:

> * Chris ([EMAIL PROTECTED]) wrote:
>
>> This annoys me as well, I expect portaudit to alert me when an update
>> is available to fix an exploit, but wget has no update so what is the
>> point of the warning, there also seems to be no way to shut it up.
>
> portaudit_fixed is only for OS bugs (i.e. associated with
> kern.osreldate).  portaudit is just a shell script; if it bothers you
> that much, submit a patch to make it work for port problems too, or
> send-pr :)
>
> Looks like a case of moving the "if (fixedre && $2 ~ fixedre) next" line
> outside the "$1 ~ /^FreeBSD[<=>!]/ {" section around line 140, or
> something to that effect.
>
> --
> Thomas 'Freaky' Hurst
>    http://hur.st/




Re: portaudit: recommended packages can't be installed

2005-05-21 Thread Kent Stewart
On Saturday 21 May 2005 06:29 am, Robert S wrote:
> I've just started playing around with FreeBSD.  One of my main
> priorities of an OS is ease of upgrading.  If I run portaudit, I get
> a list of insecure packages (here is an excerpt from the output):
>
> Affected package: firefox-1.0.3,1
> Type of problem: mozilla -- code execution via javascript: IconURL
> vulnerability.
> Reference:
> b08fc24.html>
>
> Affected package: kdelibs-3.4.0_1
> Type of problem: kdelibs -- kimgio input validation errors.
> Reference:
> 20eed82.html>
>
> 4 problem(s) in your installed packages found.
>
> You are advised to update or deinstall the affected package(s)
> immediately. freebsd #
>
> If I try to replace kdelibs with a binary package, or install it
> through ports (after doing a cvsup), I still get version 3.4.0_1.

You are doing something fundamentally wrong. The 
latest /usr/ports/INDEX[-5] shows a kdelibs-3.4.0_4.  

How did you cvsup and did you update the INDEX files?

Kent
>
> Are fixes not necessarily made available when security
> vulnerabilities are found?
>
> Also -- is there a similar utility to portaudit and freebsd-update,
> that can be used on the base operating system (not through ports)?

-- 
Kent Stewart
Richland, WA

http://users.owt.com/kstewart/index.html


Re: portaudit is being stubborn

2005-05-21 Thread Thomas Hurst
* Chris ([EMAIL PROTECTED]) wrote:

> This annoys me as well, I expect portaudit to alert me when an update
> is available to fix an exploit, but wget has no update so what is the
> point of the warning, there also seems to be no way to shut it up.

portaudit_fixed is only for OS bugs (i.e. associated with
kern.osreldate).  portaudit is just a shell script; if it bothers you
that much, submit a patch to make it work for port problems too, or
send-pr :)

Looks like a case of moving the "if (fixedre && $2 ~ fixedre) next" line
outside the "$1 ~ /^FreeBSD[<=>!]/ {" section around line 140, or
something to that effect.

-- 
Thomas 'Freaky' Hurst
http://hur.st/
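As an added example, not code from this thread or from portaudit itself, here is a small sh/awk filter that applies a portaudit_fixed regex to every entry of an auditfile-style listing, the behaviour Thomas's patch gives portaudit, with the regex handed to awk via -v rather than spliced into the program text. It assumes a package-range|uuid|topic entry layout (mirroring the $1 and $2 fields the patch tests); the wget and cvs uuids are ones quoted in these threads, while the kdelibs uuid and all version ranges are constructed.

```shell
#!/bin/sh
# Added example (not portaudit's own code): apply the portaudit_fixed regex
# to every audit entry, as the patch in this thread makes portaudit do,
# instead of only to FreeBSD-* base-system entries.
# Assumed entry layout, mirroring the $1/$2 fields the patch tests:
#   package-range|uuid|topic
# The wget and cvs uuids are the ones quoted in these threads; the kdelibs
# uuid and all version ranges are constructed for the example.

SAMPLE_AUDIT='# constructed auditfile-style listing
wget<=1.8.2_7|06f142ff-4df3-11d9-a9e7-0001020eed82|wget -- multiple vulnerabilities
FreeBSD<491000|d2102505-f03d-11d8-81b0-000347a4fa7d|multiple vulnerabilities in the cvs server code
kdelibs<3.4.0_4|00000000-0000-4000-8000-000000000000|kdelibs -- kimgio input validation errors'

# remaining_entries REGEX
# Reads entries on stdin and prints the package range of each entry whose
# uuid does NOT match REGEX.  REGEX is an awk regular expression, so several
# uuids are separated with "|" exactly as in portaudit.conf; an empty REGEX
# disables the filter.  The regex is passed with -v rather than spliced into
# the program text, so quoting characters in it cannot break the script.
remaining_entries() {
    awk -F'|' -v fixedre="$1" '
        /^(#|$)/ { next }                            # skip comments and blanks
        { if (fixedre != "" && $2 ~ fixedre) next }  # acknowledged uuid: drop it
        { print $1 }                                 # still flagged
    '
}

# Demo: the portaudit.conf setting Tony tried, which this filter honours
# for the wget port entry as well as for FreeBSD-* entries.
portaudit_fixed="06f142ff-4df3-11d9-a9e7-0001020eed82"
printf '%s\n' "$SAMPLE_AUDIT" | remaining_entries "$portaudit_fixed"
```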


Re: portaudit is being stubborn

2005-05-20 Thread Randy Pratt
On Fri, 20 May 2005 13:43:29 +0100
Chris <[EMAIL PROTECTED]> wrote:

> This annoys me as well, I expect portaudit to alert me when an update
> is available to fix an exploit, but wget has no update so what is the
> point of the warning, there also seems to be no way to shut it up.
> 
> Chris
> 
> On 5/17/05, Tony Shadwick <[EMAIL PROTECTED]> wrote:
> > This is driving me nuts.  I just downloaded the latest portaudit database
> > and ran it on my system:
> > 
> > mx02# portaudit -ad
> > Database created: Tue May 17 13:40:02 CDT 2005
> > Affected package: wget-1.8.2_7
> > Type of problem: wget -- multiple vulnerabilities.
> > Reference:
> > 
> > 
> > 1 problem(s) in your installed packages found.
> > 
> > You are advised to update or deinstall the affected package(s)
> > immediately.
> > 
> > 
> > Okay... so, that vulnerability isn't of much concern to me, but just to be
> > sure I'm current:
> > 
> > mx02# portversion ftp/wget
> > wget=
> > 
> > So life is good there, so I got back and add this to my
> > /usr/local/etc/portaudit.conf file:
> > 
> > # Make portaudit ignore wget vulnerability (no shell users here anyway)
> > portaudit_fixed="06f142ff-4df3-11d9-a9e7-0001020eed82"
> > 
> > 
> > I then re-ran portaudit... it gives me the same output. :(  I want to have
> > this cron'ed where I only get output when something that actually concerns
> > me comes up.  Is the portaudit_fixed variable no longer supported?
> > 
> > Tony

I think the ftp/wget-devel version has addressed the security
concerns.  I switched to ftp/wget-devel and portaudit doesn't show
any problems.  I've not noticed any differences in using that version.

I had a few other ports which depended on ftp/wget so I used
portupgrade to switch the dependencies to ftp/wget-devel:

portupgrade -o ftp/wget-devel ftp/wget

According to the portupgrade man page, all the dependencies on the
old package will be succeeded to the new package cleanly without
leaving inconsistencies.

There may be occasions when an update to a port which depended on
the old ftp/wget may cause pkgdb to complain about a stale dependency
on ftp/wget and you will need to repoint the dependency to the
ftp/wget-devel package.

If at some point the ftp/wget gets fixed, then it could be switched
back from ftp/wget-devel with portupgrade.

Randy

-- 


Re: portaudit is being stubborn

2005-05-20 Thread Chris
This annoys me as well, I expect portaudit to alert me when an update
is available to fix an exploit, but wget has no update so what is the
point of the warning, there also seems to be no way to shut it up.

Chris

On 5/17/05, Tony Shadwick <[EMAIL PROTECTED]> wrote:
> This is driving me nuts.  I just downloaded the latest portaudit database
> and ran it on my system:
> 
> mx02# portaudit -ad
> Database created: Tue May 17 13:40:02 CDT 2005
> Affected package: wget-1.8.2_7
> Type of problem: wget -- multiple vulnerabilities.
> Reference:
> 
> 
> 1 problem(s) in your installed packages found.
> 
> You are advised to update or deinstall the affected package(s)
> immediately.
> 
> 
> Okay... so, that vulnerability isn't of much concern to me, but just to be
> sure I'm current:
> 
> mx02# portversion ftp/wget
> wget=
> 
> So life is good there, so I got back and add this to my
> /usr/local/etc/portaudit.conf file:
> 
> # Make portaudit ignore wget vulnerability (no shell users here anyway)
> portaudit_fixed="06f142ff-4df3-11d9-a9e7-0001020eed82"
> 
> 
> I then re-ran portaudit... it gives me the same output. :(  I want to have
> this cron'ed where I only get output when something that actually concerns
> me comes up.  Is the portaudit_fixed variable no longer supported?
> 
> Tony
>


Re: portaudit question

2004-12-10 Thread Kevin D. Kinsey, DaleCo, S.P.
Thomas S. Crum - AAA Web Solution, Inc. wrote:

> Is there something that I am not updating that portaudit would like to see
> done or is this just a generic warning. Either way, please provide
> examples of what I might do to have it stop complaining. I can find no
> examples googling the portaudit "note" below.
>
> # Here's what I did next.
> man portaudit > no help
> pkg_delete cvsup-without-gui-16.1h
> cd /usr/ports/net/cvsup-without-gui
> make install clean
> /usr/local/sbin/portaudit -Fda > and get same output as above.
> Best,
> Thomas S. Crum

You've gotten some good answers.  Please note
that cvs(1), which is in the "base system", is not
the same thing as cvsup(1), which is a port/package.
They pretty much *do* the same thing (well, a
_similar_ thing), but they aren't the same, so
de/reinstalling cvsup-without-gui wouldn't make
any difference; it's not where the problem was
anyway :-)
Portaudit seems like it will be/is a great tool;
I would also recommend subscribing to the
security-advisories list --- it's not like it's high
volume, but you'd have seen this info
(re: CVS multiple vulnerability Advisory) almost
3 months ago
Kevin Kinsey
*Just thinking, if M$ had such a list,
would the backbone "drown"? >:-s\


RE: portaudit question

2004-12-10 Thread Petersen
Thomas S. Crum wrote:
> Is there something that I am not updating that portaudit
> would like to see
> done or is this just a generic warning. Either way, please provide
> examples of what I might do to have it stop complaining. I
> can find no
> examples googling the portaudit "note" below.
> 
> # Here's what I did.
> 

> 
> # Here's what I get.
> 
> beta# /usr/local/sbin/portaudit -Fda
> auditfile.tbz 100% of   15 kB   33 kBps
> New database installed.
> Database created: Fri Dec 10 08:40:32 EST 2004
> Affected package: FreeBSD-491000
^^

Portaudit is complaining that FreeBSD-491000 itself has a vulnerability.
Specifically within the cvs code as it tells you.

> Type of problem: multiple vulnerabilities in the cvs server code.
> Reference:
>  0-000347a4fa 7d.html> Note: To disable this check add the uuid to
> `portaudit_fixed' in /usr/local/etc/portaudit.conf 0 problem(s) in
> your installed packages found.  
> 

As you can patch the system cvs without bumping the kernel version
number, portupgrade tells you that you can disable the check for this
uuid in portaudit.conf. This of course assumes you actually have patched
the cvs code in the base system (see the multiple security advisories
issued on the cvs vulnerabilities for details on how to patch them
manually, or upgrade to a more recent version/patchlevel of the 4.x
tree).

Petersen



Re: portaudit question

2004-12-10 Thread Joshua Lokken
On Fri, 10 Dec 2004 09:19:15 -0500, Thomas S. Crum - AAA Web Solution,
Inc. <[EMAIL PROTECTED]> wrote:
> Is there something that I am not updating that portaudit would like to see
> done or is this just a generic warning. Either way, please provide
> examples of what I might do to have it stop complaining.

[snip]

> Type of problem: multiple vulnerabilities in the cvs server code.
> Reference:
>  7d.html>
> Note: To disable this check add the uuid to `portaudit_fixed' in
> /usr/local/etc/portaudit.conf
> 0 problem(s) in your installed packages found.

I haven't used portaudit, but it appears from the message that
you can safely follow the instructions, which are to add the uuid
(I assume that means the long id number on the url) to the 
'portaudit-fixed' variable in /usr/local/etc/portaudit.conf  ;)
 
> # Here's what I did next.
> 
> man portaudit > no help
> pkg_delete cvsup-without-gui-16.1h
> cd /usr/ports/net/cvsup-without-gui
> make install clean
> /usr/local/sbin/portaudit -Fda > and get same output as above.

Which wouldn't help; there does not appear to be a problem with
cvsup on your system, so reinstalling that wouldn't affect portaudit.
I suspect you were correct, that it's a 'generic' warning, and can
be worked around.  HTH,

-- 
Joshua Lokken
Open Source Advocate


Re: Portaudit question

2004-09-08 Thread Chris
Matthew Seaman wrote:

> On Wed, Sep 08, 2004 at 10:01:23AM -0500, Chris wrote:
>
>> While running portaudit, I get the complaint;
>>
>> Affected package: FreeBSD-502010
>> Type of problem: multiple vulnerabilities in the cvs server code.
>> Reference: 
>>
>> Note: To disable this check add the uuid to `portaudit_fixed' in 
>> /usr/local/etc/portaudit.conf
>>
>> Am I to assume this is only if you run a cvs server? OR -
>> does this relate to the SA's put out earlier this year about the src.
>
> Did you read the referenced portaudit page or any of the links
> supplied by it?  There are several vulnerabilities, most of which
> affect the CVS server, but one fairly minor that affects the CVS
> client.
>
> The FreeBSD advisory SA-04:07.cvs refers to a different problem:
>
> http://www.vuxml.org/freebsd/0792e7a7-8e37-11d8-90d1-0020ed76ef5a.html
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc
>
> As you can see, the VuXML entry you're getting warnings about is dated
> a month after the security advisory:
>
> http://www.vuxml.org/freebsd/d2102505-f03d-11d8-81b0-000347a4fa7d.html
>
> However, the update given in the security advisory is to a version of
> CVS unaffected by either vulnerability.  Update your system to the
> latest patchlevel and the problem will be fixed.

This has been done, 5.2.1-RELEASE-p9
--
Best regards,
Chris
Working capital doesn't.


Re: Portaudit question

2004-09-08 Thread Matthew Seaman
On Wed, Sep 08, 2004 at 10:01:23AM -0500, Chris wrote:
> While running portaudit, I get the complaint;
> 
> Affected package: FreeBSD-502010
> Type of problem: multiple vulnerabilities in the cvs server code.
> Reference: 
> 
> Note: To disable this check add the uuid to `portaudit_fixed' in 
> /usr/local/etc/portaudit.conf
> 
> Am I to assume this is only if you run a cvs server? OR -
> does this relate to the SA's put out earlier this year about the src.

Did you read the referenced portaudit page or any of the links
supplied by it?  There are several vulnerabilities, most of which
affect the CVS server, but one fairly minor that affects the CVS
client.

The FreeBSD advisory SA-04:07.cvs refers to a different problem:

http://www.vuxml.org/freebsd/0792e7a7-8e37-11d8-90d1-0020ed76ef5a.html
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc

As you can see, the VuXML entry you're getting warnings about is dated
a month after the security advisory:

http://www.vuxml.org/freebsd/d2102505-f03d-11d8-81b0-000347a4fa7d.html

However, the update given in the security advisory is to a version of
CVS unaffected by either vulnerability.  Update your system to the
latest patchlevel and the problem will be fixed.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re: portaudit

2004-04-14 Thread Ion-Mihai Tetcu
On Wed, 14 Apr 2004 12:30:58 -0600 (MDT)
RJ45 <[EMAIL PROTECTED]> wrote:

> 
> this is the problem:
> 
> fetch: ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/eik/auditfile.tbz: Syntax error, command unrecognized
> 
> I have my mailbox full of error like these over half gigs for each cron
> report and this is generating traffic 

See my other mail. Give what I asked for. I cannot guess what is
happening.

Give the output of:
# portaudit -Vd && env FETCH_CMD='fetch -vvvp' portaudit -F -d



> 
> thanks
> 
> Rick
> 

-- 
IOnut
Unregistered ;) FreeBSD "user"



Re: portaudit

2004-04-14 Thread RJ45

this is the problem:

fetch: ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/eik/auditfile.tbz: Syntax error, command unrecognized

I have my mailbox full of errors like these, over half a gig for each cron
report, and this is generating traffic 

thanks

Rick


On Tue, 13 Apr 2004, Ion-Mihai Tetcu wrote:

> On Tue, 13 Apr 2004 14:04:04 -0600 (MDT)
> RJ45 <[EMAIL PROTECTED]> wrote:
> 
> > 
> > Hello,
> > I installed portaudit.
> > Since I installed it I noticed there are always ESTABLISHED connections to
> > some ftp servers:
> > 
> > tcp4   0 20  venus.51739freebsd.utcluj.r.ftp
> > ESTABLISHED
> > tcp4   0 20  venus.49718gort.ludd.ltu.se.ftp
> > ESTABLISHED
> > tcp4   0  6  venus.49706www.freebsd.cz.ftp
> > ESTABLISHED
> > tcp4   0  6  venus.49688gort.ludd.ltu.se.ftp
> > ESTABLISHED
> > tcp4   0 20  venus.49682ftp.jpix.ad.jp.ftp
> > ESTABLISHED
> > 
> > and I noticed I have a constant traffic rate on my ADSL link of about
> > 20 Kb/sec inbound and 20 Kb/sec outbound, always day and night.
> > is it normal?
> 
> No. Edit /usr/local/etc/portaudit.conf and add something like:
> FETCH_BEFORE_ARGS=-vvv
> 
> after that do a ps and kill -9 the fetchaudit (or portaudit) process.
> 
> Watch your daily mail and send the output and the content of
> portaudit.conf.
> 
> But I doubt that the output traffic is portaudit's fault.
> 
> -- 
> IOnut
> Unregistered ;) FreeBSD "user"
> 
> 



Re: portaudit

2004-04-14 Thread RJ45

hi,
actually I have many fetchaudit daily script running from previous days:

root1310  0.0  0.1  1088  536  ??  I 6Apr04   0:00.02 /bin/sh
/usr/local/etc/periodic/daily/330.fetchaudit
root   68392  0.0  0.1  1088  536  ??  I 7Apr04   0:00.02 /bin/sh
/usr/local/etc/periodic/daily/330.fetchaudit
root   75805  0.0  0.1  1088  536  ??  IFri03AM   0:00.02 /bin/sh
/usr/local/etc/periodic/daily/330.fetchaudit
root   30120  0.0  0.1  1088  536  ??  ISat03AM   0:00.02 /bin/sh
/usr/local/etc/periodic/daily/330.fetchaudit
root   84915  0.0  0.1  1088  536  ??  ISun03AM   0:00.02 /bin/sh
/usr/local/etc/periodic/daily/330.fetchaudit

looks like the traffic is due to this because I stopped the processes and
the traffic stopped as well...

thanks

Rick


On Tue, 13 Apr 2004, Ion-Mihai Tetcu wrote:

> On Tue, 13 Apr 2004 14:04:04 -0600 (MDT)
> RJ45 <[EMAIL PROTECTED]> wrote:
> 
> > 
> > Hello,
> > I installed portaudit.
> > Since I installed it I noticed there are always ESTABLISHED connections to
> > some ftp servers:
> > 
> > tcp4   0 20  venus.51739freebsd.utcluj.r.ftp
> > ESTABLISHED
> > tcp4   0 20  venus.49718gort.ludd.ltu.se.ftp
> > ESTABLISHED
> > tcp4   0  6  venus.49706www.freebsd.cz.ftp
> > ESTABLISHED
> > tcp4   0  6  venus.49688gort.ludd.ltu.se.ftp
> > ESTABLISHED
> > tcp4   0 20  venus.49682ftp.jpix.ad.jp.ftp
> > ESTABLISHED
> > 
> > and I noticed I have a constant traffic rate on my ADSL link of about
> > 20 Kb/sec inbound and 20 Kb/sec outbound, always day and night.
> > is it normal?
> 
> No. Edit /usr/local/etc/portaudit.conf and add something like:
> FETCH_BEFORE_ARGS=-vvv
> 
> after that do a ps and kill -9 the fetchaudit (or portaudit) process.
> 
> Watch your daily mail and send the output and the content of
> portaudit.conf.
> 
> But I doubt that the output traffic is portaudit's fault.
> 
> -- 
> IOnut
> Unregistered ;) FreeBSD "user"
> 
> 



Re: portaudit

2004-04-13 Thread Ion-Mihai Tetcu
On Tue, 13 Apr 2004 14:04:04 -0600 (MDT)
RJ45 <[EMAIL PROTECTED]> wrote:

> 
> Hello,
> I installed portaudit.
> Since I installed it I noticed there are always ESTABLISHED connections to
> some ftp servers:
> 
> tcp4   0 20  venus.51739freebsd.utcluj.r.ftp
> ESTABLISHED
> tcp4   0 20  venus.49718gort.ludd.ltu.se.ftp
> ESTABLISHED
> tcp4   0  6  venus.49706www.freebsd.cz.ftp
> ESTABLISHED
> tcp4   0  6  venus.49688gort.ludd.ltu.se.ftp
> ESTABLISHED
> tcp4   0 20  venus.49682ftp.jpix.ad.jp.ftp
> ESTABLISHED
> 
> and I noticed I have a constant traffic rate on my ADSL link of about
> 20 Kb/sec inbound and 20 Kb/sec outbound, always day and night.
> is it normal?

No. Edit /usr/local/etc/portaudit.conf and add something like:
FETCH_BEFORE_ARGS=-vvv

after that do a ps and kill -9 the fetchaudit (or portaudit) process.

Watch your daily mail and send the output and the content of
portaudit.conf.

But I doubt that the output traffic is portaudit's fault.

-- 
IOnut
Unregistered ;) FreeBSD "user"
