[CDBUG-talk] DISABLE_VULNERABILITIES=yes
Patrick Muldoon
doon at inoc.net
Mon Jan 11 23:25:38 EST 2016
Updating your ports tree is one thing but are you then upgrading all of your installed ports to fix the vulnerable ones?
After a portsnap fetch / update dance and reading of /usr/ports/upgrading you can do something like
portmaster -ad to update all your installed ports. This should update everything. I think you are running into the issue that your currently installed package/port is vulnerable and needs to be updated but by default make install will not update packages, iirc.
Patrick.
-----------------
Patrick Muldoon
Typed with my thumbs on a mobile device please excuse any errors.
> On Jan 11, 2016, at 11:12 PM, freebsd at fongaboo.com wrote:
>
>
> Hey folks... I was wondering if I could hit y'all up for some help or clarification on what I am running into when compiling Apache from ports.
>
> I'm running through a step-by-step tutorial for setting up a 'FAMP' box. And running into long compiles of ports that fail at the end, saying some library or another has a vulnerability. It suggests updating ports, which makes sense off the top of my head.
>
> But if you look below, it notes that you can add DISABLE_VULNERABILITIES=yes to the make command, and this indeed pushes the build through. But I don't know that ignoring vulnerabilities is really the best course of action.
>
> Here's where I should probably note that I am running this in a jail. In my understanding, the ports tree manifests within the jail as a read-only filesystem that is linked from the host filesystem. In my understanding, that means you can't update ports from within the jail.
>
> So I exit out of the jail, and from the host prompt I run:
>
> portsnap fetch
> portsnap extract
> portsnap update
>
> ...and this seems to complete successfully (at the host level).
>
> But when I go back into the jail and try to run the make command, it still fails out with the warning about vulnerabilities. Setting DISABLE_VULNERABILITIES=yes seems to be the only way to push it through.
>
> If I'm understanding what is going on, I shouldn't be comfortable compiling libraries with known vulnerabilities. Should getting ports properly updated indeed be my goal?
>
> Would anyone be able to clarify what I am encountering here and suggest the best way to proceed?
>
>
> Thanks,
>
> FONG
>
>
> ---------- Forwarded message ----------
> Date: Mon, 11 Jan 2016 22:40:43 -0500
> From: Dino Covelli <hey_you at dinocovelli.com>
> To: Jonathan Capra <fong at fongaboo.com>
> Subject: Apache Install Error
>
> ===> apache24-2.4.16 depends on executable: autoconf-2.69 - found
> ===> apache24-2.4.16 depends on executable: autoheader-2.69 - found
> ===> apache24-2.4.16 depends on executable: autoreconf-2.69 - found
> ===> apache24-2.4.16 depends on executable: aclocal-1.15 - found
> ===> apache24-2.4.16 depends on executable: automake-1.15 - found
> ===> apache24-2.4.16 depends on executable: libtoolize - found
> ===> apache24-2.4.16 depends on package: libiconv>=1.14_8 - found
> ===> apache24-2.4.16 depends on shared library: libexpat.so - found (/usr/local/lib/libexpat.so)
> ===> apache24-2.4.16 depends on shared library: libapr-1.so - found (/usr/local/lib/libapr-1.so)
> ===> apache24-2.4.16 depends on shared library: libpcre.so - not found
> ===> pcre-8.37_2 has known vulnerabilities:
> pcre-8.37_2 is vulnerable:
> pcre -- heap overflow vulnerability
> WWW: https://vuxml.FreeBSD.org/freebsd/6900e6f1-4a79-11e5-9ad8-14dae9d210b8.html
>
> pcre-8.37_2 is vulnerable:
> pcre -- heap overflow vulnerability in '(?|' situations
> WWW: https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html
>
> 1 problem(s) in the installed packages found.
> => Please update your ports tree and try again.
> => Note: Vulnerable ports are marked as such even if there is no update available.
> => If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
> *** Error code 1
>
> Stop.
> make[1]: stopped in /basejail/usr/ports/devel/pcre
> *** Error code 1
>
> Stop.
> make: stopped in /basejail/usr/ports/www/apache24
>
> _______________________________________________
> CDBUG-talk mailing list
> CDBUG-talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/cdbug-talk
More information about the CDBUG-talk
mailing list