Archive for the 'vuxml' Category

vuxml issue - vulnx.txt did not contain UTF-8

Saturday, December 1st, 2007

A few days ago, I noticed portaudit telling me about a few things that needed to be updated:

# portaudit
Affected package: rubygem-rails-1.2.3
Type of problem: rubygem-rails -- session-fixation vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/30acb8ae-9d46-11dc-9114-001c2514716c.html>
Affected package: rubygem-rails-1.2.3
Type of problem: rubygem-rails -- JSON XSS vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/44fb0302-9d38-11dc-9114-001c2514716c.html>
Affected package: rubygem-activesupport-1.4.2
Type of problem: rubygem-rails -- JSON XSS vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/44fb0302-9d38-11dc-9114-001c2514716c.html>
3 problem(s) in your installed packages found.
You are […]

List the vulnerabilities for this port

Saturday, October 20th, 2007

The previous post was based on a question from Martin Wilke, who was looking for a vuxml entry against phpMyAdmin. We eventually found it. It had the wrong dates but it was found. Martin corrected the problem with a followup commit.
This incident prompted me to make a couple of changes to […]

Vulnerabilities - finding them easily (vuxml)

Saturday, October 20th, 2007

This isn’t about detecting vulnerabilities. It is about finding vulnerabilities that others have already reported.
Background reading:

FreeBSD Porter’s Handbook: Keeping the community informed
FreeBSD VuXML

Here are the various vuxml pages provided by FreshPorts:

The latest vulnerabilities are listed on the home page
A complete list of all vulnerabilities by date
A complete list of all vulnerabilities by package

From that […]
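The portaudit report at the top of this page and the "finding vulnerabilities that others have already reported" theme of this post both come down to the same operation: take an installed package name, look up every VuXML entry whose `<affects>` names that package, and test the installed version against the entry's `<range>` bounds. The script below is an added example, not portaudit, FreshPorts or VuXML project code. It embeds a constructed vuln.xml fragment: the two vids and topics are the ones portaudit printed above, but the `<lt>` bounds are assumed for illustration and are not copied from the real vuln.xml. The version comparison is a simplified approximation of pkg_version(1) ordering (epoch after `,`, PORTREVISION after `_`, numeric components compared numerically), and `cvs_revision` is a helper for the `$FreeBSD$` keyword check used later on this page to see which vuln.xml a host actually has.

```python
"""Match installed FreeBSD packages against VuXML entries (added example)."""
import re
import xml.etree.ElementTree as ET

NS = "{http://www.vuxml.org/apps/vuxml-1}"

# Constructed vuln.xml fragment. vids and topics are from the portaudit
# output above; the <lt> bounds are ASSUMED for this example only.
VULN_XML = """
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="30acb8ae-9d46-11dc-9114-001c2514716c">
    <topic>rubygem-rails -- session-fixation vulnerability</topic>
    <affects>
      <package><name>rubygem-rails</name><range><lt>1.2.6</lt></range></package>
    </affects>
    <dates><entry>2007-11-27</entry></dates>
  </vuln>
  <vuln vid="44fb0302-9d38-11dc-9114-001c2514716c">
    <topic>rubygem-rails -- JSON XSS vulnerability</topic>
    <affects>
      <package><name>rubygem-rails</name><range><lt>1.2.6</lt></range></package>
      <package><name>rubygem-activesupport</name><range><lt>1.4.4</lt></range></package>
    </affects>
    <dates><entry>2007-11-27</entry></dates>
  </vuln>
</vuxml>
"""


def split_pkg(pkgname):
    """'rubygem-rails-1.2.3' -> ('rubygem-rails', '1.2.3'); version follows the last '-'."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def version_key(version):
    """Simplified pkg_version(1) ordering: epoch (after ','), then the version
    proper, then PORTREVISION (after '_'). Numeric components sort after
    alphabetic ones and are compared as integers. Assumed simplification."""
    epoch = revision = 0
    if "," in version:
        version, epoch = version.rsplit(",", 1)
        epoch = int(epoch)
    if "_" in version:
        version, revision = version.rsplit("_", 1)
        revision = int(revision)
    parts = [(1, int(p)) if p.isdigit() else (0, p)
             for p in re.findall(r"\d+|[A-Za-z]+", version)]
    return epoch, parts, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like pkg_version -t."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


RANGE_OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0,
    "gt": lambda c: c > 0, "ge": lambda c: c >= 0, "eq": lambda c: c == 0,
}


def in_range(version, range_el):
    """Every bound inside one <range> must hold (e.g. <ge>1.0</ge><lt>1.2.6</lt>)."""
    for bound in range_el:
        op = bound.tag.replace(NS, "")
        if not RANGE_OPS[op](compare_versions(version, bound.text.strip())):
            return False
    return True


def audit(installed, vuln_xml=VULN_XML):
    """Return {pkgname: [(vid, topic), ...]} for packages an entry affects."""
    root = ET.fromstring(vuln_xml)
    hits = {}
    for pkgname in installed:
        name, version = split_pkg(pkgname)
        for vuln in root.iter(NS + "vuln"):
            for package in vuln.iter(NS + "package"):
                if package.findtext(NS + "name") != name:
                    continue
                if any(in_range(version, r) for r in package.findall(NS + "range")):
                    hits.setdefault(pkgname, []).append(
                        (vuln.get("vid"), vuln.findtext(NS + "topic")))
                    break  # one hit per entry per package is enough
    return hits


def cvs_revision(keyword_line):
    """Pull (revision, date) out of an expanded $FreeBSD$ keyword line."""
    m = re.search(r"\$FreeBSD: \S+,v (\S+) (\S+ \S+)", keyword_line)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    installed = ["rubygem-rails-1.2.3", "rubygem-activesupport-1.4.2",
                 "rubygem-rails-1.2.6"]
    for pkg, entries in audit(installed).items():
        for vid, topic in entries:
            print(f"Affected package: {pkg}\nType of problem: {topic}.\n"
                  f"Reference: <http://www.FreeBSD.org/ports/portaudit/{vid}.html>")
```

With the constructed bounds, rubygem-rails-1.2.3 matches both entries, rubygem-activesupport-1.4.2 matches only the JSON XSS entry, and rubygem-rails-1.2.6 matches nothing, which is the shape of the portaudit report above. A real deployment would feed `audit` the installed package list from pkg_info or pkg and the vuln.xml fetched from the ports tree rather than the embedded fragment.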

vuxml - fix

Thursday, September 13th, 2007

This isn’t so much a fix for the vuxml problem mentioned previously as it is a fix for properly detecting and reporting fetch errors. The patch is pretty simple:

$ cvs di -u utilities.pm
Index: utilities.pm
===================================================================
RCS file: /home/repositories/freshports-1/scripts/utilities.pm,v
retrieving revision 1.16
diff -u -r1.16 utilities.pm
--- utilities.pm 13 Sep 2007 13:01:41 -0000 […]

vuxml configuration still not right

Thursday, September 13th, 2007

This morning portaudit told me I needed to upgrade PHP5 on a few servers. Again, I checked FreshPorts to see if a fix was in. Apparently it was. Unfortunately, it was wrong.
Checking the version of vuln.xml in the ports tree, I found:
$ grep '$FreeBSD' ports/security/vuxml/vuln.xml
$FreeBSD: ports/security/vuxml/vuln.xml,v 1.1416 2007/09/11 19:40:02 remko […]

vuxml - missing configuration items

Tuesday, September 11th, 2007

After my overnight security report audit came in, I noticed that Apache needed to be upgraded. I went to FreshPorts to see if a fix had been committed. While there, I noticed a lack of vuxml skulls against the latest versions of Apache. Checking the BETA website, I saw it was correctly […]

repo copies are evil

Sunday, March 4th, 2007

Repo copies are evil. What are repo copies? A repo copy occurs when you move things around in the repository manually. For example, this commit contains a lot of repo copy work. Ports are being moved from their current category to a new category, ports-mgmt. The original files in the […]

Package names and vuxml

Thursday, September 14th, 2006

If you have not installed portaudit, you should. It will save you time. A little bit of work by those that maintain the FreeBSD vulnerability database saves a great deal of time for all the sysadmins out there. For example, this morning, I got this email:

Python listening now in production

Monday, September 11th, 2006

The Python listening script is now in production, with a few luser-type problems along the way. Specifically: I have discovered, quite recently, that having the same name for both the NOTIFY command and the LISTEN command is kind of a good strategy when you actually want your listener to be notified. The […]

Adding stubs for listening - data driven

Saturday, September 2nd, 2006

Following on from the previous post, I found myself with a few hours to myself tonight. The estrogen in the house went out as a group so I managed to do a bit more coding on the FreshPorts listening daemon.