Displaying 20 results from an estimated 35 matches for "portaudit".
2005 Nov 06
2
What happened with portaudit?
Hello,
One of my machines I got a report about 3 vulnerable packages (php4,
ruby, openssl) in tomorrows security run output, but in today's security
run output all of them disappeared, but nobody upgraded or removed the
affected packages. I reinstalled portaudit, refreshed its database, but
now it reports 0 affected packages. The pkg_info command lists that three
packages, so they are still installed. Does anybody suspect what's wrong?
Cheers,
Gabor Kovesdan
2004 Mar 29
1
cvs commit: ports/multimedia/xine Makefile
...in the official FreeBSD vulnerability database.
>
> The vulnerability database is meant to be comprehensive and
> informational. It is not a policy document.
I guess it is supposed to be processed by automated tools? It needs a
clearly defined policy, an informal document is useless for portaudit.
>>>I'd prefer to reserve FORBIDDEN for those cases where the ports
>>>present some danger. Those who want a more strict policy can use
>>>portaudit or similar, right?
>>
>>I guess we have to add a severity tag then, to enable `soft'
>>vulnerab...
2004 Mar 16
3
portaudit
Any reason why portaudit and its associated infrastructure was not announced to
this list or security-notifications? I recently discovered it, and discovered
the feature was added to bsd.port.mk in the beginning of February. Seeing as
the security officer apparently (without announcement) no longer issues
security notice...
2005 Sep 07
2
Problem with portaudit's database
Hello!
Yesterday portaudit notified me about squid's vulnerability, but today it
didn't (despite I haven't upgraded squid). This has attracted my attention,
so I've compared yesterday's and today's auditfile.tbz:
-r--r--r-- 1 root wheel 29875 Sep 6 15:40 auditfile.tbz
vs.
-r--r--r-- 1 root w...
2007 Dec 18
1
Portaudit database truncated?
December 18, 2007
Dear Madam, dear Sir,
the portaudit database is very small:
>portaudit -F
auditfile.tbz 100% of 5688 B 9737 Bps
New database installed.
>
In addition, portaudit does not complain about what it did
complain a few days ago. It seems to me that the database
is truncated.
By the way: How do I post to a mail...
2004 Jun 13
0
FYI: new port security/portaudit-db
Dear porters and port users,
I've added a new port security/portaudit-db that complements
security/portaudit for users
that have a current ports tree and want to generate the portaudit
database themselves,
possibly distributing it over their local network. This will save you
the traffic downloading
information that is already on your local machine and avoid the la...
2013 Jul 03
1
curl and CVE-2013-2174
Dear members,
It may sound a silly question. I have curl installed:
# pkg_info |grep curl
curl-7.24.0_3 Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
Today portsnap updated the ftp/curl port, and patch-CVE-2013-2174 appeared
in files/, but the port version remained such that portaudit, and
portupgrade still complain about curl's version. What is the recommended
way to upgrade the package?
# portupgrade curl-7.24.0_3
---> Upgrading 'curl-7.24.0_3' to 'curl-7.24.0_4' (ftp/curl)
---> Building '/usr/ports/ftp/curl'
===> Cleaning for curl-7....
2005 Jul 30
1
ports/84312: security/portaudit doesn't report about all security bugs
Old Synopsis: portaudit doesn't report about all security bugs
New Synopsis: security/portaudit doesn't report about all security bugs
Responsible-Changed-From-To: freebsd-ports-bugs->freebsd-security
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Jul 29 21:37:38 GMT 2005
Responsible-Changed-Why...
2004 May 16
1
Way to ignore portaudit results?
...mysql40-client port currently reports a security
problem when I try to install it:
neely:/usr/ports/databases/mysql40-client$ make
===> mysql-client-4.0.18_1 has known vulnerabilities:
>> MySQL insecure temporary file creation (mysqlbug).
Reference:
<http://people.freebsd.org/~eik/portaudit/2e129846-8fbb-11d8-8b29-0020ed76ef5a.html>
>> Please update your ports tree and try again.
This is a minor problem affecting only the 'mysqlbug'
script, not core mysql client functionality. We may
not see a fix in the MySQL distribution until 4.0.19.
Is there a way to force inst...
2005 Aug 28
1
Acroread7 security vulnerability
Hi!
cc'd to freebsd-security@ as somebody there may correct me,
cc'd to secteam@ as maintainer of security/portaudit.
On Sun, 28 Aug 2005 10:14:21 +0930 Ian Moore wrote:
> I've just updated my acroread port to 7.0.1 & was surprised when portaudit
> still listed it as a vulnerability.
I think it is portaudit problem.
> According to http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/85093, the...
2004 May 03
1
Bad VuXML check on PNG port ?
...has been corrected by ache@FreeBSD.org yesterday.
But when I try to install the updated port to replace
the vulnerable one this is what I am told:
# make install
===> png-1.2.5_4 has known vulnerabilities:
>> libpng denial-of-service.
Reference:
<http://people.freebsd.org/~eik/portaudit/3a408f6f-9c52-11d8-9366-0020ed76ef5a.html>
>> Please update your ports tree and try again.
*** Error code 1
The 4-STABLE ports tree is up-to-date.
Isn't it a problem to be unable to update a vulnerable port ?
--
Best regards,
Artur Pydo.
