[CDBUG-talk] DISABLE_VULNERABILITIES=yes

freebsd at fongaboo.com freebsd at fongaboo.com
Mon Jan 11 23:12:05 EST 2016


Hey folks... I was wondering if I could hit y'all up for some help or 
clarification on what I am running into when compiling Apache from ports.

I'm running through a step-by-step tutorial for setting up a 'FAMP' box. 
And running into long compiles of ports that fail at the end, saying some 
library or another has a vulnerability. It suggests updating ports, which 
makes sense off the top of my head.

But if you look below, it notes that you can add 
DISABLE_VULNERABILITIES=yes to the make command, and this 
indeed pushes the build through. But I don't know that ignoring 
vulnerabilities is really the best course of action.

Here's where I should probably note that I am running this in a jail. In 
my understanding, the ports tree manifests within the jail as a read-only 
filesystem that is linked from the host filesystem. In my understanding, 
that means you can't update ports from within the jail.

So I exit out of the jail, and from the host prompt I run:

portsnap fetch
portsnap extract
portsnap update

...and this seems to complete successfully (at the host level).

But when I go back into the jail and try to run the make command, it still 
fails out with the warning about vulnerabilities. Setting 
DISABLE_VULNERABILITIES=yes seems to be the only way to push it through.

If I'm understanding what is going on, I shouldn't be comfortable 
compiling libraries with known vulnerabilities. Should getting ports 
properly updated indeed be my goal?

Would anyone be able to clarify what I am encountering here and suggest 
the best way to proceed?


Thanks,

FONG


---------- Forwarded message ----------
Date: Mon, 11 Jan 2016 22:40:43 -0500
From: Dino Covelli <hey_you at dinocovelli.com>
To: Jonathan Capra <fong at fongaboo.com>
Subject: Apache Install Error

===>   apache24-2.4.16 depends on executable: autoconf-2.69 - found
===>   apache24-2.4.16 depends on executable: autoheader-2.69 - found
===>   apache24-2.4.16 depends on executable: autoreconf-2.69 - found
===>   apache24-2.4.16 depends on executable: aclocal-1.15 - found
===>   apache24-2.4.16 depends on executable: automake-1.15 - found
===>   apache24-2.4.16 depends on executable: libtoolize - found
===>   apache24-2.4.16 depends on package: libiconv>=1.14_8 - found
===>   apache24-2.4.16 depends on shared library: libexpat.so - found (/usr/local/lib/libexpat.so)
===>   apache24-2.4.16 depends on shared library: libapr-1.so - found (/usr/local/lib/libapr-1.so)
===>   apache24-2.4.16 depends on shared library: libpcre.so - not found
===>  pcre-8.37_2 has known vulnerabilities:
pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/6900e6f1-4a79-11e5-9ad8-14dae9d210b8.html

pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability in '(?|' situations
WWW: https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html

1 problem(s) in the installed packages found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1

Stop.
make[1]: stopped in /basejail/usr/ports/devel/pcre
*** Error code 1

Stop.
make: stopped in /basejail/usr/ports/www/apache24
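The check that stopped the build above is the ports framework's vulnerability gate, which matches the packages a port depends on against FreeBSD's VuXML advisory database and prints one "is vulnerable:" block per advisory, each with its VuXML URL. As the output itself notes, a port stays flagged while no fixed version exists, so refreshing the ports tree does not always clear it, and DISABLE_VULNERABILITIES=yes simply skips the gate for every dependency. The script below is an added example, not part of the original post or of the ports framework: it reads a saved build log in the format shown in the forwarded message, lists each flagged package with its advisory URL so the decision to wait, patch or proceed is made per advisory, and offers a clean/dirty exit status that a build wrapper can use in place of the blanket override. The sample log it writes is constructed for the example and mirrors the forwarded lines; the function names are the example's own.

```shell
#!/bin/sh
# Added example: summarise the advisories that the ports vulnerability gate
# prints before aborting a build. Nothing here comes from the original post
# or from the ports framework; the sample log below is constructed and
# mirrors the shape of the forwarded output (a "<pkg> is vulnerable:" line,
# a description line, a "WWW: <VuXML URL>" line, then a blank line).

# Write a constructed build-log excerpt to the file named in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
===>  pcre-8.37_2 has known vulnerabilities:
pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability
WWW: https://vuxml.FreeBSD.org/freebsd/6900e6f1-4a79-11e5-9ad8-14dae9d210b8.html

pcre-8.37_2 is vulnerable:
pcre -- heap overflow vulnerability in '(?|' situations
WWW: https://vuxml.FreeBSD.org/freebsd/ff0acfb4-3efa-11e5-93ad-002590263bf5.html

1 problem(s) in the installed packages found.
=> Please update your ports tree and try again.
EOF
}

# Print one tab-separated record per advisory found in the log(s) given as
# arguments (or stdin): package<TAB>description<TAB>VuXML URL.
# The awk state machine remembers the package from the "is vulnerable:" line,
# pulls the next line as the description, and emits the record when the
# matching "WWW:" line arrives, so unrelated build chatter is ignored.
vuln_summary() {
    awk '
        /^[^ ]+ is vulnerable:$/ { pkg = $1; getline desc; next }
        /^WWW: /                 { print pkg "\t" desc "\t" $2; next }
    ' "$@"
}

# Print each flagged package once, so a long log collapses to the short list
# of dependencies that actually need attention.
vuln_packages() {
    vuln_summary "$@" | cut -f1 | sort -u
}

# Exit 0 when the log carries no advisory blocks, 1 otherwise. A build
# wrapper can gate on this instead of passing DISABLE_VULNERABILITIES=yes,
# which would silence the check for every dependency at once.
log_is_clean() {
    ! grep -q ' is vulnerable:$' "$@"
}

# Usage:
#   make -C /usr/ports/www/apache24 2>&1 | tee build.log
#   vuln_summary build.log      # one line per advisory, with its VuXML URL
#   vuln_packages build.log     # distinct flagged packages
#   log_is_clean build.log && echo "no advisories recorded in this log"
```

Because the gate runs per port, the same dependency can be reported several times in one log (pcre appears twice above, once per advisory); `vuln_packages` reduces that to the distinct list, while `vuln_summary` keeps every advisory URL so each one can be read before deciding how to proceed.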


