[CDBUG-talk] Unsubscribe

T.B. Davis tbdavis at greyshirt.net
Tue Jan 12 14:52:44 EST 2016


unsubscribe
On Jan 12, 2016 12:00 PM, <cdbug-talk-request at lists.nycbug.org> wrote:

> Send CDBUG-talk mailing list submissions to
>         cdbug-talk at lists.nycbug.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.nycbug.org/mailman/listinfo/cdbug-talk
> or, via email, send a message with subject or body 'help' to
>         cdbug-talk-request at lists.nycbug.org
>
> You can reach the person managing the list at
>         cdbug-talk-owner at lists.nycbug.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of CDBUG-talk digest..."
>
> Today's Topics:
>
>    1. DISABLE_VULNERABILITIES=yes (freebsd at fongaboo.com)
>    2. Re: DISABLE_VULNERABILITIES=yes (Patrick Muldoon)
>    3. Re: DISABLE_VULNERABILITIES=yes (Patrick Muldoon)
>
>
> ---------- Forwarded message ----------
> From: freebsd at fongaboo.com
> To: CDBUG <cdbug-talk at lists.nycbug.org>
> Cc: Dino Covelli <hey_you at dinocovelli.com>, Paul Bliss <mechno at mechno.com>
> Date: Mon, 11 Jan 2016 23:12:05 -0500 (EST)
> Subject: [CDBUG-talk] DISABLE_VULNERABILITIES=yes
>
> Hey folks... I was wondering if I could hit y'all up for some help or
> clarification on what I am running into when compiling Apache from ports.
>
> I'm running through a step-by-step tutorial for setting up a 'FAMP' box.
> And running into long compiles of ports that fail at the end, saying some
> library or another has a vulnerability. It suggests updating ports, which
> makes sense off the top of my head.
>
> But if you look below, it notes that you can add
> DISABLE_VULNERABILITIES=yes to the make command, and this indeed pushes the
> build through. But I don't know that ignoring vulnerabilities is really the
> best course of action.
>
> Here's where I should probably note that I am running this in a jail. In
> my understanding, the ports tree manifests within the jail as a read-only
> filesystem that is linked from the host filesystem. In my understanding,
> that means you can't update ports from within the jail.
>
> So I exit out of the jail, and from the host prompt I run:
>
> portsnap fetch
> portsnap extract
> portsnap update
>
> ...and this seems to complete successfully (at the host level).
>
> But when I go back into the jail and try to run the make command, it still
> fails out with the warning about vulnerabilities. Setting
> DISABLE_VULNERABILITIES=yes seems to be the only way to push it through.
>
> If I'm understanding what is going on, I shouldn't be comfortable
> compiling libraries with known vulnerabilities. Should getting ports
> properly updated indeed be my goal?
>
> Would anyone be able to clarify what I am encountering here and suggest
> the best way to proceed?
>
>
> Thanks,
>
> FONG
>
>
> ---------- Forwarded message ----------
> Date: Mon, 11 Jan 2016 22:40:43 -0500
> From: Dino Covelli <hey_you at dinocovelli.com>
> To: Jonathan Capra <fong at fongaboo.com>
> Subject: Apache Install Error
>
> ===>   apache24-2.4.16 depends on executable: autoconf-2.69 - found
> ===>   apache24-2.4.16 depends on executable: autoheader-2.69 - found
> ===>   apache24-2.4.16 depends on executable: autoreconf-2.69 - found
> ===>   apache24-2.4.16 depends on executable: aclocal-1.15 - found
> ===>   apache24-2.4.16 depends on executable: automake-1.15 - found
> ===>   apache24-2.4.16 depends on executable: libtoolize - found
> ===>   apache24-2.4.16 depends on package: libiconv>=1.14_8 - found
> ===>   apache24-2.4.16 depends on shared library: libexpat.so - found
> (/usr/local/lib/libexpat.so)
> ===>   apache24-2.4.16 depends on shared library: libapr-1.so - found
> (/usr/local/lib/libapr-1.so)
> ===>   apache24-2.4.16 depends on shared library: libpcre.so - not found
> ===>  pcre-8.37_2 has known vulnerabilities:
> pcre-8.37_2 is vulnerable:
> pcre -- heap overflow vulnerability
> WWW:
> https://vuxml.FreeBSD.org/freebsd/6900e6f1-4a79-11e5-9ad8-14dae9d210b8.html
>
> pcre-8.37_2 is vulnerable:
> pcre -- heap overflow vulnerability in '(?|' situations
> WWW:
> https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html
>
> 1 problem(s) in the installed packages found.
> => Please update your ports tree and try again.
> => Note: Vulnerable ports are marked as such even if there is no update
> available.
> => If you wish to ignore this vulnerability rebuild with 'make
> DISABLE_VULNERABILITIES=yes'
> *** Error code 1
>
> Stop.
> make[1]: stopped in /basejail/usr/ports/devel/pcre
> *** Error code 1
>
> Stop.
> make: stopped in /basejail/usr/ports/www/apache24
>
>
>
>
> ---------- Forwarded message ----------
> From: Patrick Muldoon <doon at inoc.net>
> To: freebsd at fongaboo.com
> Cc: CDBUG <cdbug-talk at lists.nycbug.org>, Dino Covelli <
> hey_you at dinocovelli.com>, Paul Bliss <mechno at mechno.com>
> Date: Mon, 11 Jan 2016 23:25:38 -0500
> Subject: Re: [CDBUG-talk] DISABLE_VULNERABILITIES=yes
> Updating your ports tree is one thing but are you then upgrading all of
> your installed ports to fix the vulnerable ones?
>
> After a portsnap fetch / update dance  and reading of /usr/ports/upgrading
> you can do something like
>
> portmaster -ad to update all your installed ports.  This should update
> everything. I think you are running into the issue that your currently
> installed package/port  is vulnerable and needs to be updated but by
> default make install will not update packages, iirc.
>
> Patrick.
>
>
> -----------------
> Patrick Muldoon
>
> Typed with my thumbs on a mobile device please excuse any errors.
>
>
>
>
> ---------- Forwarded message ----------
> From: Patrick Muldoon <doon at inoc.net>
> To: freebsd at fongaboo.com, CDBUG <cdbug-talk at lists.nycbug.org>
> Cc: Paul Bliss <mechno at mechno.com>, Dino Covelli <hey_you at dinocovelli.com>
> Date: Tue, 12 Jan 2016 08:03:13 -0500
> Subject: Re: [CDBUG-talk] DISABLE_VULNERABILITIES=yes
>
> > On Jan 11, 2016, at 11:25 PM, Patrick Muldoon <doon at inoc.net> wrote:
> >
> > Updating your ports tree is one thing but are you then upgrading all of
> your installed ports to fix the vulnerable ones?
> >
> > After a portsnap fetch / update dance  and reading of
> /usr/ports/upgrading you can do something like
> >
>
> that should have read the reading of /usr/ports/UPDATING  /sigh
>
> But the rest stands: unless you upgrade your installed ports you
> probably have vulnerable packages installed on your system
>
> pkg audit -F
>
> will show you which ones are vulnerable
>
> and I like using portmaster (/usr/ports/ports-mgmt/portmaster/)
>
> for ports management / upgrades
>
> but there is also portupgrade (/usr/ports/ports-mgmt/portupgrade)
>
>
> on this same note I have
>
> @daily                                  root    freebsd-update cron
> 0       3       *       *       *       root    portsnap -I cron update && pkg version -vIL=
>
> in cron, so that it shows me all the outdated / updated packages
> daily..  You can also throw a pkg audit in there as well
>
> -Patrick
>
>
> --
> Patrick Muldoon
> Network/Software Engineer
> INOC (http://www.inoc.net)
>
> 'Truly, you have a dizzying intellect.' - Westley, The Princess Bride
>
>
> _______________________________________________
> CDBUG-talk mailing list
> CDBUG-talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/cdbug-talk
>
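An added example, my own script and not code from Patrick or anyone else in the thread, that wires together the two checks he mentions: it reads pkg audit and pkg version -vIL= output, lists the packages that are outdated or carry a known vulnerability, and returns a non-zero status when anything vulnerable is installed, so the daily cron job can alert rather than rely on someone reading the mail. This is the point of the thread: the ports tree being current does not help while the installed pcre is still the vulnerable 8.37_2, and DISABLE_VULNERABILITIES=yes only hides that. The sample output embedded in the script is constructed from the pcre lines quoted above; the "index has" version numbers are invented, and the function names (vulnerable_packages, outdated_packages, count_nonempty, check_packages) are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-friendly wrapper around the
# two checks Patrick mentions (pkg version -vIL= and pkg audit -F). The report
# functions read the tools' output from stdin / arguments, so the run at the
# bottom uses constructed sample text and works on any host. On a FreeBSD box
# call it from cron as
#   check_packages "$(pkg audit -F)" "$(pkg version -vIL=)"
# Package names below come from the thread; the "index has" versions are made up.

# Constructed sample of `pkg audit` output. The same package appears under
# two advisories, so counting "is vulnerable:" lines would overstate the
# number of packages that need fixing (pkg itself reports "1 problem(s)").
SAMPLE_AUDIT='pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/6900e6f1-4a79-11e5-9ad8-14dae9d210b8.html

pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability in "(?|" situations
WWW: https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html

1 problem(s) in the installed packages found.'

# Constructed sample of `pkg version -vIL=` output: "<" means the installed
# version is older than the ports INDEX; "=" lines are already dropped by -L=.
SAMPLE_VERSION='apache24-2.4.16                    <   needs updating (index has 2.4.18)
pcre-8.37_2                        <   needs updating (index has 8.38)'

# stdin: pkg audit output -> unique names of vulnerable packages, one per line
vulnerable_packages() {
    sed -n 's/^\([^ ]*\) is vulnerable:$/\1/p' | sort -u
}

# stdin: pkg version -v output -> names of packages older than the index
outdated_packages() {
    awk '$2 == "<" { print $1 }'
}

# stdin: text -> number of non-empty lines (wc alone counts a lone "\n" as 1)
count_nonempty() {
    sed '/^$/d' | wc -l | tr -d ' '
}

# Print a summary of both reports. Returns 0 when no installed package has a
# known vulnerability and 1 otherwise, so cron mail or a monitoring hook can
# key off the exit status instead of someone reading the daily output.
check_packages() {
    vuln=$(printf '%s\n' "$1" | vulnerable_packages)
    stale=$(printf '%s\n' "$2" | outdated_packages)
    nvuln=$(printf '%s\n' "$vuln" | count_nonempty)
    nstale=$(printf '%s\n' "$stale" | count_nonempty)

    printf 'outdated packages: %s\n' "$nstale"
    [ "$nstale" -gt 0 ] && printf '%s\n' "$stale" | sed 's/^/  /'
    printf 'vulnerable packages: %s\n' "$nvuln"
    [ "$nvuln" -gt 0 ] && printf '%s\n' "$vuln" | sed 's/^/  /'

    [ "$nvuln" -eq 0 ]
}

# Stand-alone run on the constructed samples.
if check_packages "$SAMPLE_AUDIT" "$SAMPLE_VERSION"; then
    echo "no known vulnerabilities; building against the installed packages is fine"
else
    echo "upgrade the vulnerable packages (e.g. portmaster -ad) before building against them"
fi
```

Dropping the script into the existing 3 a.m. crontab entry after the portsnap update keeps the INDEX the version check reads fresh, and the de-duplication in vulnerable_packages means the count matches what pkg audit itself reports rather than the number of advisories.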