2006 Apr 10
1
[RFC] Ideas and Questions in security updates ( portaudit, freebsd-update)
...ith jails and critical applications like
administrative ldap and high webservers.
Correcting issues in a large environment is a torment, and results in full
downtime. What is the recommendation for security updates in a large environment
with jails?
About Ports security issues, one idea is to integrate portaudit and
portupgrade or create another tool for updating ports;
this idea is based on Gentoo glsa-check
( http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=14
)
Thanks for your attention and sorry for my bad English.
Ricardo A. Reis
UNIFESP
Unix and Network Admin
____________...
2004 Sep 14
1
multiple vulnerabilities in the cvs server code
Hello!
Port security/portaudit reports the following problem:
Affected package: FreeBSD-491000
Type of problem: multiple vulnerabilities in the cvs server code.
Reference:
<http://www.FreeBSD.org/ports/portaudit/d2102505-f03d-11d8-81b0-000347a4fa7d.html>
Note: To disable this check add the uuid to `portaudit_fixed' i...
2007 Nov 12
11
Various FreeBSD bits...
...vider? I've got a
"portinstall" macro that encompasses make, portinstall, and pkg_add...
but am still grappling with but I'm getting hung up on how to write a
'postinstall' script that executes a (set of)? command(s)?, but only
does this once. portaudit being my guinea pig. I'm still using
periodic (though it's feeling pretty outmoded at this point in time)
and am using a definition like:
class package-portaudit {
# package { portaudit: ensure => present, provider => freebsd }
portinstall {
portaudit:...
2004 Dec 27
4
Found security exploit in port phpBB 2.0.8 FreeBSD4.10
I think, there is a neat exploit in the phpbb2.0.8 because I found my home
page defaced one dark morning. The patch for phpBB is here.
http://www.phpbb.com/downloads.php
The excerpt of the log is attached.
I believe the link to the described exploit is here.
http://secunia.com/advisories/13239
The defacement braggen page is here filter to show the exploited FreeBSD
machines that aneurysm.inc
2006 Oct 10
0
cvs commit: ports/multimedia/win32-codecs Makefile distinfo pkg-plist
.../win32-codecs Makefile distinfo pkg-plist
> Log:
> - Add the REALPLAYER and QUICKTIME(off) OPTIONS. If QUICKTIME OPTION is off,
> this port could install without problem of vulnerabilities.
> - Bump PORTREVISION
> - Other few modifications
Thanks, that's great, however portaudit's vulnerabilities database still
lists the port as vulnerable:
http://www.FreeBSD.org/ports/portaudit/24f6b1eb-43d5-11db-81e1-000e0c2e438a.html
Affects:
* win32-codecs >0
I wonder whether it's possible to list the port there conditionally (e.g. only
if QUICKTIME option is 'o...
2004 Apr 19
0
VuXML and FreeBSD
...<URL:http://www.vuxml.org/freebsd/rss.xml>, allowing one to keep
informed using an RSS reader such as Straw.
Some tools that use VuXML are available in the FreeBSD Ports
Collection. `vxquery' (ports/security/vxquery) is a simple command
line tool that parses the VuXML document directly. `portaudit'
(ports/security/portaudit) uses a `distilled' version of the FreeBSD
VuXML document to report which of your installed ports may be affected
by security issues, as well as providing additional warnings when
attempting to install ports.
A mailing list has been established for the discussion...
2013 Mar 09
1
lang/ruby19: ruby-1.9.3.392,1 is vulnerable: ** [check-vulnerable] Error code 1
...o not find the "knob" to switch it off.
Can someone give a hint, please?
Regards,
Oliver
===> Cleaning for ruby-1.9.3.392,1
===> ruby-1.9.3.392,1 has known vulnerabilities:
ruby-1.9.3.392,1 is vulnerable:
Ruby -- XSS exploit of RDoc documentation generated by rdoc
WWW: http://portaudit.FreeBSD.org/d3e96508-056b-4259-88ad-50dc8d1978a6.html
ruby-1.9.3.392,1 is vulnerable:
Ruby -- Denial of Service and Unsafe Object Creation Vulnerability in JSON
WWW: http://portaudit.FreeBSD.org/c79eb109-a754-45d7-b552-a42099eb2265.html
=> Please update your ports tree and try again.
*** [chec...
2010 Sep 10
0
Custom package provider -- not stored locally?
...insync --server example.net
I got the following output:
notice: /File[/var/puppet/lib/puppet/provider/portupgradepp.rb]/
content: content changed '{md5}b0a26e0cf8d707e2d1e391e60a11c5f7' to
'{md5}7d9343154d1279da4b662068c24301f4'
notice: /Stage[main]/Test/Package[portaudit]/ensure: created
notice: /Stage[main]/Test/Package[ruby]/ensure: created
notice: Finished catalog run in 6.02 seconds
I reran the command, and got the following output:
err: Could not run Puppet configuration client: Parameter provider
failed: Invalid package provider 'portupgradepp'...
2006 Jul 28
2
Ruby vulnerability?
Hi,
FYI, Red Hat released an advisory today about a vulnerability in Ruby. So
far it doesn't appear in the VuXML, but am I correct in presuming it will
soon?
https://rhn.redhat.com/errata/RHSA-2006-0604.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3694
cheers,
-- Joel Hatton --
Infrastructure Manager | Hotline: +61 7 3365 4417
AusCERT - Australia's national