portaudit and automake14

2012-08-28 Thread David Newman
1. On an 8.0-RELEASE system, I'm having a problem with the automake14
port, where the portaudit port reports this vulnerability:

http://portaudit.freebsd.org/10f38033-e006-11e1-9304-.html

Refreshing the ports collection with 'portsnap fetch extract' and then
running 'portmaster automake14' returned the same error as before:

automake -- Insecure 'distcheck' recipe granted world-writable distdir

I then tried to do 'make deinstall && make reinstall' for automake14,
but that just deinstalled the port. The system returns the same error as
above when trying to reinstall.

How to resolve?

2. This system also has a couple of other automake ports installed:

automake-1.12.3
automake-wrapper-20101119

How to determine if these are necessary in addition to automake14?

Thanks

dn

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: portaudit and automake14

2012-08-28 Thread Bryan Drewery
On 8/28/2012 1:47 PM, David Newman wrote:
 1. On an 8.0-RELEASE system, I'm having a problem with the automake14
 port, where the portaudit port reports this vulnerability:
 
 http://portaudit.freebsd.org/10f38033-e006-11e1-9304-.html
 
 Refreshing the ports collection with 'portsnap fetch extract' and then
 running 'portmaster automake14' returned the same error as before:
 
 automake -- Insecure 'distcheck' recipe granted world-writable distdir
 
 I then tried to do 'make deinstall && make reinstall' for automake14,
 but that just deinstalled the port. The system returns the same error as
 above when trying to reinstall.
 
 How to resolve?
 
 2. This system also has a couple of other automake ports installed:
 
 automake-1.12.3
 automake-wrapper-20101119
 
 How to determine if these are necessary in addition to automake14?


automake14 is not vulnerable to this issue. The vuxml was recently
updated to show that it only affects 1.5 and up.

http://www.vuxml.org/freebsd/36235c38-e0a8-11e1-9f4d-002354ed89bc.html

Not sure when portaudit updates, but in the meantime you can ignore that
error:

env DISABLE_VULNERABILITIES=1 portmaster ...

You can also try deinstalling automake14 as it may not even be required
on your system and the newer 1.12 may automatically be used instead.

To be clear, automake14 is super old. automake-1.12.3 is current.


 
 Thanks
 
 dn
 

Bryan



Re: portaudit and automake14

2012-08-28 Thread David Newman
On 8/28/12 11:53 AM, Bryan Drewery wrote:
 On 8/28/2012 1:47 PM, David Newman wrote:
 1. On an 8.0-RELEASE system, I'm having a problem with the automake14
 port, where the portaudit port reports this vulnerability:

 http://portaudit.freebsd.org/10f38033-e006-11e1-9304-.html

 Refreshing the ports collection with 'portsnap fetch extract' and then
 running 'portmaster automake14' returned the same error as before:

 automake -- Insecure 'distcheck' recipe granted world-writable distdir

 I then tried to do 'make deinstall && make reinstall' for automake14,
 but that just deinstalled the port. The system returns the same error as
 above when trying to reinstall.

 How to resolve?

 2. This system also has a couple of other automake ports installed:

 automake-1.12.3
 automake-wrapper-20101119

 How to determine if these are necessary in addition to automake14?
 
 
 automake14 is not vulnerable to this issue. The vuxml was recently
 updated to show that it only affects 1.5 and up.
 
 http://www.vuxml.org/freebsd/36235c38-e0a8-11e1-9f4d-002354ed89bc.html
 
 Not sure when portaudit updates, but in the meantime you can ignore that
 error:
 
 env DISABLE_VULNERABILITIES=1 portmaster ...
 
 You can also try deinstalling automake14 as it may not even be required
 on your system and the newer 1.12 may automatically be used instead.
 
 To be clear, automake14 is super old. automake-1.12.3 is current.

Thanks much for this. As noted, I've de-installed automake14 and haven't
noticed any problems as a result. It can be reinstalled using that env
flag you mentioned, but if it's not needed, then that's one less thing
to go wrong. . .

Thanks again.

dn


 
 

 Thanks

 dn

 
 Bryan
 


Problems with portaudit after update to 0.6.0

2012-03-19 Thread Fábio Jr.

Hi folks,

I'm facing problems after updating the portaudit to 0.6.0. This is 
happening on 2 servers I own, both with FreeBSD 6.2. Check this out:


   # portaudit -Fda
   auditfile.tbz                                 100% of   75 kB  381 kBps
   unknown option '-sha256'
   options are
   -c              to output the digest with separating colons
   -d              to output debug info
   -hex            output as hex dump
   -binary         output in binary form
   -sign   file    sign digest using private key in file
   -verify file    verify a signature using public key in file
   -prverify file  verify a signature using private key in file
   -keyform arg    key file format (PEM or ENGINE)
   -signature file signature to verify
   -binary         output in binary form
   -engine e       use engine e, possibly a hardware device.
   -md5 to use the md5 message digest algorithm (default)
   -md4 to use the md4 message digest algorithm
   -md2 to use the md2 message digest algorithm
   -sha1 to use the sha1 message digest algorithm
   -sha to use the sha message digest algorithm
   -mdc2 to use the mdc2 message digest algorithm
   -ripemd160 to use the ripemd160 message digest algorithm
   portaudit: Database contains invalid signature.
   Old database restored.
   portaudit: Download failed.

This happens too when I try to update any other package. This is what I 
already tried to do to solve the problem:


- portsnap fetch update / portupgrade on the portaudit folder in ports
- portsnap fetch update / make deinstall / make install the package
- make deinstall / portsnap fetch update / make install the package
- portsnap fetch extract / make deinstall / make install the package
- make deinstall / portsnap fetch extract / make install the package

None of this solved the problem.

Anybody else having the same issue, or some idea on how to solve it?

Thank you.


Re: Problems with portaudit after update to 0.6.0

2012-03-19 Thread Sergio Tam
On 19 March 2012 08:14, Fábio Jr. fjuniorli...@gmail.com wrote:
 Hi folks,

 I'm facing problems after updating the portaudit to 0.6.0. This is happening
 on 2 servers I own, both with FreeBSD 6.2. Check this out:

   # portaudit -Fda
   auditfile.tbz                                 100% of   75 kB  381 kBps
   unknown option '-sha256'
   options are
   -c              to output the digest with separating colons
   -d              to output debug info
   -hex            output as hex dump
   -binary         output in binary form
   -sign   file    sign digest using private key in file
   -verify file    verify a signature using public key in file
   -prverify file  verify a signature using private key in file
   -keyform arg    key file format (PEM or ENGINE)
   -signature file signature to verify
   -binary         output in binary form
   -engine e       use engine e, possibly a hardware device.
   -md5 to use the md5 message digest algorithm (default)
   -md4 to use the md4 message digest algorithm
   -md2 to use the md2 message digest algorithm
   -sha1 to use the sha1 message digest algorithm
   -sha to use the sha message digest algorithm
   -mdc2 to use the mdc2 message digest algorithm
   -ripemd160 to use the ripemd160 message digest algorithm
   portaudit: Database contains invalid signature.
   Old database restored.
   portaudit: Download failed.

 This happens too when I try to update any other package. This is what I
 already tried to do to solve the problem:

 - portsnap fetch update / portupgrade on the portaudit folder in ports
 - portsnap fetch update / make deinstall / make install the package
 - make deinstall / portsnap fetch update / make install the package
 - portsnap fetch extract / make deinstall / make install the package
 - make deinstall / portsnap fetch extract / make install the package

 None of this solved the problem.

 Anybody else having the same issue, or some idea on how to solve it?



Try verbose mode.

portaudit -Fv


Regards.


Re: Problems with portaudit after update to 0.6.0

2012-03-19 Thread Herbert J. Skuhra
On Mon, 19 Mar 2012 11:14:13 -0300
Fábio Jr. fjuniorli...@gmail.com wrote:

 Hi folks,
 
 I'm facing problems after updating the portaudit to 0.6.0. This is 
 happening on 2 servers I own, both with FreeBSD 6.2. Check this out:

You obviously have missed that FreeBSD 6.x is no longer
supported. RELENG_6's EOL was November 30, 2010:

http://article.gmane.org/gmane.os.freebsd.security.announce/194

You should upgrade to 7.4 or 8.2 (soon 8.3).

-- 
Herbert


portaudit report against web app since updated (by web app itself)

2012-01-05 Thread Dale Scott
I originally installed WordPress as a port because it was a convenient way to 
make sure I had all the PHP dependencies. However, I've since updated WordPress 
internally a number of times, and am now getting portaudit advisories against 
the original port that was installed.

I'd prefer not to get portaudit advisories in this situation. Any 
recommendations?

Thanks,
Dale

-
Transparency with Trust
http://www.dalescott.net





portaudit: exim vulnerable but exim-mysql not??

2011-06-07 Thread a . smith

Hi,

  I've noticed that servers running exim version 4.74 are being
flagged by portaudit as having this vulnerability:


http://www.FreeBSD.org/ports/portaudit/36594c54-7be7-11e0-9838-0022156e8794.html

But systems with the port exim-mysql are not. This has to be an  
oversight doesn't it? If yes, who would need to be informed of this?


thanks Andy.





Re: portaudit php vulnerabilities

2009-12-26 Thread Jerry
On Fri, 25 Dec 2009 23:45:39 -0800
Nerius Landys nlan...@gmail.com replied:

>> For the past week or so, portaudit has been warning me that the
>> installed version of php on my system (php5-5.2.11_1) has known
>> vulnerabilities. Fair enough. However, I've not seen a fix in the
>> ports tree since then. Is my only option to deinstall php until this
>> gets fixed?
>
> Hi.  I've been experiencing the same problem.  Apparently 5.2.12 is
> not in the ports yet, but probably will be soon.
>
> I found it necessary to do some port-related commands even though
> 5.2.11 is currently blacklisted by portaudit.  You can use
> DISABLE_VULNERABILITIES in your commands as outlined here until there
> is an updated port:

Same problem here. I was going to update to FreeBSD-8 this weekend;
however, I thought better of it. As sure as death and taxes, I know
that as soon as I install FBSD-8 with PHP the new version of PHP will
become available. I'll install it and something will break. I'll just
wait until this problem is resolved.

-- 
Jerry
ges...@yahoo.com


Genuine happiness is when a wife sees a double chin on her husband's
old girl friend.



portaudit php vulnerabilities

2009-12-25 Thread Aleksandr Miroslav
For the past week or so, portaudit has been warning me that the
installed version of php on my system (php5-5.2.11_1) has known
vulnerabilities. Fair enough. However, I've not seen a fix in the ports
tree since then. Is my only option to deinstall php until this gets
fixed?


Re: portaudit php vulnerabilities

2009-12-25 Thread Nerius Landys
 For the past week or so, portaudit has been warning me that the
 installed version of php on my system (php5-5.2.11_1) has known
 vulnerabilities. Fair enough. However, I've not seen a fix in the ports
 tree since then. Is my only option to deinstall php until this gets
 fixed?

Hi.  I've been experiencing the same problem.  Apparently 5.2.12 is
not in the ports yet, but probably will be soon.

I found it necessary to do some port-related commands even though
5.2.11 is currently blacklisted by portaudit.  You can use
DISABLE_VULNERABILITIES in your commands as outlined here until there
is an updated port:

http://www.ivorde.ro/FreeBSD_force_port_installation_upgrade_even_though_portaudit_reports_vulnerability_for_it-64.html


Re: Portaudit strange behavior.

2009-07-02 Thread Arek Czereszewski
Hi again,

Today portaudit works fine with

${portaudit_sites=http://portaudit.FreeBSD.org/}

Now I need to change this option in portaudit on all servers.

Regards
Arek

-- 
Arek Czereszewski
arek (at) wup-katowice (dot) pl
UNIX allows me to work smarter, not harder.


Portaudit strange behavior.

2009-07-01 Thread Arek Czereszewski
Hi,

On all my servers I have portaudit version 0.5.13
If I try to update the audit database (by hand or from the periodic script)
I have:

# portaudit -Fd
auditfile.tbz 100% of   53 kB   39 kBps
portaudit: Database too old.
Old database restored.
portaudit: Download failed.
#

When I change

${portaudit_sites=http://portaudit.FreeBSD.org/}
to
${portaudit_sites=http://www.FreeBSD.org/ports/}
as it was in 0.5.12,
# portaudit -Fd
auditfile.tbz 100% of   56 kB   34 kBps
New database installed.
Database created: Wed Jul  1 07:40:02 CEST 2009
the update works fine.

Does anyone else have the same behavior?

regards
Arek
-- 
Arek Czereszewski
arek (at) wup-katowice (dot) pl
UNIX allows me to work smarter, not harder.


Re: Portaudit strange behavior.

2009-07-01 Thread dan
On Wednesday 01 July 2009 08:02:47 Arek Czereszewski wrote:
 Hi,

 On all my servers I have portaudit version 0.5.13
 If I try update audit database (by hand or from periodic script)
 I have:

 # portaudit -Fd
 auditfile.tbz 100% of   53 kB   39 kBps
 portaudit: Database too old.
 Old database restored.
 portaudit: Download failed.
 #

 When I change

 ${portaudit_sites=http://portaudit.FreeBSD.org/}
 to
 ${portaudit_sites=http://www.FreeBSD.org/ports/}
 Like was in 0.5.12
 # portaudit -Fd
 auditfile.tbz 100% of   56 kB   34 kBps
 New database installed.
 Database created: Wed Jul  1 07:40:02 CEST 2009
 Update work fine.

 Anyone have behavior like I have?

 regards
 Arek
Oops! I experienced the same behaviour this morning, but after that I did not 
make any change. Waiting for news,

d



Re: Portaudit strange behavior.

2009-07-01 Thread mfv
On Wednesday, 1 July 2009 02:02:47 Arek Czereszewski wrote:
 Hi,

 On all my servers I have portaudit version 0.5.13
 If I try update audit database (by hand or from periodic script)
 I have:

 # portaudit -Fd
 auditfile.tbz 100% of   53 kB   39 kBps
 portaudit: Database too old.
 Old database restored.
 portaudit: Download failed.
 #

 When I change

 ${portaudit_sites=http://portaudit.FreeBSD.org/}
 to
 ${portaudit_sites=http://www.FreeBSD.org/ports/}
 Like was in 0.5.12
 # portaudit -Fd
 auditfile.tbz 100% of   56 kB   34 kBps
 New database installed.
 Database created: Wed Jul  1 07:40:02 CEST 2009
 Update work fine.

 Anyone have behavior like I have?

 regards
 Arek

Hello Arek,

I've had the same problem for the last few days.  Thanks for a temporary 
solution.

Marek



portaudit and periodic

2008-12-20 Thread kareemy
I am using FreeBSD 7-RELEASE. I installed portaudit. The FreeBSD
handbook stated that during the install process, the configuration
files for periodic will be updated, permitting portaudit output in the
daily security runs.

portaudit was not run in my daily security runs. There is no mention
of portaudit in /etc/periodic.conf or /etc/defaults/periodic.conf. I
read /usr/local/etc/periodic/security/410.portaudit and found that it
references 3 variables:
daily_status_security_portaudit_enable
daily_status_security_portaudit_expiry
daily_status_security_portaudit_user

I can't find those variables defined anywhere in any periodic.conf
file. I understand I can just manually add
daily_status_security_portaudit_enable=YES to my periodic.conf and
be good to go. But I am wondering about the discrepancy with the
FreeBSD handbook.

Is the FreeBSD handbook out of date or incorrect in this regard or is
there another reason why portaudit didn't update the periodic config
files?

Thanks,
Kareem Dana


Re: portaudit and periodic

2008-12-20 Thread kareemy
I believe I am incorrect. I checked further and it looks like
$daily_status_security_portaudit_enable defaults to YES in the
portaudit script so it should run fine. Everything seems to be
working. I don't know why I thought it wasn't running before. Sorry
for the trouble. Thanks.

On Sat, Dec 20, 2008 at 5:42 PM, kareemy kare...@gmail.com wrote:
 I am using FreeBSD 7-RELEASE. I installed portaudit. The FreeBSD
 handbook stated that during the install process, the configuration
 files for periodic will be updated, permitting portaudit output in the
 daily security runs.

 portaudit was not run in my daily security runs. There is no mention
 of portaudit in /etc/periodic.conf or /etc/defaults/periodic.conf. I
 read /usr/local/etc/periodic/security/410.portaudit and found that it
 references 3 variables:
 daily_status_security_portaudit_enable
 daily_status_security_portaudit_expiry
 daily_status_security_portaudit_user

 I can't find those variables defined anywhere in any periodic.conf
 file. I understand I can just manually add
 daily_status_security_portaudit_enable=YES to my periodic.conf and
 be good to go. But I am wondering about the discrepancy with the
 FreeBSD handbook.

 Is the FreeBSD handbook out of date or incorrect in this regard or is
 there another reason why portaudit didn't update the periodic config
 files?

 Thanks,
 Kareem Dana



Re: portaudit -solved

2008-12-09 Thread Richard KHOO Guan Chen

Thank you Sahil Tandon

I have solved the problem. My ISP uses a proxy for http (I think) as I have 
closed off port 80 and opened port 8080, and that has got me to the web 
with no problem. I have also been able to use ports installation with my 
ipf firewall setup, so I could not understand why portaudit command 
failed. I have now opened up port 80 and get the thing working.


Your message got me thinking in this direction as you confirmed that the 
file is from http://www.FreeBSD.org/ports.


Once again thanks and apologies for the late reply.


On Mon, 8 Dec 2008, Sahil Tandon wrote:

> Richard KHOO Guan Chen wrote:
>
>> I have recently installed 6.4 release and tried to do a portaudit -F.
>> No go reply was that auditfile.tbz unavailable.
>
> By default, portaudit fetches the database from www.FreeBSD.org/ports.
> What is the output of the following commands on your machine?
>
> % wget http://www.FreeBSD.org/ports/auditfile.tbz
> % fetch -1amp http://www.FreeBSD.org/ports/auditfile.tbz
>
> Have you created or modified /usr/local/etc/portaudit.conf?
>
> --
> Sahil Tandon [EMAIL PROTECTED]


Portaudit - auditfile.tbz failure of download.

2008-06-16 Thread Ezat Tizani
Hello all,

anyone having issues with portaudit download of the auditfile.tbz?  mine
seems to just stall.

I'm using portaudit .0.5.2 with -Fda switches.

Thanks

Ezat




Re: portaudit in periodic [SOLVED]

2007-12-24 Thread Andrea Venturoli

Cristian KLEIN wrote:

> But have you tried running these commands from the shell? It is very important
> to check the scripts with the above SHELL & PATH environment. If the above works
> from the shell, I'm pretty much out of ideas too.

Yes, and it did work.

In the end I realized the problem was that I have to use a proxy: from 
the shell portaudit picked up HTTP_PROXY and FTP_PROXY from the 
environment, while it didn't when launched from cron.

Obviously setting up portaudit.conf was the solution.

 bye & Thanks
av.
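
Added example, not part of the original thread: a POSIX sh helper that reruns a command under a cron-like environment, so a job that only works from a login shell because of inherited variables such as HTTP_PROXY fails the same way it does under cron. The function names and the list of proxy variables are assumptions of this example; the SHELL, PATH and HOME values are the ones Cristian Klein suggested in this thread.

```shell
#!/bin/sh
# Added example: reproduce cron's sparse environment to find variables a
# periodic job silently depends on (here: the proxy settings).

# Proxy-related variables to look for. The list is an assumption of this
# example; HTTP_PROXY and FTP_PROXY are the two named in the thread.
PROXY_VARS="HTTP_PROXY FTP_PROXY NO_PROXY http_proxy ftp_proxy no_proxy"

# Run "$@" with everything stripped from the environment except the three
# values suggested in the thread. The arguments go straight to env(1), so
# leading NAME=value words are added to that environment, e.g.
#   run_like_cron periodic daily
#   run_like_cron HTTP_PROXY=http://proxy.example:3128/ portaudit -Fd
run_like_cron() {
    env -i SHELL=/bin/sh PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin \
        HOME=/var/log "$@"
}

# Print the value of environment variable $1 as seen by a child process
# started with the command prefix in $2..., or nothing if it is unset.
# A child is used on purpose: only exported variables reach portaudit.
child_value() {
    _name=$1; shift
    "$@" /bin/sh -c "printf '%s' \"\${$_name-}\""
}

# Print, space separated, the proxy variables that a child of this shell
# sees but a child started by run_like_cron does not.
proxy_vars_lost_under_cron() {
    _lost=""
    for _var in $PROXY_VARS; do
        _here=$(child_value "$_var" env)
        _there=$(child_value "$_var" run_like_cron)
        if [ -n "$_here" ] && [ -z "$_there" ]; then
            _lost="${_lost:+$_lost }$_var"
        fi
    done
    printf '%s\n' "$_lost"
}

echo "proxy variables cron will not pass on: $(proxy_vars_lost_under_cron)"
```

Exporting SHELL, PATH and HOME in an interactive shell leaves HTTP_PROXY and FTP_PROXY in place, which is why that test passed while the cron run still failed; clearing the environment first exposes the difference.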



Re: portaudit in periodic

2007-12-17 Thread Andrea Venturoli

Cristian KLEIN wrote:

> I used to have problems with cron scripts, because cron uses another PATH than
> what the script gets if it's run from the shell. Could you try the following
> (assuming sh):
>
> export SHELL=/bin/sh
> export PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
> export HOME=/var/log
> periodic daily

Sorry if I reply this late: I tried something similar in crontab and let 
it test for a while, but nothing changed.

I'm really out of ideas here. :-(

 bye & Thanks
av.


Re: portaudit in periodic

2007-12-17 Thread Cristian KLEIN
Andrea Venturoli wrote:
 Cristian KLEIN wrote:
 
 I used to have problems with cron scripts, because cron uses another
 PATH than
 what the script gets if it's run from the shell. Could you try the
 following
 (assuming sh):

 export SHELL=/bin/sh
 export PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
 export HOME=/var/log
 periodic daily


 
 Sorry if I reply this late: I tried something similar in crontab and let
 it test for a while, but nothing changed.
 I'm really out of ideas here. :-(

But have you tried running these commands from the shell? It is very important
to check the scripts with the above SHELL & PATH environment. If the above works
from the shell, I'm pretty much out of ideas too.




Re: portaudit in periodic

2007-11-26 Thread Cristian KLEIN
Andrea Venturoli wrote:
 Hello.
 I'm running a dozen boxes (most being 6.2) with portaudit installed and
 I usually get a port vulnerability report in the daily security run.
 
 On one box, however, portaudit's db won't update automatically. The
 security reports will mention no vulnerability, even when I know they
 are there.
 Running periodic daily from a shell does it all for good, so that for
 a few days I'll see the correct warnings.

I used to have problems with cron scripts, because cron uses another PATH than
what the script gets if it's run from the shell. Could you try the following
(assuming sh):

export SHELL=/bin/sh
export PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
export HOME=/var/log
periodic daily



Re: portaudit in periodic

2007-11-26 Thread RW
On Mon, 26 Nov 2007 12:45:56 +0200
Cristian KLEIN [EMAIL PROTECTED] wrote:

 Andrea Venturoli wrote:

  On one box, however, portaudit's db won't update automatically. The
  security reports will mention no vulnerability, even when I know
  they are there.
  Running periodic daily from a shell does it all for good, so that
  for a few days I'll see the correct warnings.
 
 I used to have problems with cron scripts, because cron uses another
 PATH than what the script gets if it's run from the shell. 

That shouldn't be relevant, the update should be done as a side-effect
of the daily security run, and the path to portaudit is hard-coded into
the periodic script.


Re: portaudit in periodic

2007-11-23 Thread Andrea Venturoli

RW wrote:

> Have you checked its clock?

Yep.

# date
Fri Nov 23 18:13:17 CET 2007

Seems fine to me.

Also, it's running ntp, although I'd expect something better from it.

 bye & Thanks
av.


Re: portaudit in periodic

2007-11-23 Thread RW
On Fri, 23 Nov 2007 10:28:31 +0100
Andrea Venturoli [EMAIL PROTECTED] wrote:

 Hello.
 I'm running a dozen boxes (most being 6.2) with portaudit installed
 and I usually get a port vulnerability report in the daily security
 run.
 
 On one box, however, portaudit's db won't update automatically. The 
 security reports will mention no vulnerability, even when I know they 
 are there.
 Running periodic daily from a shell does it all for good, so that
 for a few days I'll see the correct warnings.

Have you checked its clock?


portaudit in periodic

2007-11-23 Thread Andrea Venturoli

Hello.
I'm running a dozen boxes (most being 6.2) with portaudit installed and 
I usually get a port vulnerability report in the daily security run.


On one box, however, portaudit's db won't update automatically. The 
security reports will mention no vulnerability, even when I know they 
are there.
Running periodic daily from a shell does it all for good, so that for 
a few days I'll see the correct warnings.
However, the database will then be stuck at that level, and won't be 
upgraded again until I either manually rerun the previous command or run 
portaudit -F.


I looked over my config files, but could not guess what might be wrong.
Any hint?

 bye & Thanks
av.


portaudit problem

2007-02-05 Thread khaled Hussein

Hi All

i am trying to run portaudit -F to fetch new database on FreeBSD 
6.1-RELEASE but i cannot fetch the new database and it gives me


[EMAIL PROTECTED]:/var/db/portaudit] # portaudit -F
auditfile.tbz 100% of   39 kB 2516 kBps
portaudit: Database too old.
Old database restored.
portaudit: Download failed.


any idea about this ??

--
Best regards,


Khaled J. Hussein
System Administrator
Hadara Technologies Group
[EMAIL PROTECTED]
http://www.palnet.com
Tel. +972 2-240-3434
Fax. +972 2-240-3430




portaudit problem

2007-01-03 Thread Matt Juszczak
For some reason, portaudit is now showing 0 problems with my ports when 
yesterday it was showing about 9.


Did something happen that is going to cause me a lot of headaches?

-Matt


portaudit thinks a vulnerability just disappeared

2006-10-16 Thread James Long
I have a 4.11-RELEASE system.

Prior to doing some minor portupdates, I had this portaudit report:

Checking for packages with security vulnerabilities:

Affected package: php4-4.4.1_3
Type of problem: php -- open_basedir Race Condition Vulnerability.
Reference: 
http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html

Affected package: php4-4.4.1_3
Type of problem: php -- multiple vulnerabilities.
Reference: 
http://www.FreeBSD.org/ports/portaudit/ea09c5df-4362-11db-81e1-000e0c2e438a.html

Affected package: ruby-1.8.4_3,1
Type of problem: ruby - multiple vulnerabilities.
Reference: 
http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html

Affected package: apache+mod_ssl-1.3.34+2.8.25_2
Type of problem: apache -- mod_rewrite buffer overflow vulnerability.
Reference: 
http://www.FreeBSD.org/ports/portaudit/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html

Affected package: mutt-1.4.2.1_2
Type of problem: mutt -- Remote Buffer Overflow Vulnerability.
Reference: 
http://www.FreeBSD.org/ports/portaudit/d2a43243-087b-11db-bc36-0008743bf21a.html

5 problem(s) in your installed packages found.


I cvsup'ped my ports tree and portupgraded ruby, mutt and portaudit, 
but not any of their dependencies (since version number changes were 
minor).

portaudit -aF now thinks:

www : 17:59:17 /root# portaudit -aF
auditfile.tbz 100% of   38 kB  138 kBps
New database installed.
Affected package: php4-4.4.1_3
Type of problem: php -- open_basedir Race Condition Vulnerability.
Reference: 
http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html

Affected package: php4-4.4.1_3
Type of problem: php -- multiple vulnerabilities.
Reference: 
http://www.FreeBSD.org/ports/portaudit/ea09c5df-4362-11db-81e1-000e0c2e438a.html

2 problem(s) in your installed packages found.


Why does portaudit think the apache+mod_ssl problem went away?  The 
installed version is still:

apache+mod_ssl-1.3.34+2.8.25_2 The Apache 1.3 webserver with SSL/TLS 
functionality


Thanks!

Jim


Re: portsdb output and portaudit question

2006-08-02 Thread Gerard
jan gestre [EMAIL PROTECTED]

  the box's running for almost 2 months now setup as webmail server, the
  only thing i removed was the linux compatible applications since i have no
  plans of installing linux. i ran pkgdb -F and pkgdb -fu to no avail, after
  doing cvsup this morning, ran portsdb -Uu, i still see those message looking
  for packages that wasn't even installed. i don't see any strange behavior
  for the server except those mentioned here. could these be detrimental?

I have no idea. However, if the system appears to be stable then I
assume you could just ignore it. I guess removing things from the base
installation was not such a good idea though.


-- 
+==+
|\  _,,,---,,_ |   Gerard Seibert
Zzz /,`.-'`'-.  ;-;;,_ | [EMAIL PROTECTED]
   |,4-  ) )-,_. ,\ (  `'-'| icq: 95653152  FAX: (845) 228-1602
  '---''(_/--'  `-'\_) |   //This Space Available//
+==+


Re: portsdb output and portaudit question

2006-08-01 Thread Gerard
jan gestre [EMAIL PROTECTED]

 it took almost 3 hours, i don't have X installed. i'm sending you the
 portmanager.log in private coz it might clutter the thread.

You have a warning message listed here:

Tue Aug  1 04:38:03 2006
 options changed so returningphp4-mbstring-4.4.2_2
/converters/php4-mbstringto out of date pool

I have never seen the options changed so returning ... message before.
I am going to check and see if I can find out what it means.

In the meantime, have you tried running pkgdb -F and just deleting the
bad references? By the way, is this a fresh install, or has it been up
for awhile? Did you ever delete any packages from the system?

-- 
+==+
|\  _,,,---,,_ |   Gerard Seibert
Zzz /,`.-'`'-.  ;-;;,_ |[EMAIL PROTECTED]
   |,4-  ) )-,_. ,\ (  `'-'| icq: 95653152  FAX: (845) 228-1602
  '---''(_/--'  `-'\_) |  //This Space Available//
+==+


Re: portsdb output and portaudit question

2006-08-01 Thread Chris Whitehouse

Gerard wrote:

jan gestre [EMAIL PROTECTED]


it took almost 3 hours, i don't have X installed. i'm sending you the
portmanager.log in private coz it might clutter the thread.


You have a warning message listed here:

Tue Aug  1 04:38:03 2006
 options changed so returningphp4-mbstring-4.4.2_2
/converters/php4-mbstringto out of date pool

I have never seen the options changed so returning ... message before.
I am going to check and see if I can find out what it means.


It seems to be when a port presents the blue Options screen. If you 
change anything (maybe even when you don't, not sure) portmanager gives 
that message. Unless there are other problems it seems to get back round 
to updating the port later in the run.


Chris



Re: portsdb output and portaudit question

2006-08-01 Thread Gerard Seibert
Chris Whitehouse wrote:

 It seems to be when a port presents the blue Options screen. If you 
 change anything (maybe even when you don't, not sure) portmanager gives 
 that message. Unless there are other problems it seems to get back round 
 to updating the port later in the run.

Interesting! I had not seen that message before.

-- 
Gerard Seibert
[EMAIL PROTECTED]



Re: portsdb output and portaudit question

2006-08-01 Thread jan gestre

On 8/1/06, Gerard [EMAIL PROTECTED] wrote:


jan gestre [EMAIL PROTECTED]

 it took almost 3 hours, i don't have X installed. i'm sending you the
 portmanager.log in private coz it might clutter the thread.

You have a warning message listed here:

Tue Aug  1 04:38:03 2006
options changed so returningphp4-mbstring-4.4.2_2
/converters/php4-mbstringto out of date pool

I have never seen the options changed so returning ... message before.
I am going to check and see if I can find out what it means.

In the meantime, have you tried running pkgdb -F and just deleting the
bad references? By the way, is this a fresh install, or has it been up
for awhile? Did you ever delete any packages from the system?

the box's running for almost 2 months now setup as webmail server, the
only thing i removed was the linux compatible applications since i have no
plans of installing linux. i ran pkgdb -F and pkgdb -fu to no avail, after
doing cvsup this morning, ran portsdb -Uu, i still see those message looking
for packages that wasn't even installed. i don't see any strange behavior
for the server except those mentioned here. could these be detrimental?




portsdb output and portaudit question

2006-07-31 Thread jan gestre

hi guys,

i was trying to portupgrade ruby coz portaudit is complaining of
vulnerabilities, i did run cvsup and portsdb -Uu before portupgrade, at
first i couldn't upgrade ruby coz portupgrade is complaining maybe coz
portaudit but someone in the list suggested this:

# portupgrade -Rr -m DISABLE_VULNERABILITIES=yes ruby

whoala it installed the ruby package but still portaudit complains even
though the installed version is current which has no vulnerability. is this
normal? any way to fix these?

and also prior to portupgrade, i run cvsup then portsdb -Uu  and i have the
following message/output when i ran  portsdb -Uu:


Package gtk+-2.0 was not found in the pkg-config search path.
Perhaps you should add the directory containing `gtk+-2.0.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gtk+-2.0' found
gnome-config: not found
Package gdk-pixbuf-xlib-2.0 was not found in the pkg-config search path.
Perhaps you should add the directory containing `gdk- pixbuf-xlib-2.0.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gdk-pixbuf-xlib-2.0' found
Makefile, line 24: warning: pkg-config gtk+-2.0
gdk-pixbuf-xlib-2.0--cflags returned non-zero status
gnome-config: not found
Package gtk+-2.0 was not found in the pkg-config search path.
Perhaps you should add the directory containing `gtk+-2.0.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gtk+- 2.0' found
gnome-config: not found
Package gdk-pixbuf-xlib-2.0 was not found in the pkg-config search path.
Perhaps you should add the directory containing `gdk-pixbuf-xlib-2.0.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gdk-pixbuf-xlib-2.0' found
Makefile, line 25: warning: pkg-config gtk+-2.0
gdk-pixbuf-xlib-2.0--libs returned non-zero status

my box is running FreeBSD 6.1 as webmail server, i do have xorg libraries
installed but i don't have those packages installed, are they part of the
xorg libraries?  how can i get rid or fix them?

TIA


Re: portsdb output and portaudit question

2006-07-31 Thread Svein Halvor Halvorsen
jan gestre wrote:
 i was trying to portupgrade ruby coz portaudit is complaining of
 vulnerabilities, i did run cvsup and portsdb -Uu before portupgrade, at
 first i couldn't upgrade ruby coz portupgrade is complaining maybe coz
 portaudit but someone in the list suggested this:
 
 # portupgrade -Rr -m DISABLE_VULNERABILITIES=yes ruby
 
 whoala it installed the ruby package but still portaudit complains even
 though the installed version is current which has no vulnerability. is this
 normal? any way to fix these?


This is expected behavior. The ports system will let you upgrade a
vulnerable port without complaint. It will however complain if you try
to install (or upgrade to) a version that has vulnerabilities. Since
portupgrade complained, it's no surprise that portaudit also complains
after the forced upgrade.

This means that either the version in ports isn't fixed yet (the
existence of a vulnerability of a prior version does not imply that said
vulnerability is fixed in the current version), or that your ports tree
is out of date. Seeing that the latter is not true, I would say you
just have to wait for an updated version to appear in ports.

You can create an account at freshports and add ruby to your watch
list. That means you'll get notified when new versions arrive.


Svein Halvor





Re: portsdb output and portaudit question

2006-07-31 Thread jan gestre

On 8/1/06, Svein Halvor Halvorsen [EMAIL PROTECTED] wrote:


jan gestre wrote:
 i was trying to portupgrade ruby coz portaudit is complaining of
 vulnerabilities, i did run cvsup and portsdb -Uu before portupgrade, at
 first i couldn't upgrade ruby coz portupgrade is complaining maybe coz
 portaudit but someone in the list suggested this:

 # portupgrade -Rr -m DISABLE_VULNERABILITIES=yes ruby

 whoala it installed the ruby package but still portaudit complains even
 though the installed version is current which has no vulnerability. is
this
 normal? any way to fix these?


This is expected behavior. The ports system will let you upgrade a
vulnerable port without complaint. It will however complain if you try
to install (or upgrade to) a version that has vulnerabilities. Since
portupgrade complained, it's no surprise that portaudit also complains
after the forced upgrade.

This means that either the version in ports isn't fixed yet (the
existence of a vulnerability of a prior version does not imply that said
vulnerability is fixed in the current version), or that your ports tree
is out of date. Seeing that the latter is not true, I would say you
just have to wait for an updated version to appear in ports.

You can create an account at freshports and add ruby to your watch
list. That means you'll get notified when new versions arrive.


 i portupgrade the previous version ruby-1.8.4_8,1 to the current version
which is ruby-1.8.4_9,1 and i also saw from the portaudit complaint that
the new version is not anymore affected by the vulnerabilities of the old
version meaning the maintainer already fixed this, however portaudit is
still complaining. and how about the portsdb output? why is it complaining
of stuff i don't have installed?




TIA


Re: portsdb output and portaudit question

2006-07-31 Thread jan gestre

On 8/1/06, jan gestre [EMAIL PROTECTED] wrote:




On 8/1/06, Svein Halvor Halvorsen [EMAIL PROTECTED] wrote:

 jan gestre wrote:
 i was trying to portupgrade ruby coz portaudit is complaining of
 vulnerabilities, i did run cvsup and portsdb -Uu before portupgrade, at
 first i couldn't upgrade ruby coz portupgrade is complaining maybe coz
 portaudit but someone in the list suggested this:

 # portupgrade -Rr -m DISABLE_VULNERABILITIES=yes ruby

 whoala it installed the ruby package but still portaudit complains even
 though the installed version is current which has no vulnerability. is
this
 normal? any way to fix these?


This is expected behavior. The ports system will let you upgrade a
vulnerable port without complaint. It will however complain if you try
to install (or upgrade to) a version that has vulnerabilities. Since
portupgrade complained, it's no surprise that portaudit also complains
after the forced upgrade.

This means that either the version in ports isn't fixed yet (the
existence of a vulnerability of a prior version does not imply that said
vulnerability is fixed in the current version), or that your ports tree
is out of date. Seeing that the latter is not true, I would say you
just have to wait for an updated version to appear in ports.

You can create an account at freshports and add ruby to your watch
list. That means you'll get notified when new versions arrive.


 i portupgrade the previous version ruby-1.8.4_8,1 to the current version
which is ruby-1.8.4_9,1 and i also saw from the portaudit complaint that
the new version is not anymore affected by the vulnerabilities of the old
version meaning the maintainer already fixed this, however portaudit is
still complaining. and how about the portsdb output? why is it complaining
of stuff i don't have installed?

i update the portaudit database and now it's no longer reporting the
vulnerability :) which brings me back to my second question regarding the
portsdb -Uu output, why is it complaining about those packages which i don't
have installed?




many thanks in advance


Re: portsdb output and portaudit question

2006-07-31 Thread Gerard Seibert



On Tue, 1 Aug 2006, jan gestre wrote:


hi guys,

i was trying to portupgrade ruby coz portaudit is complaining of
vulnerabilities, i did run cvsup and portsdb -Uu before portupgrade, at
first i couldn't upgrade ruby coz portupgrade is complaining maybe coz
portaudit but someone in the list suggested this:

# portupgrade -Rr -m DISABLE_VULNERABILITIES=yes ruby

whoala it installed the ruby package but still portaudit complains even
though the installed version is current which has no vulnerability. is this
normal? any way to fix these?

and also prior to portupgrade, i run cvsup then portsdb -Uu  and i have the
following message/output when i ran  portsdb -Uu:


Package gtk+-2.0 was not found in the pkg-config search path.
Perhaps you should add the directory containing `gtk+-2.0.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gtk+-2.0' found
gnome-config: not found
Package gdk-pixbuf-xlib-2.0 was not found in the pkg-config search path.
Perhaps you should add the directory containing `gdk- pixbuf-xlib-2.0.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gdk-pixbuf-xlib-2.0' found
Makefile, line 24: warning: pkg-config gtk+-2.0
gdk-pixbuf-xlib-2.0--cflags returned non-zero status
gnome-config: not found
Package gtk+-2.0 was not found in the pkg-config search path.
Perhaps you should add the directory containing `gtk+-2.0.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gtk+- 2.0' found
gnome-config: not found
Package gdk-pixbuf-xlib-2.0 was not found in the pkg-config search path.
Perhaps you should add the directory containing `gdk-pixbuf-xlib-2.0.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gdk-pixbuf-xlib-2.0' found
Makefile, line 25: warning: pkg-config gtk+-2.0
gdk-pixbuf-xlib-2.0--libs returned non-zero status

my box is running FreeBSD 6.1 as webmail server, i do have xorg libraries
installed but i don't have those packages installed, are they part of the
xorg libraries?  how can i get rid or fix them?

TIA


Have you tried running pkgdb prior to attempting the update? See the man 
manual for details.


You also might try installing 'portmanager' and running like this:

portmanager -u -f -l -y

It will rebuild the ports system and bring in all of the missing 
dependencies.


Just a thought!

--
Gerard Seibert
[EMAIL PROTECTED]


Re: portsdb output and portaudit question

2006-07-31 Thread jan gestre

On 8/1/06, Gerard Seibert [EMAIL PROTECTED] wrote:




On Tue, 1 Aug 2006, jan gestre wrote:

 hi guys,

 i was trying to portupgrade ruby coz portaudit is complaining of
 vulnerabilities, i did run cvsup and portsdb -Uu before portupgrade, at
 first i couldn't upgrade ruby coz portupgrade is complaining maybe coz
 portaudit but someone in the list suggested this:

 # portupgrade -Rr -m DISABLE_VULNERABILITIES=yes ruby

 whoala it installed the ruby package but still portaudit complains even
 though the installed version is current which has no vulnerability. is
this
 normal? any way to fix these?

 and also prior to portupgrade, i run cvsup then portsdb -Uu  and i have
the
 following message/output when i ran  portsdb -Uu:


 Package gtk+-2.0 was not found in the pkg-config search path.
 Perhaps you should add the directory containing `gtk+-2.0.pc'
 to the PKG_CONFIG_PATH environment variable
 No package 'gtk+-2.0' found
 gnome-config: not found
 Package gdk-pixbuf-xlib-2.0 was not found in the pkg-config search path.
 Perhaps you should add the directory containing `gdk- pixbuf-xlib-2.0.pc
'
 to the PKG_CONFIG_PATH environment variable
 No package 'gdk-pixbuf-xlib-2.0' found
 Makefile, line 24: warning: pkg-config gtk+-2.0
 gdk-pixbuf-xlib-2.0--cflags returned non-zero status
 gnome-config: not found
 Package gtk+-2.0 was not found in the pkg-config search path.
 Perhaps you should add the directory containing `gtk+-2.0.pc'
 to the PKG_CONFIG_PATH environment variable
 No package 'gtk+- 2.0' found
 gnome-config: not found
 Package gdk-pixbuf-xlib-2.0 was not found in the pkg-config search path.
 Perhaps you should add the directory containing `gdk-pixbuf-xlib-2.0.pc'
 to the PKG_CONFIG_PATH environment variable
 No package 'gdk-pixbuf-xlib-2.0' found
 Makefile, line 25: warning: pkg-config gtk+-2.0
 gdk-pixbuf-xlib-2.0--libs returned non-zero status

 my box is running FreeBSD 6.1 as webmail server, i do have xorg
libraries
 installed but i don't have those packages installed, are they part of
the
 xorg libraries?  how can i get rid or fix them?

 TIA

Have you tried running pkgdb prior to attempting the update? See the man
manual for details.



yes i did run pkgdb -fu then proceeded with  updating but with  the same
result.

You also might try installing 'portmanager' and running like this:


portmanager -u -f -l -y



i'll give this one a try and will post back the results.

It will rebuild the ports system and bring in all of the missing

dependencies.

Just a thought!

--
Gerard Seibert
[EMAIL PROTECTED]




Re: portsdb output and portaudit question

2006-07-31 Thread jan gestre

On 8/1/06, jan gestre [EMAIL PROTECTED] wrote:




On 8/1/06, Gerard Seibert [EMAIL PROTECTED] wrote:



 On Tue, 1 Aug 2006, jan gestre wrote:

  hi guys,
 
  i was trying to portupgrade ruby coz portaudit is complaining of
  vulnerabilities, i did run cvsup and portsdb -Uu before portupgrade,
 at
  first i couldn't upgrade ruby coz portupgrade is complaining maybe coz
  portaudit but someone in the list suggested this:
 
  # portupgrade -Rr -m DISABLE_VULNERABILITIES=yes ruby
 
  whoala it installed the ruby package but still portaudit complains
 even
  though the installed version is current which has no vulnerability. is
 this
  normal? any way to fix these?
 
  and also prior to portupgrade, i run cvsup then portsdb -Uu  and i
 have the
  following message/output when i ran  portsdb -Uu:
 
 
  Package gtk+-2.0 was not found in the pkg-config search path.
  Perhaps you should add the directory containing `gtk+-2.0.pc'
  to the PKG_CONFIG_PATH environment variable
  No package 'gtk+-2.0' found
  gnome-config: not found
  Package gdk-pixbuf-xlib-2.0 was not found in the pkg-config search
 path.
  Perhaps you should add the directory containing `gdk-
 pixbuf-xlib-2.0.pc '
  to the PKG_CONFIG_PATH environment variable
  No package 'gdk-pixbuf-xlib-2.0' found
  Makefile, line 24: warning: pkg-config gtk+-2.0
  gdk-pixbuf-xlib-2.0--cflags returned non-zero status
  gnome-config: not found
  Package gtk+-2.0 was not found in the pkg-config search path.
  Perhaps you should add the directory containing `gtk+-2.0.pc'
  to the PKG_CONFIG_PATH environment variable
  No package 'gtk+- 2.0' found
  gnome-config: not found
  Package gdk-pixbuf-xlib-2.0 was not found in the pkg-config search
 path.
  Perhaps you should add the directory containing `gdk-
 pixbuf-xlib-2.0.pc '
  to the PKG_CONFIG_PATH environment variable
  No package 'gdk-pixbuf-xlib-2.0' found
  Makefile, line 25: warning: pkg-config gtk+-2.0
  gdk-pixbuf-xlib-2.0--libs returned non-zero status
 
  my box is running FreeBSD 6.1 as webmail server, i do have xorg
 libraries
  installed but i don't have those packages installed, are they part of
 the
  xorg libraries?  how can i get rid or fix them?
 
  TIA

 Have you tried running pkgdb prior to attempting the update? See the man
 manual for details.


yes i did run pkgdb -fu then proceeded with  updating but with  the same
result.

You also might try installing 'portmanager' and running like this:

 portmanager -u -f -l -y


i'll give this one a try and will post back the results.

It will rebuild the ports system and bring in all of the missing
 dependencies.

 Just a thought!

 after almost an eternity i finally was able to upgrade all packages via
portmanager, run cvsup then portsdb and with the same end result, i still
get those missing..not install... packages :(




Re: portsdb output and portaudit question

2006-07-31 Thread Gerard
jan gestre [EMAIL PROTECTED]

   after almost an eternity i finally was able to upgrade all packages via
  portmanager, run cvsup then portsdb and with the same end result, i still
  get those missing..not install... packages :(

It seems to me that you rebuilt your system with portmanager in just a
few hours. It would take me a few days to rebuild everything. However, I
do have Open Office and the full KDE suite installed.

What is the output of the portmanager log. It is in
/var/log/portmanager.log. Please post it or send it to me. I want to see
what it reports.

Ciao!

-- 

+==+
|\  _,,,---,,_ | Gerard Seibert
Zzz /,`.-'`'-.  ;-;;,_ |  [EMAIL PROTECTED]
   |,4-  ) )-,_. ,\ (  `'-'| icq: 95653152  FAX: (845) 228-1602
  '---''(_/--'  `-'\_) |   //This Space Available//
+==+


portaudit report vs. portupgrade report

2006-05-18 Thread Jim Angstadt
Hi All,

I'm new to FreeBSD.

The daily security report lists 9 problems with
installed packages.  

In an earlier message I was advised to use the ports
system to avoid dealing with package dependencies. 
Thanks to all for that advice.

So I have done the cvsup, buildworld, buildkernel,
..., process and completed without errors.  (Thanks to
all who have posted helpful messages on this subject.)

Running portaudit -Fa advised me that the same 9
packages were still a problem.

Running portupgrade -n firefox advised me:

  ** No need to upgrade 'firefox-1.0.7_1,1' (=
firefox-1.0.7_1,1).

Same thing with mozilla:

  ** No need to upgrade 'mozilla-1.7.12,2' (=
mozilla-1.7.12,2).

I did not check the other 7 packages in question.

On the surface, to me, it seems as if these two tools
are giving me opposite information.

So, ... what is going on here?  What should I do to
get right.

Please see below for the actual console traffic,
slightly snipped.


# --- actual console traffic ---

tiny# uname -a
FreeBSD tiny.brc.localnet 6.0-RELEASE-p7 FreeBSD
6.0-RELEASE-p7 #0: Wed May 17 16:26:53 PDT 2006
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC 
i386


tiny# portaudit -Fa
auditfile.tbz 100% of 
 35 kB  154 kBps
New database installed.
Affected package: firefox-1.0.7_1,1
Type of problem: mozilla -- multiple vulnerabilities.
Reference:
http://www.FreeBSD.org/ports/portaudit/84630f4a-cd8c-11da-b7b9-000c6ec775d9.html

Affected package: mozilla-1.7.12,2
Type of problem: mozilla -- multiple vulnerabilities.
Reference:
http://www.FreeBSD.org/ports/portaudit/84630f4a-cd8c-11da-b7b9-000c6ec775d9.html

[ 7 other packages snipped ]

9 problem(s) in your installed packages found.

You are advised to update or deinstall the affected
package(s) immediately.


tiny# portupgrade -n firefox
---  Session started at: Wed, 17 May 2006 18:55:20
-0700
[Rebuilding the pkgdb format:bdb1_btree in
/var/db/pkg ... - 241 packages found (-0 +241)
.
done]
[Updating the portsdb format:bdb1_btree in
/usr/ports ... - 13306 port entries found
.1000.2000.3000.4000.5000.6000.7000.8000.9000.1.11000.12000.13000...
. done]
** No need to upgrade 'firefox-1.0.7_1,1' (=
firefox-1.0.7_1,1). (specify -f to force)
---  Listing the results (+:done / -:ignored /
*:skipped / !:failed)
- www/firefox (firefox-1.0.7_1,1)
---  Packages processed: 0 done, 1 ignored, 0 skipped
and 0 failed
---  Session ended at: Wed, 17 May 2006 18:57:17
-0700 (consumed 00:01:57)


tiny# portupgrade -n mozilla
---  Session started at: Wed, 17 May 2006 18:58:49
-0700
** No need to upgrade 'mozilla-1.7.12,2' (=
mozilla-1.7.12,2). (specify -f to force)
---  Listing the results (+:done / -:ignored /
*:skipped / !:failed)
- www/mozilla (mozilla-1.7.12,2)
---  Packages processed: 0 done, 1 ignored, 0 skipped
and 0 failed
---  Session ended at: Wed, 17 May 2006 18:58:53
-0700 (consumed 00:00:03)


# - end of console traffic -




Re: portaudit report vs. portupgrade report

2006-05-18 Thread Gerard Seibert
Jim Angstadt wrote:

 Hi All,
 
 I'm new to FreeBSD.
 
 The daily security report lists 9 problems with
 installed packages.  
 
 In an earlier message I was advised to use the ports
 system to avoid dealing with package dependencies. 
 Thanks to all for that advice.
 
 So I have done the cvsup, buildworld, buildkernel,
 .., process and completed without errors.  (Thanks to
 all who have posted helpful messages on this subject.)
 
 Running portaudit -Fa advised me that the same 9
 packages were still a problem.
 
 Running portupgrade -n firefox advised me:
 
   ** No need to upgrade 'firefox-1.0.7_1,1' (=
 firefox-1.0.7_1,1).
 
 Same thing with mozilla:
 
   ** No need to upgrade 'mozilla-1.7.12,2' (=
 mozilla-1.7.12,2).
 
 I did not check the other 7 packages in question.
 
 On the surface, to me, it seems as if these two tools
 are giving me opposite information.
 
 So, ... what is going on here?  What should I do to
 get right.
 
 Please see below for the actual console traffic,
 slightly snipped.
 
 
 # --- actual console traffic ---
 
 tiny# uname -a
 FreeBSD tiny.brc.localnet 6.0-RELEASE-p7 FreeBSD
 6.0-RELEASE-p7 #0: Wed May 17 16:26:53 PDT 2006
 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC 
 i386
 
 
 tiny# portaudit -Fa
 auditfile.tbz 100% of 
  35 kB  154 kBps
 New database installed.
 Affected package: firefox-1.0.7_1,1
 Type of problem: mozilla -- multiple vulnerabilities.
 Reference:
 http://www.FreeBSD.org/ports/portaudit/84630f4a-cd8c-11da-b7b9-000c6ec775d9.html
 
 Affected package: mozilla-1.7.12,2
 Type of problem: mozilla -- multiple vulnerabilities.
 Reference:
 http://www.FreeBSD.org/ports/portaudit/84630f4a-cd8c-11da-b7b9-000c6ec775d9.html
 
 [ 7 other packages snipped ]
 
 9 problem(s) in your installed packages found.
 
 You are advised to update or deinstall the affected
 package(s) immediately.
 
 
 tiny# portupgrade -n firefox
 ---  Session started at: Wed, 17 May 2006 18:55:20
 -0700
 [Rebuilding the pkgdb format:bdb1_btree in
 /var/db/pkg ... - 241 packages found (-0 +241)
 
 done]
 [Updating the portsdb format:bdb1_btree in
 /usr/ports ... - 13306 port entries found
 1000.2000.3000.4000.5000.6000.7000.8000.9000.1.11000.12000.13000...
  done]
 ** No need to upgrade 'firefox-1.0.7_1,1' (=
 firefox-1.0.7_1,1). (specify -f to force)
 ---  Listing the results (+:done / -:ignored /
 *:skipped / !:failed)
 - www/firefox (firefox-1.0.7_1,1)
 ---  Packages processed: 0 done, 1 ignored, 0 skipped
 and 0 failed
 ---  Session ended at: Wed, 17 May 2006 18:57:17
 -0700 (consumed 00:01:57)
 
 
 tiny# portupgrade -n mozilla
 ---  Session started at: Wed, 17 May 2006 18:58:49
 -0700
 ** No need to upgrade 'mozilla-1.7.12,2' (=
 mozilla-1.7.12,2). (specify -f to force)
 ---  Listing the results (+:done / -:ignored /
 *:skipped / !:failed)
 - www/mozilla (mozilla-1.7.12,2)
 ---  Packages processed: 0 done, 1 ignored, 0 skipped
 and 0 failed
 ---  Session ended at: Wed, 17 May 2006 18:58:53
 -0700 (consumed 00:00:03)
 
 
 # - end of console traffic -

Portaudit is reporting problems with certain ports. You need to update
your ports tree, might I suggest portsnap, before you can correct the
problem. Even then, a new version of the port that corrects the problem
may not be available. If it is not, keep trying every day or so and it
will usually be made available to you. Obviously you need to update your
ports tree on a regular schedule. You might want to investigate using
CRON to automate this procedure for you.

Also, you might want to give portmanager a look. Personally, I prefer it
to portupgrade. Strictly a personal choice though. I just think it
handles dependencies in a far superior manner.


-- 
Gerard Seibert
[EMAIL PROTECTED]


Ruth rode upon my motor bike
directly in back of me.
I hit a bump at 95
and rode on Ruthlessly.


Re: Local portaudit server.

2006-03-11 Thread [EMAIL PROTECTED]

David Robillard wrote:

Hello,

We use the port security/portaudit on all of our FreeBSD servers.
Currently, every machine has to go out on the internet to download the
portaudit vulnerability database from the FreeBSD server.

Since all of the machines are downloading the exact same file, we
would like to setup a local portaudit server. This server would fetch
the vulnerability file and all the rest of our servers would fetch it
from the local portaudit server.

Has anyone done this setup? Any help/pointers would be great.

Hi

I haven't done it but I don't think it should be a problem:

If you look at the portaudit script
/usr/local/sbin/portaudit

you'll find that the auditfile is located here:
http://www.freebsd.org/ports/auditfile.tbz

You can get it manually, try.

So by changing some variables in

portaudit_confs()
{
: ${portaudit_dir=/var/db/portaudit}
: ${portaudit_filename=auditfile.tbz}

: ${portaudit_fetch_env=}
: ${portaudit_fetch_cmd=fetch -1mp}

: ${portaudit_sites=http://www.FreeBSD.org/ports/}

: ${portaudit_fixed=}

if [ -r /usr/local/etc/portaudit.conf ]; then
. /usr/local/etc/portaudit.conf
fi
}

on each machine you should be able to guide them to your local machine.

hth
lars.
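
The override lars describes, written out as an added example that is not part of the original post or of the portaudit port: it reproduces the precedence in portaudit_confs() (built-in default, then environment, then /usr/local/etc/portaudit.conf) and checks the conf file's permissions, since the file is sourced as shell. The host name portaudit.internal.example, the three function names, and the assumption that the fetch URL is the site followed by the file name are introduced here.

```shell
#!/bin/sh
# Added example (not from the portaudit port): reproduce the settings
# precedence of portaudit_confs() so a mirror override can be checked offline.

# Print the URL a client would fetch, given the path of a portaudit.conf.
# Assumption: the URL is ${portaudit_sites}${portaudit_filename}, which matches
# the default site and the auditfile.tbz URL quoted in the post.
resolve_audit_url() {
    (
        conf_file=$1
        # ": ${var=default}" assigns only when var is unset, so a value that
        # is already set in the calling environment survives this step.
        : "${portaudit_filename=auditfile.tbz}"
        : "${portaudit_sites=http://www.FreeBSD.org/ports/}"

        # The conf file is sourced last, so plain assignments in it win over
        # both the built-in defaults and the environment.
        if [ -r "$conf_file" ]; then
            . "$conf_file"
        fi
        printf '%s%s\n' "$portaudit_sites" "$portaudit_filename"
    )
}

# Write a client-side override pointing at an internal mirror.
# $1 = conf file to write, $2 = base URL of the mirror (constructed value).
write_mirror_conf() {
    (
        umask 022
        printf '# sourced as shell by portaudit: keep it root-owned\n' > "$1"
        printf 'portaudit_sites="%s"\n' "$2" >> "$1"
    )
}

# Succeeds when the conf file is not group- or world-writable. Anything in
# this file runs with the privileges of whoever runs portaudit (root in the
# daily security run), so a writable conf file is a code-execution path.
# A missing file also passes: the built-in defaults are used in that case.
conf_perms_ok() {
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
write_mirror_conf "$demo_dir/portaudit.conf" "http://portaudit.internal.example/"
echo "without conf: $(resolve_audit_url "$demo_dir/absent.conf")"
echo "with conf   : $(resolve_audit_url "$demo_dir/portaudit.conf")"
if conf_perms_ok "$demo_dir/portaudit.conf"; then
    echo "conf permissions ok"
fi
rm -rf "$demo_dir"
```

On the mirror host itself, the database that `portaudit -F` downloads into /var/db/portaudit is the file the internal web server would publish under that base URL.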


Re: Local portaudit server.

2006-03-11 Thread Chuck Swiger
David Robillard wrote:
 We use the port security/portaudit on all of our FreeBSD servers.
 Currently, every machine has to go out on the internet to download the
 portaudit vulnerability database from the FreeBSD server.

If your internal machines need to talk to the web, and you wish to control or
restrict that behavior, the canonical solution is to setup a proxy server and
firewall which blocks Internet access for everything except the proxy.

 Since all of the machines are downloading the exact same file, we
 would like to setup a local portaudit server. This server would fetch
 the vulnerability file and all the rest of our servers would fetch it
 from the local portaudit server.
 
 Has anyone done this setup? Any help/pointers would be great.

You could also use rsync to copy /var/db/portaudit from the external server to
your internal machines on a daily basis via a cron job.

-- 
-Chuck


Local portaudit server.

2006-03-10 Thread David Robillard
Hello,

We use the port security/portaudit on all of our FreeBSD servers.
Currently, every machine has to go out on the internet to download the
portaudit vulnerability database from the FreeBSD server.

Since all of the machines are downloading the exact same file, we
would like to setup a local portaudit server. This server would fetch
the vulnerability file and all the rest of our servers would fetch it
from the local portaudit server.

Has anyone done this setup? Any help/pointers would be great.

Thanks,

David

--
David Robillard
UNIX systems administrator, CISSP
Montreal: +1 514 966 0122


Re: What happened with portaudit?

2005-11-07 Thread martinko

Simon L. Nielsen wrote:

On 2005.11.06 21:48:52 +0100, Jimmy Scott wrote:


On Sun, Nov 06, 2005 at 05:30:00PM +0100, Kövesdán Gábor wrote:


Hello,

On one of my machines I got a report about 3 vulnerable packages (php4,
ruby, openssl) in tomorrow's security run output, but in today's security
run output all of them disappeared, but nobody upgraded or removed the
affected packages. I reinstalled portaudit, refreshed its database, but
now it reports 0 affected packages. The pkg_info command lists those three
packages, so they are still installed. Does anybody suspect what's wrong?


I noticed the same, but didn't have the time to look for a possible
answer on that question.



It does seem to work for me now.  Could people having this problem
please check the size of /var/db/portaudit/auditfile.tbz and try to
run portaudit -Fa to refetch the database and check again?

For reference:

[EMAIL PROTECTED]:/tmp] ls -l /var/db/portaudit/auditfile.tbz
-r--r--r--  1 root  wheel  31762  6 Nov 22:40 /var/db/portaudit/auditfile.tbz

There has been one previous report where a problem with the portaudit
database build resulted in an incomplete auditfile which was then
fixed after the next portaudit database rebuild.



it works now.

and yes, i did portaudit -Fda several times during that day to no avail.

m.



What happened with portaudit?

2005-11-06 Thread Kövesdán Gábor

Hello,

On one of my machines I got a report about 3 vulnerable packages (php4,
ruby, openssl) in tomorrow's security run output, but in today's security
run output all of them disappeared, but nobody upgraded or removed the
affected packages. I reinstalled portaudit, refreshed its database, but
now it reports 0 affected packages. The pkg_info command lists those three
packages, so they are still installed. Does anybody suspect what's wrong?


Cheers,

Gabor Kovesdan


Re: What happened with portaudit?

2005-11-06 Thread Subhro

Kövesdán Gábor sat at his 'puter and typed on 11/6/2005 22:00:

Hello,

On one of my machines I got a report about 3 vulnerable packages (php4,
ruby, openssl) in tomorrow's security run output, but in today's
security run output all of them disappeared, but nobody upgraded or
removed the affected packages. I reinstalled portaudit, refreshed its
database, but now it reports 0 affected packages. The pkg_info command
lists those three packages, so they are still installed. Does anybody
suspect what's wrong?


Cheers,

Gabor Kovesdan



The first thing I would do is check the tripwire checksums.

Thanks
S.

--
---+--
  |   Subhro Sankha Kar
   \   /  |  GSM: +919831064613  --  Fax: +919831832913
\./   |  MSN:[EMAIL PROTECTED]  --  Yahoo: subhro82
   (0Y0)  |  ICQ: 203567534 --  AIM: bsdboy1982
ooO--(_)--Ooo--+--



Re: What happened with portaudit?

2005-11-06 Thread martinko

Kövesdán Gábor wrote:

Hello,

On one of my machines I got a report about 3 vulnerable packages (php4,
ruby, openssl) in tomorrow's security run output, but in today's security
run output all of them disappeared, but nobody upgraded or removed the
affected packages. I reinstalled portaudit, refreshed its database, but
now it reports 0 affected packages. The pkg_info command lists those three
packages, so they are still installed. Does anybody suspect what's wrong?


Cheers,

Gabor Kovesdan




well, i can confirm i've had some issues with ports lately, too.

after realising new gnome was out i did portsnap and portaudit as usual. 
i was very surprised to find out that portversion didn't show new ports 
as well as portaudit didn't report on 2 vulnerabilities it reported a 
day or two before. i tried to update ports db manually only to find some 
errors. pkg_version correctly identified new ports. this state changed 
in about half a day when suddenly portsnap & portversion reported all 
new packages. otoh, portaudit still doesn't report on vulnerabilities it 
reported a few days ago.


strange..

martin



Re: What happened with portaudit?

2005-11-06 Thread Jimmy Scott
On Sun, Nov 06, 2005 at 05:30:00PM +0100, Kövesdán Gábor wrote:
 Hello,
 
 On one of my machines I got a report about 3 vulnerable packages (php4,
 ruby, openssl) in tomorrow's security run output, but in today's security
 run output all of them disappeared, but nobody upgraded or removed the
 affected packages. I reinstalled portaudit, refreshed its database, but
 now it reports 0 affected packages. The pkg_info command lists those three
 packages, so they are still installed. Does anybody suspect what's wrong?
 
 Cheers,
 
 Gabor Kovesdan
 

I noticed the same, but didn't have the time to look for a possible
answer on that question.

-- 
The Four Horsemen of the Apocalypse: Death, Famine, War, and SNMP




Re: What happened with portaudit?

2005-11-06 Thread Simon L. Nielsen
On 2005.11.06 21:48:52 +0100, Jimmy Scott wrote:
 On Sun, Nov 06, 2005 at 05:30:00PM +0100, Kövesdán Gábor wrote:
  Hello,
  
  On one of my machines I got a report about 3 vulnerable packages (php4,
  ruby, openssl) in tomorrow's security run output, but in today's security
  run output all of them disappeared, but nobody upgraded or removed the
  affected packages. I reinstalled portaudit, refreshed its database, but
  now it reports 0 affected packages. The pkg_info command lists those three
  packages, so they are still installed. Does anybody suspect what's wrong?
 
 I noticed the same, but didn't have the time to look for a possible
 answer on that question.

It does seem to work for me now.  Could people having this problem
please check the size of /var/db/portaudit/auditfile.tbz and try to
run portaudit -Fa to refetch the database and check again?

For reference:

[EMAIL PROTECTED]:/tmp] ls -l /var/db/portaudit/auditfile.tbz
-r--r--r--  1 root  wheel  31762  6 Nov 22:40 /var/db/portaudit/auditfile.tbz

There has been one previous report where a problem with the portaudit
database build resulted in an incomplete auditfile which was then
fixed after the next portaudit database rebuild.

-- 
Simon L. Nielsen
FreeBSD Security Team




Re: What happened with portaudit?

2005-11-06 Thread Lupe Christoph
On Sunday, 2005-11-06 at 23:09:42 +0100, Simon L. Nielsen wrote:

 It does seem to work for me now.  Could people having this problem
 please check the size of /var/db/portaudit/auditfile.tbz and try to
 run portaudit -Fa to refetch the database and check again?

 For reference:

 [EMAIL PROTECTED]:/tmp] ls -l /var/db/portaudit/auditfile.tbz
 -r--r--r--  1 root  wheel  31762  6 Nov 22:40 /var/db/portaudit/auditfile.tbz

Same problem here, on all machines:

ls -l /var/db/portaudit/auditfile.tbz
-r--r--r--  1 root  wheel  5689 Nov  6 03:10 /var/db/portaudit/auditfile.tbz

portaudit -Fa
auditfile.tbz 100% of   31 kB   32 kBps
New database installed.
0 problem(s) in your installed packages found.

ls -l /var/db/portaudit/auditfile.tbz
-r--r--r--  1 root  wheel  31764 Nov  7 07:40 /var/db/portaudit/auditfile.tbz

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in Armageddon, 1998, about the Space Shuttle   |


Re: What happened with portaudit?

2005-11-06 Thread jimmy
Quoting Simon L. Nielsen [EMAIL PROTECTED]:

 On 2005.11.06 21:48:52 +0100, Jimmy Scott wrote:
  On Sun, Nov 06, 2005 at 05:30:00PM +0100, Kövesdán Gábor wrote:
   Hello,
  
   On one of my machines I got a report about 3 vulnerable packages (php4,
   ruby, openssl) in tomorrow's security run output, but in today's security
   run output all of them disappeared, but nobody upgraded or removed the
   affected packages. I reinstalled portaudit, refreshed its database, but
   now it reports 0 affected packages. The pkg_info command lists those three
   packages, so they are still installed. Does anybody suspect what's wrong?
 
  I noticed the same, but didn't have the time to look for a possible
  answer on that question.

 It does seem to work for me now.  Could people having this problem
 please check the size of /var/db/portaudit/auditfile.tbz and try to
 run portaudit -Fa to refetch the database and check again?

 For reference:

 [EMAIL PROTECTED]:/tmp] ls -l /var/db/portaudit/auditfile.tbz
 -r--r--r--  1 root  wheel  31762  6 Nov 22:40 /var/db/portaudit/auditfile.tbz

 There has been one previous report where a problem with the portaudit
 database build resulted in an incomplete auditfile which was then
 fixed after the next portaudit database rebuild.

 --
 Simon L. Nielsen
 FreeBSD Security Team


Everything seems fine today, I can't check the size of the file from
then since it's being run every night by periodic/security.

If you are really interested in the file I could restore it from a
backup somehow, but it will be a lot of work. I should have checked
it from the moment I noticed in the emails.

Kind regards,
Jimmy Scott
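
The local-mirror question and the truncated-database reports in the two threads above meet at one point: whatever the mirror serves is what every client audits against. The following is an added example, not code from any poster and not portaudit's own: a publish gate for the mirror host that refuses an auditfile.tbz that is unreadable or has shrunk sharply against the copy already served (the thread shows 5689 bytes against a normal 31762). The function names, the 50% threshold, the example host name and the archive member name "auditfile" are assumptions.

```sh
#!/bin/sh
# Added example (not portaudit's own code): publish gate for a local
# portaudit mirror. Function names, the 50% threshold and the example
# host below are assumptions made for this sketch.
#
# Clients point at the mirror through the variable shown in the thread,
# set in /usr/local/etc/portaudit.conf:
#   portaudit_sites="http://portaudit.example.internal/ports/"

# Size of a file in bytes (wc -c behaves the same on BSD and GNU).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# size_ok NEW OLD MIN_PERCENT
# True when NEW is at least MIN_PERCENT of OLD. With no previous copy
# (OLD = 0) there is nothing to compare against, so accept.
size_ok() {
    [ "$2" -eq 0 ] && return 0
    [ $(( $1 * 100 )) -ge $(( $2 * $3 )) ]
}

# archive_ok FILE
# True when FILE is a readable bzip2 tar holding a member named
# "auditfile" (assumed member name inside auditfile.tbz).
archive_ok() {
    tar -tjf "$1" 2>/dev/null | grep -qx 'auditfile'
}

# publish_auditfile CANDIDATE PUBLISHED [MIN_PERCENT]
# Returns 0 published, 1 missing/empty, 2 bad archive, 3 shrank too much.
publish_auditfile() {
    cand=$1
    pub=$2
    min=${3:-50}

    [ -s "$cand" ] || { echo "reject: candidate missing or empty" >&2; return 1; }
    archive_ok "$cand" || { echo "reject: not a valid auditfile archive" >&2; return 2; }

    old=0
    [ -f "$pub" ] && old=$(file_size "$pub")
    new=$(file_size "$cand")
    if ! size_ok "$new" "$old" "$min"; then
        echo "reject: $new bytes is under ${min}% of published $old bytes" >&2
        return 3
    fi

    # Write beside the target and rename, so clients never fetch a partial file.
    tmp="$pub.new.$$"
    cp "$cand" "$tmp" && chmod 444 "$tmp" && mv -f "$tmp" "$pub"
}

# Stand-alone use: sh publish.sh publish CANDIDATE PUBLISHED [MIN_PERCENT]
if [ "${1:-}" = "publish" ] && [ "$#" -ge 3 ]; then
    publish_auditfile "$2" "$3" "${4:-50}"
fi
```

A rejected candidate leaves the previously published file in place, so clients keep auditing against the last good database while the non-zero exit status flags the fetch job for attention.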




Re: portaudit reports: how to exclude a specific vulnerability

2005-10-31 Thread Daniel Pittman
Michael C. Shultz [EMAIL PROTECTED] writes:
 On Sunday 30 October 2005 22:45, you wrote:
G'day.

[...]

 I can't work out how to tell portaudit to stop bothering me about 
 [a single] particular vulnerability, though.

 Can I ask it to exclude a vulnerability, or (even better) a
 vulnerability/package combination, from reports?

 I think this will do it, put it in /etc/make.conf

 .if ${.CURDIR:M*/security/p5-Crypt-OpenPGP}
 DISABLE_VULNERABILITIES=YES
 .endif

Hrm.  That doesn't exclude it from the command line tool, and a quick
check of the periodic/security file tells me that it won't work in the
periodic runs either.

Unfortunately, portaudit only seems to support the 'portaudit_fixed'
system for marking a problem in the core OS fixed, not for individual
versions.

More searching also shows a comment from the author(s) to the effect
that this would be easy to extend to non-core packages, but that has not
been done yet.

Ah, well.  Either a local patch, or I just cope with the problem, I
guess.
Daniel


portaudit reports: how to exclude a specific vulnerability

2005-10-30 Thread Daniel Pittman
G'day.  I am relatively new to FreeBSD, but failed to find an answer to
this question in the handbook, manual pages, or other references about
portaudit:

At the moment, portaudit is reporting one vulnerability on my system,
with the 'p5-Crypt-OpenPGP' package.  

There isn't, apparently, a release of this package available that
resolves the issue.

I have checked the advisory and I am quite happy that the specific
problem is not going to hurt here, so I don't mind that the
theoretically vulnerable version is installed.[1]

I can't work out how to tell portaudit to stop bothering me about this
particular vulnerability, though.  

Can I ask it to exclude a vulnerability, or (even better) a
vulnerability/package combination, from reports?


I specifically /don't/ want to exclude the package from auditing,
though, since I want to know if another security issue turns up for it.

Thanks,
   Daniel

Footnotes: 
[1]  The specific issue is a cryptographic weakness that needs a
 specific and particularly unlikely bit of code written by us before
 it actually does anything.  Not, as they say, going to happen.



Re: portaudit reports: how to exclude a specific vulnerability

2005-10-30 Thread Michael C. Shultz
On Sunday 30 October 2005 22:45, you wrote:
 G'day.  I am relatively new to FreeBSD, but failed to find an answer to
 this question in the handbook, manual pages, or other references about
 portaudit:

 At the moment, portaudit is reporting one vulnerability on my system,
 with the 'p5-Crypt-OpenPGP' package.

 There isn't, apparently, a release of this package available that
 resolves the issue.

 I have checked the advisory and I am quite happy that the specific
 problem is not going to hurt here, so I don't mind that the
 theoretically vulnerable version is installed.[1]

 I can't work out how to tell portaudit to stop bothering me about this
 particular vulnerability, though.

 Can I ask it to exclude a vulnerability, or (even better) a
 vulnerability/package combination, from reports?

I think this will do it, put it in /etc/make.conf

.if ${.CURDIR:M*/security/p5-Crypt-OpenPGP}
DISABLE_VULNERABILITIES=YES
.endif

-Mike


 I specifically /don't/ want to exclude the package from auditing,
 though, since I want to know if another security issue turns up for it.

 Thanks,
Daniel

 Footnotes:
 [1]  The specific issue is a cryptographic weakness that needs a
  specific and particularly unlikely bit of code written by us before
  it actually does anything.  Not, as they say, going to happen.



Re: portaudit question.....

2005-09-29 Thread Alex Zbyslaw

Wright Jim Contractor 14MDSS/SGSI wrote:


I guess my question is this.

How do I use the FreeBSD tools, Ports/Packages, etc, to install this latest
version??

Or am I missing the concept altogether ?

( I understand the process of downloading this latest version and installing
it manually. Just trying to understand and use the FreeBSD tools )

 

IMHO, the messages from portaudit are misleadingly worded.  Portaudit is 
correct that some of the software you installed has *some kind* of 
security vulnerability.  But everything else it says is potentially 
misleading.


1) There may be no upgrade available yet.  For there to be an upgrade 
the original code has to be fixed; in your example by the Mozilla team.  
Then, whoever is maintaining the port has to go through the work of 
fixing the new code to work on FreeBSD.  For a few simple bug fixes, 
that may not be too hard, but it still has to be done. How long all this 
takes will vary from port to port.  Mozilla is generally quite quick, 
from my experience, but xloadimage hung around for ages, not long ago.


2) The advice that you should either upgrade or de-install is 
unnecessarily authoritarian and frightening.  De-installing may not be 
an option, and the actual bug may have zero effect on your environment.  
And the presence of a bug does not indicate the presence of an exploit.  
If you are worried about a particular package then follow up the links 
portaudit provides and make up your mind what to do.



However, the fact that you have so many packages reporting problems 
says that either you are doing something wrong or not checking often enough.


1) cvsup your ports tree
2) either make fetchindex in /usr/ports and run portsdb -u, or run 
portsdb -Uu (slower but more accurate)

3) run pkg_version -L= to see what needs upgrading
4) use portupgrade to upgrade on a schedule that suits.  That might be 
daily or monthly depending on your environment.  Remember to read 
/usr/ports/UPDATING *before* doing any upgrades.



All of that except the upgrading can be automated safely to run at 3am, 
or any other quiet time you might have.

--Alex



portaudit question.....

2005-09-28 Thread Wright Jim Contractor 14MDSS/SGSI
To keep the story short:

 

I'm using version FreeBSD 5.4-RELEASE #6: Thu Aug 25 09:12:43 CDT 2005;
pasted from the dmesg.boot file.

To the best of my knowledge, I'm using CVSup, pkgdb -F, and portupgrade
commands correctly.

But, I'm pretty sure I'm still overlooking and/or leaving something out.

 

I just discovered the portaudit command and ran it against my system.

It comes up with 15 items that need to be upgraded or deinstalled.

For this question I'll use Mozilla.

The version it reports is Mozilla-1.7.7,2.

 

When I go to http://www.freebsd.org/ports/index.html and do a search for
Mozilla, I find that Mozilla-1.7.12,2 is the latest (stable) version.

 

I guess my question is this.

How do I use the FreeBSD tools, Ports/Packages, etc, to install this latest
version??

Or am I missing the concept altogether ?

( I understand the process of downloading this latest version and installing
it manually. Just trying to understand and use the FreeBSD tools )

 

Thanks for any and all help,

Jim Wright

Columbus, Mississippi

28 Sep 2005

 



Re: portaudit question.....

2005-09-28 Thread Gerard Seibert
On Wed, 28 Sep 2005 15:07:40 -0500, Wright Jim Contractor 14MDSS/SGSI [EMAIL 
PROTECTED]
Subject: portaudit question.
Wrote these words of wisdom:

 To keep the story short:
 
  
 
 I'm using version FreeBSD 5.4-RELEASE #6: Thu Aug 25 09:12:43 CDT 2005;
 pasted from the dmesg.boot file.
 
 To the best of my knowledge, I'm using CVSup, pkgdb -F, and portupgrade
 commands correctly.
 
 But, I'm pretty sure I'm still overlooking and/or leaving something out.
 
  
 
 I just discovered the portaudit command and ran it against my system.
 
 It comes up with 15 items that need to be upgraded or deinstalled.
 
 For this question I'll use Mozilla.
 
 The version it reports is Mozilla-1.7.7,2.
 
  
 
 When I go to http://www.freebsd.org/ports/index.html and do a search for
 Mozilla, I find that Mozilla-1.7.12,2 is the latest (stable) version.
 
  
 
 I guess my question is this.
 
 How do I use the FreeBSD tools, Ports/Packages, etc, to install this latest
 version??
 
 Or am I missing the concept altogether ?
 
 ( I understand the process of downloading this latest version and installing
 it manually. Just trying to understand and use the FreeBSD tools )
 
  
 
 Thanks for any and all help,
 
 Jim Wright
 
 Columbus, Mississippi
 
 28 Sep 2005


* REPLY SEPARATOR *
On 9/29/2005 4:29:46 PM, Gerard Seibert Replied:

Personally, I would first make sure you have a freshly updated ports
collection. Next, install 'portmanager' from the ports collection. Then
run it.

portmanager -u

This will take care of updating all of your out of date ports and their
dependencies.

-- 
Gerard Seibert
[EMAIL PROTECTED]



Re: portaudit question.....

2005-09-28 Thread K Anderson

- Original Message - 
From: Wright Jim Contractor 14MDSS/SGSI [EMAIL PROTECTED]
To: freebsd-questions@FreeBSD.org
Sent: Wednesday, September 28, 2005 1:07 PM
Subject: portaudit question.


 To keep the story short:



 I'm using version FreeBSD 5.4-RELEASE #6: Thu Aug 25 09:12:43 CDT 2005;
 pasted from the dmesg.boot file.

 To the best of my knowledge, I'm using CVSup, pkgdb -F, and portupgrade
 commands correctly.

 But, I'm pretty sure I'm still overlooking and/or leaving something out.



 I just discovered the portaudit command and ran it against my system.

 It comes up with 15 items that need to be upgraded or deinstalled.

 For this question I'll use Mozilla.

 The version it reports is Mozilla-1.7.7,2.
I'll take a stab at this one. Portaudit is a tool that takes your installed 
ports then goes out and finds any known vulnerabilities (man portaudit 
says --  portaudit -- system to check installed packages for known 
vulnerabilities.) In your example Mozilla. There are times that a vulnerable 
port does not have an update to it (pkg_version | grep ) so all the 
updating you do may or may not make a difference. Keep your ports tree up to 
date and check with pkg_version | grep  to see if there are changes. One 
other thing to note, they give you a URL to the issue they are talking about 
so you could potentially find more information that may guide you to getting 
an update or what's involved in the issue.

Hope that helps. 




Re: portaudit question.....

2005-09-28 Thread martinko

Wright Jim Contractor 14MDSS/SGSI wrote:

To keep the story short:

 


I'm using version FreeBSD 5.4-RELEASE #6: Thu Aug 25 09:12:43 CDT 2005;
pasted from the dmesg.boot file.

To the best of my knowledge, I'm using CVSup, pkgdb -F, and portupgrade
commands correctly.

But, I'm pretty sure I'm still overlooking and/or leaving something out.

 


I just discovered the portaudit command and ran it against my system.

It comes up with 15 items that need to be upgraded or deinstalled.

For this question I'll use Mozilla.

The version it reports is Mozilla-1.7.7,2.

 


When I go to http://www.freebsd.org/ports/index.html and do a search for
Mozilla, I find that Mozilla-1.7.12,2 is the latest (stable) version.

 


I guess my question is this.

How do I use the FreeBSD tools, Ports/Packages, etc, to install this latest
version??

Or am I missing the concept altogether ?

( I understand the process of downloading this latest version and installing
it manually. Just trying to understand and use the FreeBSD tools )

 


Thanks for any and all help,

Jim Wright

Columbus, Mississippi

28 Sep 2005



jim,

i recommend using portsnap instead of cvsup, especially if you update 
your ports tree often. then use portversion instead of pkg_version, it's 
much faster. and always and periodically run portaudit. you don't need 
your ports tree to be updated for portaudit to be effective, btw.


so based on what i said, here's a procedure to follow:

/usr/local/sbin/portsnap fetch
/usr/local/sbin/portsnap update
/usr/local/sbin/portversion -v -l 
/usr/local/sbin/portaudit -Fda

hope that helps.

regards,

martin

ps: regarding mozilla, if it's not packaged on freebsd's ftp server 
(that is pkg_add doesn't help), you've got to install it from ports 
(that is to compile it).




question about Portaudit and code freezes

2005-08-25 Thread Joe Auty

Hello,

How come xpdf is still showing up as a vulnerability, even though the  
latest portrevision was supposed to resolve these problems? Has the  
portaudit database not been updated because of the code freeze?







---
Joe Auty
NetMusician: helping musicians exploit new communication mediums
http://www.netmusician.org
[EMAIL PROTECTED]



Re: question about Portaudit and code freezes

2005-08-25 Thread Roland Smith
On Thu, Aug 25, 2005 at 03:23:11AM -0500, Joe Auty wrote:
 Hello,
 
 How come xpdf is still showing up as a vulnerability, even though the  
 latest portrevision was supposed to resolve these problems? Has the  
 portaudit database not been updated because of the code freeze?

Some other ports (like cups-base) incorporate part of the xpdf
code, so they will still show up as vulnerable. But I think that the
message shouldn't refer to xpdf. It's confusing.

Roland
-- 
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt




Re: question about Portaudit and code freezes

2005-08-25 Thread Joe Auty
Yes, everything is up-to-date... Still can't portinstall cups-base  
because of the problem with xpdf, and this problem still appears when I


portaudit -f /usr/ports/INDEX-5



On Aug 25, 2005, at 4:40 AM, Herbert J. Skuhra wrote:


On Thu, Aug 25, 2005 at 03:23:11AM -0500, Joe Auty wrote:


 Hello,

 How come xpdf is still showing up as a vulnerability, even though  
the

 latest portrevision was supposed to resolve these problems? Has the
 portaudit database not been updated because of the code freeze?



Is your ports-tree and your portaudit database up-to-date?

% portaudit -d -- Print the creation date of the database.
Database created: Thu 25 Aug 2005 11:10:20 CEST

% sudo portaudit -F-- Fetch the current database.

% pkg_version -v |grep xpdf
xpdf-3.00_7 =   up-to-date with port

% portaudit -a
0 problem(s) in your installed packages found.

Mvh
Herbert





Re: question about Portaudit and code freezes

2005-08-25 Thread Roland Smith
On Thu, Aug 25, 2005 at 12:29:10PM -0500, Joe Auty wrote:
 On Aug 25, 2005, at 11:12 AM, Roland Smith wrote:
 
 On Thu, Aug 25, 2005 at 03:23:11AM -0500, Joe Auty wrote:
 
 Hello,
 
 How come xpdf is still showing up as a vulnerability, even though the
 latest portrevision was supposed to resolve these problems? Has the
 portaudit database not been updated because of the code freeze?
 
 
 Some other ports (like cups-base) incorporate part of the xpdf
 code, so they will still show up as vulnerable. But I think that the
 message shouldn't refer to xpdf. It's confusing.
 
 Roland

(please, do not top-post) 
 Is Xpdf still listed in the portaudit database as being vulnerable  
 for you?

No, it isn't. I think you misunderstand. AFAIK, cups includes a copy of
(part of?) xpdf. Even if the original xpdf is fixed, cups-base won't be
until an equivalent fix is applied, or the fixed code is imported into
cups-base. 

 If so, I guess there is nothing I can do except wait... I was just  
 wondering if this has not been corrected because of the freeze?

Could be, but I guess such a safety-related fix would not be held
back. Maybe a fix hasn't been applied to cups yet.

Roland
-- 
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt




Re: question about Portaudit and code freezes

2005-08-25 Thread Joe Auty
Is Xpdf still listed in the portaudit database as being vulnerable  
for you?


portaudit -f /usr/ports/INDEX-5

If so, I guess there is nothing I can do except wait... I was just  
wondering if this has not been corrected because of the freeze?



On Aug 25, 2005, at 11:12 AM, Roland Smith wrote:


On Thu, Aug 25, 2005 at 03:23:11AM -0500, Joe Auty wrote:


Hello,

How come xpdf is still showing up as a vulnerability, even though the
latest portrevision was supposed to resolve these problems? Has the
portaudit database not been updated because of the code freeze?



Some other ports (like cups-base) incorporate part of the xpdf
code, so they will still show up as vulnerable. But I think that the
message shouldn't refer to xpdf. It's confusing.

Roland
--
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as  
plain text.

public key: http://www.xs4all.nl/~rsmith/pubkey.txt





Re: portaudit is being stubborn

2005-05-22 Thread Chris
Good news about the wget-devel, I wasn't aware it had been updated
again; when this problem first occurred both versions of wget were
affected.

It appears in nightly security logs so can get annoying after a while.

Chris

On 5/21/05, Thomas Hurst [EMAIL PROTECTED] wrote:
 * Tony Shadwick ([EMAIL PROTECTED]) wrote:
 
  I'd like to see it done, but I know just enough sh scripting to be
  dangerous. ;)
 
  If it were perl I'd be all over it.   Any takers? :)
 
 Well, the relevant bit is actually written in awk :)
 
 The attached patch seems to do the trick.  Note portaudit_fixed is a
 regular expression, so if you want to list multiple entries, separate
 them with |
 
 --
 Thomas 'Freaky' Hurst
http://hur.st/
 
 



Re: portaudit is being stubborn

2005-05-21 Thread Thomas Hurst
* Chris ([EMAIL PROTECTED]) wrote:

 This annoys me as well, I expect portaudit to alert me when an update
 is available to fix an exploit, but wget has no update so what is the
 point of the warning, there also seems to be no way to shut it up.

portaudit_fixed is only for OS bugs (i.e. associated with
kern.osreldate).  portaudit is just a shell script; if it bothers you
that much, submit a patch to make it work for port problems too, or
send-pr :)

Looks like a case of moving the if (fixedre && $2 ~ fixedre) next line
outside the $1 ~ /^FreeBSD[=!]/ { section around line 140, or
something to that effect.

-- 
Thomas 'Freaky' Hurst
http://hur.st/
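The suppression behaviour discussed in the message above, as an added example that is neither portaudit's code nor part of the thread: it contrasts a `portaudit_fixed`-style regex honoured only for OS entries with one honoured for every entry, and adds a check that the value is a list of complete uuids so a fragment cannot silence unrelated entries. The function names, the `pattern|reference|description` layout and the version patterns are assumptions constructed for the example; the uuids are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: models how a portaudit_fixed-style regex suppresses entries.
# ASSUMPTION: the "pattern|reference|description" layout and the version
# patterns below are constructed for this example, not taken from portaudit.

sample_db() {
    cat <<'EOF'
# constructed sample entries
FreeBSD>=491000|http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html|multiple vulnerabilities in the cvs server code
wget<=1.8.2_7|http://www.FreeBSD.org/ports/portaudit/06f142ff-4df3-11d9-a9e7-0001020eed82.html|wget -- multiple vulnerabilities
kdelibs<=3.4.0_1|http://www.FreeBSD.org/ports/portaudit/06404241-b306-11d9-a788-0001020eed82.html|kdelibs -- kimgio input validation errors
EOF
}

# report MODE FIXEDRE
#   MODE "os-only": the regex is honoured only for FreeBSD (base system) entries.
#   MODE "all":     the regex is honoured for every entry, ports included.
# Prints the description of each entry that would still be reported.
report() {
    sample_db | awk -F'|' -v mode="$1" -v fixedre="$2" '
        /^(#|$)/ { next }                      # skip comments and blank lines
        {
            is_os = ($1 ~ /^FreeBSD[<=>!]/)
            # The match is unanchored: any substring of the reference field hits.
            if (fixedre != "" && $2 ~ fixedre && (mode == "all" || is_os)) next
            print $3
        }'
}

# valid_fixedre VALUE
#   Succeeds only when VALUE is one or more complete uuids joined by "|".
#   Rejects fragments and empty alternatives such as a trailing "|".
valid_fixedre() {
    u='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
    printf '%s\n' "$1" | grep -Eq "^${u}(\|${u})*\$"
}

# Demonstration on the constructed entries.
wget_uuid='06f142ff-4df3-11d9-a9e7-0001020eed82'

echo "regex honoured for OS entries only (wget still reported):"
report os-only "$wget_uuid"

echo "regex honoured for every entry (wget suppressed):"
report all "$wget_uuid"

echo "uuid fragment shared by two entries (both suppressed):"
report all '0001020eed82'

valid_fixedre '0001020eed82' || echo "rejected: not a list of complete uuids"
```

Running the validation before a cron job trusts the configured value keeps a shortened or mistyped uuid from hiding entries the administrator never reviewed.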


portaudit: recommended packages can't be installed

2005-05-21 Thread Robert S
I've just started playing around with FreeBSD.  One of my main
priorities of an OS is ease of upgrading.  If I run portaudit, I get a
list of insecure packages (here is an excerpt from the output):

Affected package: firefox-1.0.3,1
Type of problem: mozilla -- code execution via javascript: IconURL
vulnerability.
Reference: 
http://www.FreeBSD.org/ports/portaudit/eca6195a-c233-11d9-804c-02061b08fc24.html

Affected package: kdelibs-3.4.0_1
Type of problem: kdelibs -- kimgio input validation errors.
Reference: 
http://www.FreeBSD.org/ports/portaudit/06404241-b306-11d9-a788-0001020eed82.html

4 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
freebsd #

If I try to replace kdelibs with a binary package, or install it
through ports (after doing a cvsup), I still get version 3.4.0_1.

Are fixes not necessarily made available when security vulnerabilities
are found?

Also -- is there a similar utility to portaudit and freebsd-update,
that can be used on the base operating system (not through ports)?


Re: portaudit: recommended packages can't be installed

2005-05-21 Thread Kent Stewart
On Saturday 21 May 2005 06:29 am, Robert S wrote:
 I've just started playing around with FreeBSD.  One of my main
 priorities of an OS is ease of upgrading.  If I run portaudit, I get
 a list of insecure packages (here is an excerpt from the output):

 Affected package: firefox-1.0.3,1
 Type of problem: mozilla -- code execution via javascript: IconURL
 vulnerability.
 Reference:
 http://www.FreeBSD.org/ports/portaudit/eca6195a-c233-11d9-804c-02061b08fc24.html

 Affected package: kdelibs-3.4.0_1
 Type of problem: kdelibs -- kimgio input validation errors.
 Reference:
 http://www.FreeBSD.org/ports/portaudit/06404241-b306-11d9-a788-0001020eed82.html

 4 problem(s) in your installed packages found.

 You are advised to update or deinstall the affected package(s)
 immediately. freebsd #

 If I try to replace kdelibs with a binary package, or install it
 through ports (after doing a cvsup), I still get version 3.4.0_1.

You are doing something fundamentally wrong. The 
latest /usr/ports/INDEX[-5] shows a kdelibs-3.4.0_4.  

How did you cvsup and did you update the INDEX files?

Kent

 Are fixes not necessarily made available when security
 vulnerabilities are found?

 Also -- is there a similar utility to portaudit and freebsd-update,
 that can be used on the base operating system (not through ports)?

-- 
Kent Stewart
Richland, WA

http://users.owt.com/kstewart/index.html


Re: portaudit is being stubborn

2005-05-21 Thread Tony Shadwick
I'd like to see it done, but I know just enough sh scripting to be 
dangerous. ;)


If it were perl I'd be all over it.   Any takers? :)

On Sat, 21 May 2005, Thomas Hurst wrote:


* Chris ([EMAIL PROTECTED]) wrote:


This annoys me as well, I expect portaudit to alert me when an update
is available to fix an exploit, but wget has no update so what is the
point of the warning, there also seems to be no way to shut it up.


portaudit_fixed is only for OS bugs (i.e. associated with
kern.osreldate).  portaudit is just a shell script; if it bothers you
that much, submit a patch to make it work for port problems too, or
send-pr :)

Looks like a case of moving the if (fixedre && $2 ~ fixedre) next line
outside the $1 ~ /^FreeBSD[=!]/ { section around line 140, or
something to that effect.

--
Thomas 'Freaky' Hurst
   http://hur.st/




Re: portaudit: recommended packages can't be installed

2005-05-21 Thread Kris Kennaway
On Sat, May 21, 2005 at 01:29:11PM +, Robert S wrote:
 I've just started playing around with FreeBSD.  One of my main
 priorities of an OS is ease of upgrading.  If I run portaudit, I get a
 list of insecure packages (here is an excerpt from the output):
 
 Affected package: firefox-1.0.3,1
 Type of problem: mozilla -- code execution via javascript: IconURL
 vulnerability.
 Reference: 
 http://www.FreeBSD.org/ports/portaudit/eca6195a-c233-11d9-804c-02061b08fc24.html
 
 Affected package: kdelibs-3.4.0_1
 Type of problem: kdelibs -- kimgio input validation errors.
 Reference: 
 http://www.FreeBSD.org/ports/portaudit/06404241-b306-11d9-a788-0001020eed82.html
 
 4 problem(s) in your installed packages found.
 
 You are advised to update or deinstall the affected package(s) immediately.
 freebsd #
 
 If I try to replace kdelibs with a binary package, or install it
 through ports (after doing a cvsup), I still get version 3.4.0_1.
 
 Are fixes not necessarily made available when security vulnerabilities
 are found?

Not instantly, of course..and in some cases they are not fixed for a
long time.  The third party software in the ports collection is
maintained to different standards depending on the project.  If you
have questions, you should contact those third party developers.

 Also -- is there a similar utility to portaudit and freebsd-update,
 that can be used on the base operating system (not through ports)?

freebsd update works on the base system.

Kris



Re: portaudit is being stubborn

2005-05-21 Thread Thomas Hurst
* Tony Shadwick ([EMAIL PROTECTED]) wrote:

 I'd like to see it done, but I know just enough sh scripting to be 
 dangerous. ;)
 
 If it were perl I'd be all over it.   Any takers? :)

Well, the relevant bit is actually written in awk :)

The attached patch seems to do the trick.  Note portaudit_fixed is a
regular expression, so if you want to list multiple entries, separate
them with |

-- 
Thomas 'Freaky' Hurst
http://hur.st/
--- portaudit.old   Mon Sep  6 20:18:55 2004
+++ portaudit   Sat May 21 20:18:21 2005
@@ -136,8 +136,8 @@
BEGIN { vul=0; fixedre='$fixedre' }
/^(#|\$)/ { next }
$2 !~ /'$opt_restrict'/ { next }
+   { if (fixedre  $2 ~ fixedre) next }
$1 ~ /^FreeBSD[=!]/ {
-   if (fixedre  $2 ~ fixedre) next
if (!system('$pkg_version' -T 
\FreeBSD-'$osversion'\ \ $1 \)) {
print_affected(FreeBSD-'$osversion', \
To disable this check add the uuid to 
\`portaudit_fixed''' in /usr/local/etc/portaudit.conf)
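Review bot: the hint "To disable this check add the uuid to `portaudit_fixed'" is still emitted only by the print_affected call inside the `$1 ~ /^FreeBSD[=!]/` block, while the relocated `fixedre` test above that block now skips any entry whose second field matches, so port entries gain a suppression that nothing in the output tells the user about; emit the same hint for port entries or document the wider scope next to the variable in portaudit.conf. Because `$2 ~ fixedre` is an unanchored regex match, a shortened uuid or a stray `|` in a multi-entry value can skip more entries than the administrator reviewed, so it is worth validating the value as a list of complete uuids before it reaches awk. As a style point, the bare `{ if (...) next }` action would read more like its neighbours as a pattern-action rule with the condition as the pattern.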


Re: portaudit: recommended packages can't be installed

2005-05-21 Thread Svein Halvor Halvorsen

* Robert S [2005-05-21 13:29 -]
  Are fixes not necessarily made available when security vulnerabilities
  are found?

No, fixes are not *necessarily* made available, although they most often 
are. As Kent pointed out, your specific problem should long be fixed. See 
the thread about portaudit and wget from just the other day, and you will 
realize that fixes are not necessarily being committed once a security flaw 
has been found.


  Also -- is there a similar utility to portaudit and freebsd-update,
  that can be used on the base operating system (not through ports)?

Portaudit will report security issues with the base system as well, based 
on the kern.osreldate sysctl. 


Re: portaudit is being stubborn

2005-05-20 Thread Chris
This annoys me as well, I expect portaudit to alert me when an update
is available to fix an exploit, but wget has no update so what is the
point of the warning, there also seems to be no way to shut it up.

Chris

On 5/17/05, Tony Shadwick [EMAIL PROTECTED] wrote:
 This is driving me nuts.  I just downloaded the latest portaudit database
 and ran it on my system:
 
 mx02# portaudit -ad
 Database created: Tue May 17 13:40:02 CDT 2005
 Affected package: wget-1.8.2_7
 Type of problem: wget -- multiple vulnerabilities.
 Reference:
 http://www.FreeBSD.org/ports/portaudit/06f142ff-4df3-11d9-a9e7-0001020eed82.html
 
 1 problem(s) in your installed packages found.
 
 You are advised to update or deinstall the affected package(s)
 immediately.
 
 
 Okay...so, that vulnerability isn't of much concern to me, but just to be
 sure I'm current:
 
 mx02# portversion ftp/wget
 wget=
 
 So life is good there, so I go back and add this to my
 /usr/local/etc/portaudit.conf file:
 
 # Make portaudit ignore wget vulnerability (no shell users here anyway)
 portaudit_fixed=06f142ff-4df3-11d9-a9e7-0001020eed82
 
 
 I then re-ran portaudit...it gives me the same output. :(  I want to have
 this cron'ed where I only get output when something that actually concerns
 me comes up.  Is the portaudit_fixed variable no longer supported?
 
 Tony



Re: portaudit is being stubborn

2005-05-20 Thread Randy Pratt
On Fri, 20 May 2005 13:43:29 +0100
Chris [EMAIL PROTECTED] wrote:

 This annoys me as well, I expect portaudit to alert me when an update
 is available to fix an exploit, but wget has no update so what is the
 point of the warning, there also seems to be no way to shut it up.
 
 Chris
 
 On 5/17/05, Tony Shadwick [EMAIL PROTECTED] wrote:
  This is driving me nuts.  I just downloaded the latest portaudit database
  and ran it on my system:
  
  mx02# portaudit -ad
  Database created: Tue May 17 13:40:02 CDT 2005
  Affected package: wget-1.8.2_7
  Type of problem: wget -- multiple vulnerabilities.
  Reference:
  http://www.FreeBSD.org/ports/portaudit/06f142ff-4df3-11d9-a9e7-0001020eed82.html
  
  1 problem(s) in your installed packages found.
  
  You are advised to update or deinstall the affected package(s)
  immediately.
  
  
  Okay...so, that vulnerability isn't of much concern to me, but just to be
  sure I'm current:
  
  mx02# portversion ftp/wget
  wget=
  
  So life is good there, so I go back and add this to my
  /usr/local/etc/portaudit.conf file:
  
  # Make portaudit ignore wget vulnerability (no shell users here anyway)
  portaudit_fixed=06f142ff-4df3-11d9-a9e7-0001020eed82
  
  
  I then re-ran portaudit...it gives me the same output. :(  I want to have
  this cron'ed where I only get output when something that actually concerns
  me comes up.  Is the portaudit_fixed variable no longer supported?
  
  Tony

I think the ftp/wget-devel version has addressed the security
concerns.  I switched to ftp/wget-devel and portaudit doesn't show
any problems.  I've not noticed any differences in using that version.

I had a few other ports which depended on ftp/wget so I used
portupgrade to switch the dependencies to ftp/wget-devel:

portupgrade -o ftp/wget-devel ftp/wget

According to the portupgrade man page, all the dependencies on the
old package will be succeeded to the new package cleanly without
leaving inconsistencies.

There may be occasions when an update to a port which depended on
the old ftp/wget may cause pkgdb to complain about a stale dependency
on ftp/wget and you will need to repoint the dependency to the
ftp/wget-devel package.

If at some point the ftp/wget gets fixed, then it could be switched
back from ftp/wget-devel with portupgrade.

Randy

-- 


portaudit is being stubborn

2005-05-17 Thread Tony Shadwick
This is driving me nuts.  I just downloaded the latest portaudit database 
and ran it on my system:

mx02# portaudit -ad
Database created: Tue May 17 13:40:02 CDT 2005
Affected package: wget-1.8.2_7
Type of problem: wget -- multiple vulnerabilities.
Reference: 
http://www.FreeBSD.org/ports/portaudit/06f142ff-4df3-11d9-a9e7-0001020eed82.html

1 problem(s) in your installed packages found.
You are advised to update or deinstall the affected package(s) 
immediately.

Okay...so, that vulnerability isn't of much concern to me, but just to be 
sure I'm current:

mx02# portversion ftp/wget
wget=

So life is good there, so I go back and add this to my 
/usr/local/etc/portaudit.conf file:

# Make portaudit ignore wget vulnerability (no shell users here anyway)
portaudit_fixed=06f142ff-4df3-11d9-a9e7-0001020eed82

I then re-ran portaudit...it gives me the same output. :(  I want to have 
this cron'ed where I only get output when something that actually concerns 
me comes up.  Is the portaudit_fixed variable no longer supported?

Tony


portaudit question

2004-12-10 Thread Thomas S. Crum - AAA Web Solution, Inc.
Is there something that I am not updating that portaudit would like to see
done or is this just a generic warning. Either way, please provide
examples of what I might do to have it stop complaining. I can find no
examples googling the portaudit note below.

# Here's what I did.

Installed 4.10 from mini iso.
pkg_add -r cvsup-without-gui
cvsup -g -L 2 /root/standard-supfile #updated all source
compiled and installed kernel and world per handbook
cvsup -g -L 2 /root/ports-supfile #updated all ports
cd /usr/ports/security/portaudit
make install clean

# Here's what I get.

beta# /usr/local/sbin/portaudit -Fda
auditfile.tbz 100% of   15 kB   33 kBps
New database installed.
Database created: Fri Dec 10 08:40:32 EST 2004
Affected package: FreeBSD-491000
Type of problem: multiple vulnerabilities in the cvs server code.
Reference:
http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html
Note: To disable this check add the uuid to `portaudit_fixed' in
/usr/local/etc/portaudit.conf
0 problem(s) in your installed packages found.

# Here's what I did next.

man portaudit  no help
pkg_delete cvsup-without-gui-16.1h
cd /usr/ports/net/cvsup-without-gui
make install clean
/usr/local/sbin/portaudit -Fda  and get same output as above.

Best,

Thomas S. Crum




RE: portaudit question

2004-12-10 Thread Petersen
Thomas S. Crum wrote:
 Is there something that I am not updating that portaudit
 would like to see
 done or is this just a generic warning. Either way, please provide
 examples of what I might do to have it stop complaining. I
 can find no
 examples googling the portaudit note below.
 
 # Here's what I did.
 
snip
 
 # Here's what I get.
 
 beta# /usr/local/sbin/portaudit -Fda
 auditfile.tbz 100% of   15 kB   33 kBps
 New database installed.
 Database created: Fri Dec 10 08:40:32 EST 2004
 Affected package: FreeBSD-491000
^^

Portaudit is complaining that FreeBSD-491000 itself has a vulnerability.
Specifically within the cvs code as it tells you.

 Type of problem: multiple vulnerabilities in the cvs server code.
 Reference:
 http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html
 Note: To disable this check add the uuid to `portaudit_fixed' in
 /usr/local/etc/portaudit.conf
 0 problem(s) in your installed packages found.
 

As you can patch the system cvs without bumping the kernel version
number, portupgrade tells you that you can disable the check for this
uuid in portaudit.conf. This of course assumes you actually have patched
the cvs code in the base system (see the multiple security advisories
issued on the cvs vulnerabilities for details on how to patch them
manually, or upgrade to a more recent version/patchlevel of the 4.x
tree).

Petersen



Re: portaudit question

2004-12-10 Thread Kevin D. Kinsey, DaleCo, S.P.
Thomas S. Crum - AAA Web Solution, Inc. wrote:
Is there something that I am not updating that portaudit would like to see
done or is this just a generic warning. Either way, please provide
examples of what I might do to have it stop complaining. I can find no
examples googling the portaudit note below.
 

snip some very helpful stuff, thanks Thomas!
# Here's what I did next.
man portaudit  no help
pkg_delete cvsup-without-gui-16.1h
cd /usr/ports/net/cvsup-without-gui
make install clean
/usr/local/sbin/portaudit -Fda  and get same output as above.
Best,
Thomas S. Crum
 

You've gotten some good answers.  Please note
that cvs(1), which is in the base system, is not
the same thing as cvsup(1), which is a port/package.
They pretty much *do* the same thing (well, a
_similar_ thing), but they aren't the same, so
de/reinstalling cvsup-without-gui wouldn't make
any difference; it's not where the problem was
anyway :-)
Portaudit seems like it will be/is a great tool;
I would also recommend subscribing to the
security-advisories list --- it's not like it's high
volume, heh!* , but you'd have seen this info
(re: CVS multiple vulnerability Advisory) almost
3 months ago
Kevin Kinsey
*Just thinking, if M$ had such a list,
would the backbone drown? :-s\


Re: portaudit question

2004-12-10 Thread Joshua Lokken
On Fri, 10 Dec 2004 09:19:15 -0500, Thomas S. Crum - AAA Web Solution,
Inc. [EMAIL PROTECTED] wrote:
 Is there something that I am not updating that portaudit would like to see
 done or is this just a generic warning. Either way, please provide
 examples of what I might do to have it stop complaining.

[snip]

 Type of problem: multiple vulnerabilities in the cvs server code.
 Reference:
 http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html
 Note: To disable this check add the uuid to `portaudit_fixed' in
 /usr/local/etc/portaudit.conf
 0 problem(s) in your installed packages found.

I haven't used portaudit, but it appears from the message that
you can safely follow the instructions, which are to add the uuid
(I assume that means the long id number on the url) to the 
'portaudit-fixed' variable in /usr/local/etc/portaudit.conf  ;)
 
 # Here's what I did next.
 
 man portaudit  no help
 pkg_delete cvsup-without-gui-16.1h
 cd /usr/ports/net/cvsup-without-gui
 make install clean
 /usr/local/sbin/portaudit -Fda  and get same output as above.

Which wouldn't help; there does not appear to be a problem with
cvsup on your system, so reinstalling that wouldn't affect portaudit.
I suspect you were correct, that it's a 'generic' warning, and can
be worked around.  HTH,

-- 
Joshua Lokken
Open Source Advocate


Re: ports freeze and portaudit alerts

2004-10-12 Thread Dick Davies
* Jacques Vidrine [EMAIL PROTECTED] [1027 17:27]:
 
 On Oct 10, 2004, at 3:43 PM, Dick Davies wrote:
   Shouldn't serious bugs (like the JPEG vuln
 in firefox for example) to override the freeze?
 
 What JPEG vuln in firefox?

Sorry, that was from memory - I was thinking of the libpng hole
(which of course isn't firefox specific).

But I'm still seeing this:

s known vulnerabilities:
 mozilla -- scripting vulnerabilities.
   Reference: 
http://www.FreeBSD.org/ports/portaudit/b2e6d1d6-1339-11d9-bc4a-000c41e2cdad.html
 Please update your ports tree and try again.
*** Error code 1


--
What have you done to the cat? It looks half-dead. - Schroedinger's wife
Rasputin :: Jack of All Trades - Master of Nuns


Re: ports freeze and portaudit alerts

2004-10-12 Thread Jacques A. Vidrine
On Tue, Oct 12, 2004 at 10:34:18AM +0100, Dick Davies wrote:
 * Jacques Vidrine [EMAIL PROTECTED] [1027 17:27]:
  
  On Oct 10, 2004, at 3:43 PM, Dick Davies wrote:
Shouldn't serious bugs (like the JPEG vuln
  in firefox for example) to override the freeze?
  
  What JPEG vuln in firefox?
 
 Sorry, that was from memory - I was thinking of the libpng hole
 (which of course isn't firefox specific).
 
 But I'm still seeing this:
 
 s known vulnerabilities:
  mozilla -- scripting vulnerabilities.
Reference: 
 http://www.FreeBSD.org/ports/portaudit/b2e6d1d6-1339-11d9-bc4a-000c41e2cdad.html
  Please update your ports tree and try again.
 *** Error code 1

Yes, that's correct.

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
[EMAIL PROTECTED] / [EMAIL PROTECTED] / [EMAIL PROTECTED]


portaudit and base system

2004-09-10 Thread Andrea Venturoli
Some output:
bane# portaudit -F -a
auditfile.tbz 100% of9 kB   24 kBps
New database installed.
Affected package: FreeBSD-491000
Type of problem: multiple vulnerabilities in the cvs server code.
Reference: http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html
Note: To disable this check add the uuid to `portaudit_fixed' in /usr/local/etc/portaudit.conf
0 problem(s) in your installed packages found.
bane# uname -a
FreeBSD bane.ventu 4.10-RELEASE-p2 FreeBSD 4.10-RELEASE-p2 #4: Fri Jul  9 20:38:34 CEST 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/BANE  i386

I thought that bug had been corrected before 4.10-p2...
Where does portaudit get that 491000?
Same happens (mutatis mutandis) on 5.2.1 systems.
 bye  Thanks
av.




Portaudit question

2004-09-08 Thread Chris
While running portaudit, I get the complaint;
Affected package: FreeBSD-502010
Type of problem: multiple vulnerabilities in the cvs server code.
Reference: 
http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html
Note: To disable this check add the uuid to `portaudit_fixed' in 
/usr/local/etc/portaudit.conf

Am I to assume this is only if you run a cvs server? OR -
does this relate to the SA's put out earlier this year about the src.
--
Best regards,
Chris
Multiple-function gadgets will not perform any
function adequately.


Re: Portaudit question

2004-09-08 Thread Matthew Seaman
On Wed, Sep 08, 2004 at 10:01:23AM -0500, Chris wrote:
 While running portaudit, I get the complaint;
 
 Affected package: FreeBSD-502010
 Type of problem: multiple vulnerabilities in the cvs server code.
 Reference: 
 http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html
 Note: To disable this check add the uuid to `portaudit_fixed' in 
 /usr/local/etc/portaudit.conf
 
 Am I to assume this is only if you run a cvs server? OR -
 does this relate to the SA's put out earlier this year about the src.

Did you read the referenced portaudit page or any of the links
supplied by it?  There are several vulnerabilities, most of which
affect the CVS server, but one fairly minor that affects the CVS
client.

The FreeBSD advisory SA-04:07.cvs refers to a different problem:

http://www.vuxml.org/freebsd/0792e7a7-8e37-11d8-90d1-0020ed76ef5a.html
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc

As you can see, the VuXML entry you're getting warnings about is dated
a month after the security advisory:

http://www.vuxml.org/freebsd/d2102505-f03d-11d8-81b0-000347a4fa7d.html

However, the update given in the security advisory is to a version of
CVS unaffected by either vulnerability.  Update your system to the
latest patchlevel and the problem will be fixed.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re: Portaudit question

2004-09-08 Thread Chris
Matthew Seaman wrote:
On Wed, Sep 08, 2004 at 10:01:23AM -0500, Chris wrote:
While running portaudit, I get the complaint;
Affected package: FreeBSD-502010
Type of problem: multiple vulnerabilities in the cvs server code.
Reference: 
http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html
Note: To disable this check add the uuid to `portaudit_fixed' in 
/usr/local/etc/portaudit.conf

Am I to assume this is only if you run a cvs server? OR -
does this relate to the SA's put out earlier this year about the src.

Did you read the referenced portaudit page or any of the links
supplied by it?  There are several vulnerabilities, most of which
affect the CVS server, but one fairly minor that affects the CVS
client.
The FreeBSD advisory SA-04:07.cvs refers to a different problem:
http://www.vuxml.org/freebsd/0792e7a7-8e37-11d8-90d1-0020ed76ef5a.html
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc
As you can see, the VuXML entry you're getting warnings about is dated
a month after the security advisory:
http://www.vuxml.org/freebsd/d2102505-f03d-11d8-81b0-000347a4fa7d.html
However, the update given in the security advisory is to a version of
CVS unaffected by either vulnerability.  Update your system to the
latest patchlevel and the problem will be fixed.
This has been done, 5.2.1-RELEASE-p9
--
Best regards,
Chris
Working capital doesn't.


Re: Installing portaudit from ports

2004-05-06 Thread Matthew Seaman
On Wed, May 05, 2004 at 11:25:35PM -0400, R. M. Los wrote:

 Dependency error: this port wants the OpenSSL library from the FreeBSD
 base system. You can't build against it, while a newer
 version is installed by a port.
 Please deinstall the port or undefine WITH_OPENSSL_BASE.
 
  Since I obviously don't want to do the first option, how would I go
 about doing the 2nd option?  Where do you undefine WITH_OPENSSL_BASE??

It's undefined by default, but if you'd defined it you'd have put the
definition into /etc/make.conf or /usr/local/etc/pkgtools.conf 

WITH_OPENSSL_BASE is a flag for the security/openssl port which causes
that port to overwrite the SSL shlibs and applications in the base
system.  That's not something to do without due care and attention as
it can cause various problems.  If you need the openssl port (which
you probably don't as openssl is in the base system) think first of
installing it under /usr/local.

In this case, probably all you need to do is:

# pkg_delete security/openssl

then install portaudit, and then (if you're sure you need it)
re-install security/openssl.  Be warned: you might have to repeat that
whole rigmarole every time an upgrade to portaudit comes out.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Installing portaudit from ports

2004-05-05 Thread R. M. Los
Hi,
I'm trying to install portaudit from ports, but get this error:

Dependency error: this port wants the OpenSSL library from the FreeBSD
base system. You can't build against it, while a newer
version is installed by a port.
Please deinstall the port or undefine WITH_OPENSSL_BASE.

 Since I obviously don't want to do the first option, how would I go
about doing the 2nd option?  Where do you undefine WITH_OPENSSL_BASE??

Thanks,
-- 
Mr. R M Los - Information Security Consultant
Ralph (at) boundariez (dot) com




Re: portaudit

2004-04-14 Thread RJ45

hi,
actually I have many fetchaudit daily script running from previous days:

root1310  0.0  0.1  1088  536  ??  I 6Apr04   0:00.02 /bin/sh
/usr/local/etc/periodic/daily/330.fetchaudit
root   68392  0.0  0.1  1088  536  ??  I 7Apr04   0:00.02 /bin/sh
/usr/local/etc/periodic/daily/330.fetchaudit
root   75805  0.0  0.1  1088  536  ??  IFri03AM   0:00.02 /bin/sh
/usr/local/etc/periodic/daily/330.fetchaudit
root   30120  0.0  0.1  1088  536  ??  ISat03AM   0:00.02 /bin/sh
/usr/local/etc/periodic/daily/330.fetchaudit
root   84915  0.0  0.1  1088  536  ??  ISun03AM   0:00.02 /bin/sh
/usr/local/etc/periodic/daily/330.fetchaudit

looks like the traffic is due to this because I stopped the processes and
the traffic stopped as well...

thanks

Rick


On Tue, 13 Apr 2004, Ion-Mihai Tetcu wrote:

 On Tue, 13 Apr 2004 14:04:04 -0600 (MDT)
 RJ45 [EMAIL PROTECTED] wrote:
 
  
  Hello,
  I installed portaudit.
  Since I installed it I noticed there are always ESTABLISHED connections to
  some ftp servers:
  
  tcp4   0 20  venus.51739freebsd.utcluj.r.ftp
  ESTABLISHED
  tcp4   0 20  venus.49718gort.ludd.ltu.se.ftp
  ESTABLISHED
  tcp4   0  6  venus.49706www.freebsd.cz.ftp
  ESTABLISHED
  tcp4   0  6  venus.49688gort.ludd.ltu.se.ftp
  ESTABLISHED
  tcp4   0 20  venus.49682ftp.jpix.ad.jp.ftp
  ESTABLISHED
  
  and I noticed I have a constant traffic rate on my ADSL link of about
  20 Kb/sec inbound and 20 Kb/sec outbound, always day and night.
  is it normal?
 
 No. Edit /usr/local/etc/portaudit.conf and add something like:
 FETCH_BEFORE_ARGS=-vvv
 
 after that do a ps and kill -9 the fetchaudit (or portaudit) process.
 
 Watch your daily mail and send the output and the content of
 portaudit.conf.
 
 But I doubt the output traffic is portaudit's fault.
 
 -- 
 IOnut
 Unregistered ;) FreeBSD user
 
 



Re: portaudit

2004-04-14 Thread RJ45

this is the problem:

fetch: ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/eik/auditfile.tbz: Syntax error, command unrecognized

I have my mailbox full of errors like these over half gigs for each cron
report and this is generating traffic 

thanks

Rick


On Tue, 13 Apr 2004, Ion-Mihai Tetcu wrote:

 On Tue, 13 Apr 2004 14:04:04 -0600 (MDT)
 RJ45 [EMAIL PROTECTED] wrote:
 
  
  Hello,
  I installed portaudit.
  Since I installed it I noticed there are always ESTABLISHED connections to
  some ftp servers:
  
  tcp4   0 20  venus.51739freebsd.utcluj.r.ftp
  ESTABLISHED
  tcp4   0 20  venus.49718gort.ludd.ltu.se.ftp
  ESTABLISHED
  tcp4   0  6  venus.49706www.freebsd.cz.ftp
  ESTABLISHED
  tcp4   0  6  venus.49688gort.ludd.ltu.se.ftp
  ESTABLISHED
  tcp4   0 20  venus.49682ftp.jpix.ad.jp.ftp
  ESTABLISHED
  
  and I noticed I have a constant traffic rate on my ADSL link of about
  20 Kb/sec inbound and 20 Kb/sec outbound, always day and night.
  is it normal?
 
 No. Edit /usr/local/etc/portaudit.conf and add something like:
 FETCH_BEFORE_ARGS=-vvv
 
 after that do a ps and kill -9 the fetchaudit (or portaudit) process.
 
 Watch your daily mail and send the output and the content of
 portaudit.conf.
 
 But I doubt the output traffic is portaudit's fault.
 
 -- 
 IOnut
 Unregistered ;) FreeBSD user
 
 



Re: portaudit

2004-04-14 Thread Ion-Mihai Tetcu
On Wed, 14 Apr 2004 12:30:58 -0600 (MDT)
RJ45 [EMAIL PROTECTED] wrote:

 
 this is the problem:
 
 fetch: ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/eik/auditfile.tbz: Syntax error, command unrecognized
 
 I have my mailbox full of errors like these, over half a gig for each cron
 report, and this is generating traffic

See my other mail. Give what I asked for. I cannot guess what is
happening.

Give the output of:
# portaudit -Vd && env FETCH_CMD='fetch -vvvp' portaudit -F -d



 
 thanks
 
 Rick
 

-- 
IOnut
Unregistered ;) FreeBSD user



portaudit

2004-04-13 Thread RJ45

Hello,
I installed portaudit.
Since I installed it I noticed there are always ESTABLISHED connections to
some ftp servers:

tcp4   0 20  venus.51739  freebsd.utcluj.r.ftp  ESTABLISHED
tcp4   0 20  venus.49718  gort.ludd.ltu.se.ftp  ESTABLISHED
tcp4   0  6  venus.49706  www.freebsd.cz.ftp  ESTABLISHED
tcp4   0  6  venus.49688  gort.ludd.ltu.se.ftp  ESTABLISHED
tcp4   0 20  venus.49682  ftp.jpix.ad.jp.ftp  ESTABLISHED

and I noticed I have a constant traffic rate on my ADSL link of about
20 Kb/sec inbound and 20 Kb/sec outbound, always day and night.
is it normal?

thank you

Rick




Re: portaudit

2004-04-13 Thread Ion-Mihai Tetcu
On Tue, 13 Apr 2004 14:04:04 -0600 (MDT)
RJ45 [EMAIL PROTECTED] wrote:

 
 Hello,
 I installed portaudit.
 Since I installed it I noticed there are always ESTABLISHED connections to
 some ftp servers:
 
 tcp4   0 20  venus.51739  freebsd.utcluj.r.ftp  ESTABLISHED
 tcp4   0 20  venus.49718  gort.ludd.ltu.se.ftp  ESTABLISHED
 tcp4   0  6  venus.49706  www.freebsd.cz.ftp  ESTABLISHED
 tcp4   0  6  venus.49688  gort.ludd.ltu.se.ftp  ESTABLISHED
 tcp4   0 20  venus.49682  ftp.jpix.ad.jp.ftp  ESTABLISHED
 
 and I noticed I have a constant traffic rate on my ADSL link of about
 20 Kb/sec inbound and 20 Kb/sec outbound, always day and night.
 is it normal?

No. Edit /usr/local/etc/portaudit.conf and add something like:
FETCH_BEFORE_ARGS=-vvv

after that do a ps and kill -9 the fetchaudit (or portaudit) process.

Watch your daily mail and send the output and the content of
portaudit.conf.

But I doubt the output traffic is portaudit's fault.

-- 
IOnut
Unregistered ;) FreeBSD user

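
A check for the symptom reported in this thread, as an added example that is not part of the original messages: it summarises ESTABLISHED FTP control connections per remote server from netstat output, so piled-up fetch runs show as a count above one. The function names (`sample_netstat`, `ftp_conns`, `ftp_conn_total`) are hypothetical, and the sample input is constructed from the listing quoted above plus two made-up rows.

```shell
#!/bin/sh
# Added example (not from the thread): summarise ESTABLISHED FTP control
# connections per remote server from `netstat -f inet` output.

# Constructed sample in netstat's column layout. The first five rows mirror
# the listing quoted in the thread; the last two are made up as negatives.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q  Local Address   Foreign Address        (state)
tcp4       0     20  venus.51739     freebsd.utcluj.r.ftp   ESTABLISHED
tcp4       0     20  venus.49718     gort.ludd.ltu.se.ftp   ESTABLISHED
tcp4       0      6  venus.49706     www.freebsd.cz.ftp     ESTABLISHED
tcp4       0      6  venus.49688     gort.ludd.ltu.se.ftp   ESTABLISHED
tcp4       0     20  venus.49682     ftp.jpix.ad.jp.ftp     ESTABLISHED
tcp4       0      0  venus.ssh       10.0.0.5.50211         ESTABLISHED
tcp4       0      0  venus.49650     mirror.example.ftp     TIME_WAIT
EOF
}

# Print "connections send-q-total host" per FTP server, busiest first.
# Matches the service name (.ftp) and the numeric form (.21) from netstat -n.
ftp_conns() {
    awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" && $5 ~ /\.(ftp|21)$/ {
             host = $5
             sub(/\.(ftp|21)$/, "", host)
             count[host]++
             sendq[host] += $3
         }
         END { for (h in count) print count[h], sendq[h], h }' |
        sort -k1,1nr -k3,3
}

# Total number of ESTABLISHED FTP control connections.
ftp_conn_total() {
    ftp_conns | awk '{ total += $1 } END { print total + 0 }'
}

# One portaudit database fetch needs one control connection; more than that,
# or repeats to the same mirror, points at fetch runs that never exited.
# On the affected host: netstat -f inet | ftp_conns
sample_netstat | ftp_conns
```

On FreeBSD, `sockstat -4 -c` shows which process owns each of the connections this reports.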