<p dir="ltr">unsubscribe</p>
<div class="gmail_quote">On Jan 12, 2016 12:00 PM, <<a href="mailto:cdbug-talk-request@lists.nycbug.org">cdbug-talk-request@lists.nycbug.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send CDBUG-talk mailing list submissions to<br>
<a href="mailto:cdbug-talk@lists.nycbug.org">cdbug-talk@lists.nycbug.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.nycbug.org/mailman/listinfo/cdbug-talk" rel="noreferrer" target="_blank">http://lists.nycbug.org/mailman/listinfo/cdbug-talk</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:cdbug-talk-request@lists.nycbug.org">cdbug-talk-request@lists.nycbug.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:cdbug-talk-owner@lists.nycbug.org">cdbug-talk-owner@lists.nycbug.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of CDBUG-talk digest..."<br>
<br>Today's Topics:<br>
<br>
1. DISABLE_VULNERABILITIES=yes (<a href="mailto:freebsd@fongaboo.com">freebsd@fongaboo.com</a>)<br>
2. Re: DISABLE_VULNERABILITIES=yes (Patrick Muldoon)<br>
3. Re: DISABLE_VULNERABILITIES=yes (Patrick Muldoon)<br>
<br><br>---------- Forwarded message ----------<br>From: <a href="mailto:freebsd@fongaboo.com">freebsd@fongaboo.com</a><br>To: CDBUG <<a href="mailto:cdbug-talk@lists.nycbug.org">cdbug-talk@lists.nycbug.org</a>><br>Cc: Dino Covelli <<a href="mailto:hey_you@dinocovelli.com">hey_you@dinocovelli.com</a>>, Paul Bliss <<a href="mailto:mechno@mechno.com">mechno@mechno.com</a>><br>Date: Mon, 11 Jan 2016 23:12:05 -0500 (EST)<br>Subject: [CDBUG-talk] DISABLE_VULNERABILITIES=yes<br><br>
Hey folks... I was wondering if I could hit y'all up for some help or clarification on what I am running into when compiling Apache from ports.<br>
<br>
I'm running through a step-by-step tutorial for setting up a 'FAMP' box. And running into long compiles of ports that fail at the end, saying some library or another has a vulnerability. It suggests updating ports, which makes sense off the top of my head.<br>
<br>
But if you look below, it notes that you can add DISABLE_VULNERABILITIES=yes to the make command, and this indeed pushes the build through. But I don't know that ignoring vulnerabilities is really the best course of action.<br>
<br>
Here's where I should probably note that I am running this in a jail. In my understanding, the ports tree manifests within the jail as a read-only filesystem that is linked from the host filesystem. In my understanding, that means you can't update ports from within the jail.<br>
<br>
So I exit out of the jail, and from the host prompt I run:<br>
<br>
portsnap fetch<br>
portsnap extract<br>
portsnap update<br>
<br>
...and this seems to complete successfully (at the host level).<br>
<br>
But when I go back into the jail and try to run the make command, it still fails out with the warning about vulnerabilities. Setting DISABLE_VULNERABILITIES=yes seems to be the only way to push it through.<br>
<br>
If I'm understanding what is going on, I shouldn't be comfortable compiling libraries with known vulnerabilities. Should getting ports properly updated indeed be my goal?<br>
<br>
Would anyone be able to clarify what I am encountering here and suggest the best way to proceed?<br>
<br>
<br>
Thanks,<br>
<br>
FONG<br>
<br>
<br>
---------- Forwarded message ----------<br>
Date: Mon, 11 Jan 2016 22:40:43 -0500<br>
From: Dino Covelli <<a href="mailto:hey_you@dinocovelli.com" target="_blank">hey_you@dinocovelli.com</a>><br>
To: Jonathan Capra <<a href="mailto:fong@fongaboo.com" target="_blank">fong@fongaboo.com</a>><br>
Subject: Apache Install Error<br>
<br>
===> apache24-2.4.16 depends on executable: autoconf-2.69 - found<br>
===> apache24-2.4.16 depends on executable: autoheader-2.69 - found<br>
===> apache24-2.4.16 depends on executable: autoreconf-2.69 - found<br>
===> apache24-2.4.16 depends on executable: aclocal-1.15 - found<br>
===> apache24-2.4.16 depends on executable: automake-1.15 - found<br>
===> apache24-2.4.16 depends on executable: libtoolize - found<br>
===> apache24-2.4.16 depends on package: libiconv>=1.14_8 - found<br>
===> apache24-2.4.16 depends on shared library: libexpat.so - found (/usr/local/lib/libexpat.so)<br>
===> apache24-2.4.16 depends on shared library: libapr-1.so - found (/usr/local/lib/libapr-1.so)<br>
===> apache24-2.4.16 depends on shared library: libpcre.so - not found<br>
===> pcre-8.37_2 has known vulnerabilities:<br>
pcre-8.37_2 is vulnerable:<br>
pcre -- heap overflow vulnerability<br>
WWW: <a href="https://vuxml.FreeBSD.org/freebsd/6900e6f1-4a79-11e5-9ad8-14dae9d210b8.html" rel="noreferrer" target="_blank">https://vuxml.FreeBSD.org/freebsd/6900e6f1-4a79-11e5-9ad8-14dae9d210b8.html</a><br>
<br>
pcre-8.37_2 is vulnerable:<br>
pcre -- heap overflow vulnerability in '(?|' situations<br>
WWW: <a href="https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html" rel="noreferrer" target="_blank">https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html</a><br>
<br>
1 problem(s) in the installed packages found.<br>
=> Please update your ports tree and try again.<br>
=> Note: Vulnerable ports are marked as such even if there is no update available.<br>
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'<br>
*** Error code 1<br>
<br>
Stop.<br>
make[1]: stopped in /basejail/usr/ports/devel/pcre<br>
*** Error code 1<br>
<br>
Stop.<br>
make: stopped in /basejail/usr/ports/www/apache24<br>
<br>
<br>
<br><br>---------- Forwarded message ----------<br>From: Patrick Muldoon <<a href="mailto:doon@inoc.net">doon@inoc.net</a>><br>To: <a href="mailto:freebsd@fongaboo.com">freebsd@fongaboo.com</a><br>Cc: CDBUG <<a href="mailto:cdbug-talk@lists.nycbug.org">cdbug-talk@lists.nycbug.org</a>>, Dino Covelli <<a href="mailto:hey_you@dinocovelli.com">hey_you@dinocovelli.com</a>>, Paul Bliss <<a href="mailto:mechno@mechno.com">mechno@mechno.com</a>><br>Date: Mon, 11 Jan 2016 23:25:38 -0500<br>Subject: Re: [CDBUG-talk] DISABLE_VULNERABILITIES=yes<br>Updating your ports tree is one thing but are you then upgrading all of your installed ports to fix the vulnerable ones?<br>
<br>
After a portsnap fetch / update dance and reading of /usr/ports/upgrading you can do something like<br>
<br>
portmaster -ad to update all your installed ports. This should update everything. I think you are running into the issue that your currently installed package/port is vulnerable and needs to be updated but by default make install will not update packages, iirc.<br>
<br>
Patrick.<br>
<br>
<br>
-----------------<br>
Patrick Muldoon<br>
<br>
Typed with my thumbs on a mobile device please excuse any errors.<br>
<br>
<br>
<br>
<br><br>---------- Forwarded message ----------<br>From: Patrick Muldoon <<a href="mailto:doon@inoc.net">doon@inoc.net</a>><br>To: <a href="mailto:freebsd@fongaboo.com">freebsd@fongaboo.com</a>, CDBUG <<a href="mailto:cdbug-talk@lists.nycbug.org">cdbug-talk@lists.nycbug.org</a>><br>Cc: Paul Bliss <<a href="mailto:mechno@mechno.com">mechno@mechno.com</a>>, Dino Covelli <<a href="mailto:hey_you@dinocovelli.com">hey_you@dinocovelli.com</a>><br>Date: Tue, 12 Jan 2016 08:03:13 -0500<br>Subject: Re: [CDBUG-talk] DISABLE_VULNERABILITIES=yes<br><br>
> On Jan 11, 2016, at 11:25 PM, Patrick Muldoon <<a href="mailto:doon@inoc.net">doon@inoc.net</a>> wrote:<br>
><br>
> Updating your ports tree is one thing but are you then upgrading all of your installed ports to fix the vulnerable ones?<br>
><br>
> After a portsnap fetch / update dance and reading of /usr/ports/upgrading you can do something like<br>
><br>
<br>
that should have read the reading of /usr/ports/UPDATING /sigh<br>
<br>
But the rest stands: unless you upgrade your installed ports, you probably have vulnerable packages installed on your system<br>
<br>
pkg audit -F<br>
<br>
will show you which ones are vulnerable<br>
<br>
and I like using portmaster (/usr/ports/ports-mgmt/portmaster/)<br>
<br>
for ports management / upgrades<br>
<br>
but there is also portupgrade (/usr/ports/ports-mgmt/portupgrade)<br>
<br>
<br>
on this same note I have<br>
<br>
@daily root freebsd-update cron<br>
0 3 * * * root portsnap -I cron update && pkg version -vIL=<br>
<br>
in cron, so that it shows me all the outdated / updated packages daily. You can also throw a pkg audit in there as well<br>
<br>
-Patrick<br>
<br>
<br>
--<br>
Patrick Muldoon<br>
Network/Software Engineer<br>
INOC (<a href="http://www.inoc.net" rel="noreferrer" target="_blank">http://www.inoc.net</a>)<br>
<br>
'Truly, you have a dizzying intellect.' - Westley, The Princess Bride<br>
<br>
<br>_______________________________________________<br>
CDBUG-talk mailing list<br>
<a href="mailto:CDBUG-talk@lists.nycbug.org">CDBUG-talk@lists.nycbug.org</a><br>
<a href="http://lists.nycbug.org/mailman/listinfo/cdbug-talk" rel="noreferrer" target="_blank">http://lists.nycbug.org/mailman/listinfo/cdbug-talk</a><br></blockquote></div>
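<p>An added example, not code from anyone in the thread: a small POSIX sh/awk parser for the vulnerability report format quoted above. The block that a failing <code>make</code> prints for the installed pcre package has the same shape as the per-package output of <code>pkg audit -F</code> (any CVE: lines pkg audit adds between the title and the WWW: line are simply skipped), so a cron job can pull out the distinct package names that actually need upgrading, which is the point of the reply: refreshing the ports tree alone does not replace the vulnerable installed package. The sample report is constructed from the thread's pcre lines.</p>

```shell
#!/bin/sh
# Constructed sample: the vulnerability block from the failed make run in the
# thread, same layout as `pkg audit -F` output. Not captured from a live system.
sample_report() {
cat <<'EOF'
===> pcre-8.37_2 has known vulnerabilities:
pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/6900e6f1-4a79-11e5-9ad8-14dae9d210b8.html

pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability in '(?|' situations
WWW: https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html

1 problem(s) in the installed packages found.
EOF
}

# Read a report on stdin, print one "package<TAB>title<TAB>url" line per advisory.
# The "X is vulnerable:" line names the installed package; the next line is the
# advisory title; the WWW: line carries the VuXML URL. Other lines are ignored.
vuln_entries() {
    awk '
        / is vulnerable:$/ { pkg = $1; want_title = 1; next }
        want_title == 1    { title = $0; want_title = 0; next }
        /^WWW: /           { printf "%s\t%s\t%s\n", pkg, title, $2 }
    '
}

# Distinct vulnerable packages: the list that portmaster/portupgrade has to rebuild.
vuln_packages() {
    vuln_entries | cut -f1 | sort -u
}

# Number of problems the tool itself reported, for cross-checking the parse.
reported_problems() {
    awk '/ problem\(s\) in the installed packages found\.$/ { print $1 }'
}

# Stand-alone usage: summarise the constructed report.
sample_report | vuln_entries
printf 'packages to upgrade: %s\n' "$(sample_report | vuln_packages | tr '\n' ' ')"
printf 'problems reported:   %s\n' "$(sample_report | reported_problems)"
```

On a FreeBSD host the same functions take <code>pkg audit -F | vuln_packages</code> as input; note that pkg counts one problem per package (here 1) while the report lists one entry per advisory (here 2).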