On November 19 2024, these errors appeared on every FreshPorts node: That’s my clue to go look closer as to why the processing failed. This processing is related to the security/vuxml port which documents known vulnerabilities within the FreeBSD ports tree and operating system. This tool helps system administrators identify and patch known problems. The […]
vuxml processing broken – files have grown too much Read More »
I noticed this today: root 58697 0.0 0.0 10680 2180 – IJ 12May20 0:00.00 /usr/local/bin/readproctitle service errors: …/site_perl/FreshPorts/vuxml_parsing.pm line 232, chunk 1.\nWide character in print at /usr/local/lib/perl5/site_perl/FreshPorts/vuxml_parsing.pm line 232, chunk 1.\nWide character in print at /usr/local/lib/perl5/site_perl/FreshPorts/vuxml_parsing.pm line 232, chunk 1.\nUndefined subroutine &FreshPorts::CommitterOptIn::RecordErrorDetails called at ./process_vuxml.pl line 124, chunk 1.\n I should monitor that process better.
For several weeks, FreshPorts had a vuxml processing problem. In this blog post, I will share what I found. Introduction Incoming events for FreshPorts are handled by a small Python script which checks for flags and incoming commits. This ensures that work is carried out serially because parallel work can have unintended consequences. After each
Details of the vuxml processing problem Read More »
If a vuxml entry is updated, and the ranges change, those changes are not recorded in FreshPorts. This came to my attention from the FreeBSD Security team. They noticed that for the recent Oracla Java vuln FreshPorts had all versions for > 7. It boiled down to this: http://www.freshports.org/vuxml.php?vid=16846d1e-f1de-11e1-8bd8-0022156e8794 [1] differs from this: http://www.vuxml.org/freebsd/16846d1e-f1de-11e1-8bd8-0022156e8794.html [2]
Updates to vuxml ranges fails Read More »
Mr Thomas wrote me regarding mail/horde4-imp and a particular vulnerability. Specifically, he figured that a recent commit (link to mail archives) fixed a bad entry in vuxml. Let’s look into that now. I first compared dev, beta, and production. All three had the port flagged as vulnerable. This situation is indicated by a skull at
mail/horde4-imp vulnerability Read More »
A few days ago, I noticed portaudit telling me about a few things that needed to be updated: # portaudit Affected package: rubygem-rails-1.2.3 Type of problem: rubygem-rails — session-fixation vulnerability. Reference: <http://www.FreeBSD.org/ports/portaudit/30acb8ae-9d46-11dc-9114-001c2514716c.html> Affected package: rubygem-rails-1.2.3 Type of problem: rubygem-rails — JSON XSS vulnerability. Reference: <http://www.FreeBSD.org/ports/portaudit/44fb0302-9d38-11dc-9114-001c2514716c.html> Affected package: rubygem-activesupport-1.4.2 Type of problem: rubygem-rails — JSON XSS
vuxml issue – vulnx.txt did not contain UTF-8 Read More »
The previous post was based on a question from Martin Wilke, who was looking for a vuxml entry against phpMyAdmin. We eventually found it. It had the wrong dates but it was found. Martin corrected the problem with a followup commit. This incident prompted me to make a couple of changes to FreshPorts with respect
List the vulnerabilities for this port Read More »
This isn’t about detecting vulnerabilities. It is about finding vulnerabilities that others have already reported. Background reading: FreeBSD Porter’s Handbook: Keeping the community informed FreeBSD VuXML Here are the various vuxml pages provided by FreshPorts: The latest vulnerabilities are listed on the home page A complete list of all vulnerabilities by date A complete list
Vulnerabilities – finding them easily (vuxml) Read More »
This isn’t so much a fix for the vuxml problem mentioned previously as it is a fix for properly detecting and reporting fetch errors. The patch is pretty simple: $ cvs di -u utilities.pm Index: utilities.pm =================================================================== RCS file: /home/repositories/freshports-1/scripts/utilities.pm,v retrieving revision 1.16 diff -u -r1.16 utilities.pm — utilities.pm 13 Sep 2007 13:01:41 -0000 1.16
This morning portaudit told me I needed to upgrade PHP5 on a few servers. Again, I checked FreshPorts to see if a fix was in. Apparently it was. Unfortunately, it was wrong. Checking the version of vuln.xml in the ports tree, I found: $ grep ‘$FreeBSD’ ports/security/vuxml/vuln.xml $FreeBSD: ports/security/vuxml/vuln.xml,v 1.1416 2007/09/11 19:40:02 remko Exp $
vuxml configuration still not right Read More »