-
George Katsanos #1
Portupgrading - portauditing
Hello,
Your team is ALWAYS very helpful. It's the best support I've ever dealt with.
Question: How do I portupgrade just the pkgs/ports that portaudit -a says
have vulnerabilities, and not the whole thing?
Thank you
G.K.
George Katsanos Guest
-
Chris #2
Re: Portupgrading - portauditing
George Katsanos wrote:
>
> Hello,
>
> Your team is ALWAYS very helpful. It's the best support I've ever dealt with.
>
> Question: How do I portupgrade just the pkgs/ports that portaudit -a says
> have vulnerabilities, and not the whole thing?
>
> Thank you
>
>
> G.K.
As someone pointed out, IE: portupgrade -rR firefox
--
Best regards,
Chris
If two wrongs don't make a right, try three.
Chris Guest
-
Chris Hodgins #3
Re: Portupgrading - portauditing
George Katsanos wrote:
> Hello,
>
> Your team is ALWAYS very helpful. It's the best support I've ever dealt with.
>
> Question: How do I portupgrade just the pkgs/ports that portaudit -a says
> have vulnerabilities, and not the whole thing?
>
> Thank you
>
>
> G.K.
Are you after a way to do this automatically or just a way to do it
generally?
You basically want to run portaudit -a and portupgrade each "Affected
Package". You could probably script this quite easily:
# FLAGS holds the portupgrade options to use, e.g. FLAGS="-rR"
for i in `portaudit -a | grep "Affected package:" | awk '{print $3}'`
do
    portupgrade $FLAGS "$i"
done
Hope this is what you were after. :)
Chris
Chris Hodgins Guest
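A variant of the loop in the post above, as an added example that is not part of the original thread: it lists each flagged package only once (the same package can appear under several advisories) and by default prints the portupgrade commands instead of running them. The sample output, the function names and the DRY_RUN variable are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: one portupgrade per flagged package.

# Constructed stand-in for `portaudit -a` output (not captured from a host).
# firefox is listed twice, as happens when two advisories match one package.
sample_audit() {
cat <<'EOF'
Affected package: firefox-1.0_7,1
Type of problem: firefox -- constructed advisory A.
Reference: <constructed-placeholder-1>

Affected package: firefox-1.0_7,1
Type of problem: firefox -- constructed advisory B.
Reference: <constructed-placeholder-2>

Affected package: png-1.2.8
Type of problem: png -- constructed advisory C.
Reference: <constructed-placeholder-3>

3 problem(s) in your installed packages found.
EOF
}

# Read portaudit output on stdin; print each affected package name once,
# in first-seen order.
affected_packages() {
    awk '/^Affected package: / { if (!seen[$3]++) print $3 }'
}

# Read portaudit output on stdin and handle each affected package once.
# DRY_RUN defaults to 1 (print the commands); FLAGS defaults to -rR.
upgrade_affected() {
    affected_packages | while read -r pkg; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "portupgrade ${FLAGS:--rR} $pkg"
        else
            # </dev/null stops portupgrade from consuming the package list
            # that the loop is reading from the pipe.
            portupgrade ${FLAGS:--rR} "$pkg" </dev/null ||
                echo "upgrade failed: $pkg" >&2
        fi
    done
}

# On a real host: portaudit -a | DRY_RUN=0 upgrade_affected
```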
-
Louis LeBlanc #4
Re: Portupgrading - portauditing
I wouldn't bother trying it like straight out if you're trying to get
the Firefox update. It still lists firefox as a vulnerability for
some reason. I had 1.7.5_1,2, which is the version it listed, but it
wouldn't let me upgrade to 1.0.1,1. I even tried listing the
vulnerability listed in portaudit.conf, but no change.
I finally gave up and deleted the db at
/var/db/portaudit/auditfile.tbz and then did the upgrade.
It still flags firefox as a vulnerability, even though the problem it
references is supposed to be explicitly fixed in the version I have
installed (window injection vulnerability).
Of course, you can use the method described by another poster to get that
list, but I haven't been able to get portaudit to actually let me
upgrade. Even the portupgrade -f flag won't work and simply building
the port manually is also disabled for flagged ports.
Portaudit seems more a hard lockdown than a warning system. I think
either I am not understanding how to manage it yet, or it has a couple
issues that have not been hammered out yet. Manpages don't have much
detail about this issue. I haven't had a chance to check on the
existence of a bug report yet, because I want to hunt down all the
docs I can first.
Not that I don't think it's a great security tool! :)
Lou
On 02/26/05 04:42 PM, George Katsanos sat at the `puter and typed:
>
> Hello,
>
> Your team is ALWAYS very helpful. It's the best support I've ever dealt with.
>
> Question: How do I portupgrade just the pkgs/ports that portaudit -a says
> have vulnerabilities, and not the whole thing?
>
> Thank you
>
>
> G.K.
Louis LeBlanc FreeBSD-at-keyslapper-DOT-net
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
Please send off-list email to: leblanc at keyslapper d.t net
Key fingerprint = C5E7 4762 F071 CE3B ED51 4FB8 AF85 A2FE 80C8 D9A2
Too much is just enough.
-- Mark Twain, on whiskey
Louis LeBlanc Guest
-
Nick Pavlica #5
Re: Portupgrading - portauditing
I believe if you do a portupgrade -arR you will also upgrade any dependent ports.
On Sat, 26 Feb 2005 15:28:31 +0000, Chris Hodgins
<chodgins@cis.strath.ac.uk> wrote:
> George Katsanos wrote:
> >
> > Hello,
> >
> > Your team is ALWAYS very helpful. It's the best support I've ever dealt with.
> >
> > Question: How do I portupgrade just the pkgs/ports that portaudit -a says
> > have vulnerabilities, and not the whole thing?
> >
> > Thank you
> >
> >
> > G.K.
> Are you after a way to do this automatically or just a way to do it
> generally?
>
> You basically want to run portaudit -a and portupgrade each "Affected
> Package". You could probably script this quite easily:
>
> for i in `portaudit -a | grep "Affected package:" | awk '{print $3}'`
> do
> portupgrade $FLAGS $i
> done
>
> Hope this is what you were after. :)
> Chris
>
Nick Pavlica Guest
-
epilogue #6
Re: Portupgrading - portauditing
> I finally gave up and deleted the db at
> /var/db/portaudit/auditfile.tbz and then did the upgrade.
>
> It still flags firefox as a vulnerability, even though the problem it
> references is supposed to be explicitly fixed in the version I have
> installed (window injection vulnerability).
>
> Of course, you can use the method described by another poster to get that
> list, but I haven't been able to get portaudit to actually let me
> upgrade. Even the portupgrade -f flag won't work and simply building
> the port manually is also disabled for flagged ports.
>
> Portaudit seems more a hard lockdown than a warning system. I think
> either I am not understanding how to manage it yet, or it has a couple
> issues that have not been hammered out yet. Manpages don't have much
> detail about this issue. I haven't had a chance to check on the
> existence of a bug report yet, because I want to hunt down all the
> docs I can first.
no need to fiddle with portaudit, as these can be fed directly to make
or to portupgrade (with the -m flag).
building ports despite vulnerabilities:
-DDISABLE_VULNERABILITIES
building ports despite ignore:
-DNO_IGNORE
to my knowledge, these are not yet documented anywhere but here in the
mailing lists. i believe that the doc project is already looking to
integrate this info into the ports manpage (or somewhere else equally
sensible).
on the off chance that they lost sight of this target, i'm adding them
to cc. (: thank you docs team :)
hth.
cheers,
epi
epilogue Guest
-
Louis LeBlanc #7
Re: Portupgrading - portauditing
On 02/26/05 03:25 PM, epilogue sat at the `puter and typed:
> > I finally gave up and deleted the db at
> > /var/db/portaudit/auditfile.tbz and then did the upgrade.
> >
> > It still flags firefox as a vulnerability, even though the problem it
> > references is supposed to be explicitly fixed in the version I have
> > installed (window injection vulnerability).
> >
> > Of course, you can use the method described by another poster to get that
> > list, but I haven't been able to get portaudit to actually let me
> > upgrade. Even the portupgrade -f flag won't work and simply building
> > the port manually is also disabled for flagged ports.
> >
> > Portaudit seems more a hard lockdown than a warning system. I think
> > either I am not understanding how to manage it yet, or it has a couple
> > issues that have not been hammered out yet. Manpages don't have much
> > detail about this issue. I haven't had a chance to check on the
> > existence of a bug report yet, because I want to hunt down all the
> > docs I can first.
> no need to fiddle with portaudit, as these can be fed directly to make
> or to portupgrade (with the -m flag).
>
> building ports despite vulnerabilities:
> -DDISABLE_VULNERABILITIES
>
> building ports despite ignore:
> -DNO_IGNORE
>
> to my knowledge, these are not yet documented anywhere but here in the
> mailing lists. i believe that the doc project is already looking to
> integrate this info into the ports manpage (or somewhere else equally
> sensible).
>
> on the off chance that they lost sight of this target, i'm adding them
> to cc. (: thank you docs team :)
>
> hth.
Definitely. Thanks for the primer.
Lou
--
Louis LeBlanc FreeBSD-at-keyslapper-DOT-net
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
Please send off-list email to: leblanc at keyslapper d.t net
Key fingerprint = C5E7 4762 F071 CE3B ED51 4FB8 AF85 A2FE 80C8 D9A2
Too much is just enough.
-- Mark Twain, on whiskey
Louis LeBlanc Guest




