[CDBUG-talk] DISABLE_VULNERABILITIES=yes
freebsd at fongaboo.com
Mon Jan 11 23:12:05 EST 2016
Hey folks... I was wondering if I could hit y'all up for some help or
clarification on what I am running into when compiling Apache from ports.
I'm running through a step-by-step tutorial for setting up a 'FAMP' box.
And running into long compiles of ports that fail at the end, saying some
library or another has a vulnerability. It suggests updating ports, which
makes sense off the top of my head.
But if you look below, it notes that you can add
DISABLE_VULNERABILITIES=yes to the make command, and this
indeed pushes the build through. But I don't know that ignoring
vulnerabilities is really the best course of action.
Here's where I should probably note that I am running this in a jail. In
my understanding, the ports tree manifests within the jail as a read-only
filesystem that is linked from the host filesystem. In my understanding,
that means you can't update ports from within the jail.
So I exit out of the jail, and from the host prompt I run:
portsnap fetch
portsnap extract
portsnap update
...and this seems to complete successfully (at the host level).
But when I go back into the jail and try to run the make command, it still
fails out with the warning about vulnerabilities. Setting
DISABLE_VULNERABILITIES=yes seems to be the only way to push it through.
If I'm understanding what is going on, I shouldn't be comfortable
compiling libraries with known vulnerabilities. Should getting ports
properly updated indeed be my goal?
Would anyone be able to clarify what I am encountering here and suggest
the best way to proceed?
Thanks,
FONG
---------- Forwarded message ----------
Date: Mon, 11 Jan 2016 22:40:43 -0500
From: Dino Covelli <hey_you at dinocovelli.com>
To: Jonathan Capra <fong at fongaboo.com>
Subject: Apache Install Error
===> apache24-2.4.16 depends on executable: autoconf-2.69 - found
===> apache24-2.4.16 depends on executable: autoheader-2.69 - found
===> apache24-2.4.16 depends on executable: autoreconf-2.69 - found
===> apache24-2.4.16 depends on executable: aclocal-1.15 - found
===> apache24-2.4.16 depends on executable: automake-1.15 - found
===> apache24-2.4.16 depends on executable: libtoolize - found
===> apache24-2.4.16 depends on package: libiconv>=1.14_8 - found
===> apache24-2.4.16 depends on shared library: libexpat.so - found (/usr/local/lib/libexpat.so)
===> apache24-2.4.16 depends on shared library: libapr-1.so - found (/usr/local/lib/libapr-1.so)
===> apache24-2.4.16 depends on shared library: libpcre.so - not found
===> pcre-8.37_2 has known vulnerabilities:
pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/6900e6f1-4a79-11e5-9ad8-14dae9d210b8.html
pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability in '(?|' situations
WWW: https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html
1 problem(s) in the installed packages found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1
Stop.
make[1]: stopped in /basejail/usr/ports/devel/pcre
*** Error code 1
Stop.
make: stopped in /basejail/usr/ports/www/apache24
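
For triaging output like the forwarded build log above, an added example (not part of the original post or of the ports tooling) that pulls out each flagged package, its VuXML entry and the port directories where make stopped. The function names are hypothetical, and the sample input is an excerpt of the log quoted in the message.

```python
import re

# Sample input: excerpt of the build output quoted in the message above.
SAMPLE = """\
===> apache24-2.4.16 depends on shared library: libpcre.so - not found
===> pcre-8.37_2 has known vulnerabilities:
pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/6900e6f1-4a79-11e5-9ad8-14dae9d210b8.html
pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability in '(?|' situations
WWW: https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html
1 problem(s) in the installed packages found.
make[1]: stopped in /basejail/usr/ports/devel/pcre
make: stopped in /basejail/usr/ports/www/apache24
"""

VULN_RE = re.compile(r"^(\S+) is vulnerable:$")
STOP_RE = re.compile(r"^make(?:\[\d+\])?: stopped in (\S+)$")

def parse_build_log(text):
    """Return (findings, stopped_dirs) parsed from ports build output."""
    findings, stopped, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        m = VULN_RE.match(line)
        if m:  # start of one vulnerability record
            current = {"package": m.group(1), "summary": None, "url": None}
            findings.append(current)
            continue
        s = STOP_RE.match(line)
        if s:  # make reports the failing directory, innermost first
            stopped.append(s.group(1))
            current = None
        elif current is not None:
            if line.startswith("WWW:"):  # the URL line closes the record
                current["url"] = line[4:].strip()
                current = None
            elif current["summary"] is None:
                current["summary"] = line
    return findings, stopped

def blocked_ports(stopped):
    """Reduce stop directories to category/port origins."""
    return ["/".join(d.rstrip("/").split("/")[-2:]) for d in stopped]

if __name__ == "__main__":
    findings, stopped = parse_build_log(SAMPLE)
    for f in findings:
        print(f["package"], "|", f["summary"], "|", f["url"])
    print("blocked:", " <- ".join(blocked_ports(stopped)))
```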